New 'Firestarter' malware flames on in spite of Cisco firewall updates and security patches
Date:
Mon, 27 Apr 2026 15:25:00 +0000
Description:
Security pros are warning about custom malware targeting Cisco firewalls, and surviving upgrades and reboots.
FULL STORY ======================================================================
- Cisco Talos warns of Firestarter, a new malware targeting unpatched Firepower and Secure Firewall devices
- The UAT-4356 group exploited flaws CVE-2025-20333 and CVE-2025-20362 to deploy Line Viper before dropping Firestarter
- CISA confirmed exploitation against at least one federal agency
Security researchers have warned of Firestarter, a brand new custom-built malware which targets unpatched Cisco Firepower and Secure Firewall devices, persisting across reboots, security patches, and even firmware updates.
Experts from Cisco Talos flagged that Firestarter only works on devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. It was built by a threat actor tracked as UAT-4356, a group Cisco has been warning about for at least two years now. In mid-2024, Cisco said that sophisticated threat actors with possible ties to eastern nation-states were abusing two flaws in Cisco VPNs and firewalls to drop malware. The same group, which is also being tracked as STORM-1849, abused two flaws at the time: CVE-2024-20353 and CVE-2024-20359.

Confirming the breach

This time around, they are abusing a missing authorization issue tracked as CVE-2025-20333, and a buffer overflow bug tracked as CVE-2025-20362, to first deploy Line Viper (a user-mode shellcode loader), before dropping Firestarter.
Line Viper was said to be able to run CLI commands, capture packets, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, steal user CLI commands, and force a delayed device restart.
For at least one Federal Civilian Executive Branch (FCEB) agency, the devices were compromised in the window of time between the patch being released, and being deployed on the devices:
"CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03," CISA said in its security advisory.
By tweaking the startup mount list, the malware makes sure it persists even after reboots.
Those running Firepower and Secure Firewall, and looking for mitigations and workarounds, should read Cisco's security advisory here. The company said it strongly recommends reimaging and upgrading the device using the fixed releases.
Via The Hacker News
======================================================================
Link to news story:
https://www.techradar.com/pro/security/new-firestarter-malware-flames-on-in-spite-of-cisco-firewall-updates-and-security-patches
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)