Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. The backdoor has been attributed to a threat actor that Cisco Talos tracks internally as UAT-4356, known for cyberespionage campaigns, including ArcaneDoor. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Center (NCSC) believe that the adversary obtained initial access by exploiting a missing authorization issue (CVE-2025-20333) and/or a buffer overflow bug (CVE-2025-20362). In one incident at a federal civilian executive branch agency, CISA observed the threat actor first deploying the Line Viper malware, a user-mode shellcode loader, and then using Firestarter, which enables continued access even after patching. “CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” the agency notes in an alert. Line Viper is used to establish VPN sessions and access all configuration details, including administrative credentials, certificates, and private keys on compromised Firepower devices. Next, the ELF binary for the Firestarter backdoor is deployed for persistence, allowing the threat actor to regain access when needed. Once Firestarter nests on the devices, it maintains persistence across reboots, firmware updates, and security patches. Furthermore, the backdoor relaunches automatically if terminated.