A state-sponsored hacking group has successfully implanted a sophisticated backdoor, codenamed Firestarter, onto Cisco network security devices. This malware is capable of persisting through firmware updates and standard reboots, raising significant concerns for government and critical infrastructure networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre disclosed this discovery on Thursday, highlighting an alarming escalation in the group’s activities.
The malware analysis report, jointly published by CISA and the UK’s National Cyber Security Centre, names the custom backdoor Firestarter. Cisco’s threat intelligence division, Talos, attributes the tool to a threat actor it tracks as UAT-4356. Talos has also linked this group to a 2024 espionage campaign known as ArcaneDoor, which specifically targeted network perimeter devices.
Firestarter: A Persistent Threat on Cisco Devices
CISA confirmed that Firestarter was discovered on a Cisco Firepower device belonging to a U.S. federal civilian agency. The finding occurred during routine network monitoring, which detected suspicious connections. This discovery led CISA to issue an updated emergency directive on Thursday. The directive mandates that all federal civilian agencies must audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday.
The primary concern driving this directive is the attack group’s ability to maintain control over compromised devices. This persistence is achieved even after organizations applied security patches released by Cisco in September 2025. These patches were intended to fix two critical vulnerabilities: CVE-2025-20333, a remote code execution flaw in the VPN web server component, and CVE-2025-20362, which allowed for unauthorized access. According to CISA, devices that were compromised before these patches were applied may still harbor the Firestarter implant.
How the Backdoor Achieves Persistence
Firestarter operates by manipulating the Cisco Service Platform mount list, a configuration file that dictates which programs run when a device boots up. When a compromised device receives a termination signal or undergoes a reboot, the malware copies itself to a secondary, hidden location. It then alters the mount list to ensure its own restoration and subsequent execution once the system restarts.
Crucially, a standard software reboot is insufficient to remove the implant. Both CISA and Cisco have stated that only a hard reboot, which involves physically disconnecting the device from its power source, is effective in clearing the persistence mechanism from memory.
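The mount-list tampering described above is, in essence, an unexpected entry in a boot-time program list, which is something a defender can baseline and diff. The following is an added example, not code from the CISA/NCSC report or from Cisco: it parses a constructed two-column "mount_point program_path" layout (the real Cisco Service Platform mount list format is not described here, and all paths and directory prefixes are placeholders), compares a live capture against a known-good baseline, and flags entries that are new, that point outside the expected image directories, or that live under a hidden dot-directory.

```python
"""Baseline audit of a boot-time mount/program list (added example).

Assumptions: the two-column layout, the EXPECTED_PREFIXES directories and the
sample entries are all CONSTRUCTED placeholders; they are not Cisco's real
format or paths. The detection idea is what matters: an implant that restores
itself at boot must add or alter an entry, and that delta is visible when the
live list is compared with a baseline captured from a clean device.
"""
from dataclasses import dataclass

# Hypothetical directories under which legitimate programs are expected to live.
EXPECTED_PREFIXES = ("/placeholder/image/", "/placeholder/boot/")

# CONSTRUCTED known-good baseline captured from a clean device.
BASELINE_MOUNT_LIST = """\
# mount_point        program_path   (constructed layout)
/placeholder/run     /placeholder/image/bin/service_a
/placeholder/boot    /placeholder/boot/service_b
"""

# CONSTRUCTED live capture: two extra entries, one in a hidden directory and
# one outside the expected image directories entirely.
LIVE_MOUNT_LIST = """\
# mount_point        program_path   (constructed layout)
/placeholder/run     /placeholder/image/bin/service_a
/placeholder/boot    /placeholder/boot/service_b
/placeholder/boot    /placeholder/boot/.cache/svc_restore
/tmp/x               /tmp/x/helper
"""


@dataclass(frozen=True)
class MountEntry:
    mount_point: str
    program_path: str


def parse_mount_list(text: str) -> list[MountEntry]:
    """Parse the constructed format; '#' starts a comment, blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(parts)}")
        entries.append(MountEntry(parts[0], parts[1]))
    return entries


def is_suspicious_path(path: str, prefixes=EXPECTED_PREFIXES) -> bool:
    """True if the program lives outside the expected directories or under a dot-directory."""
    outside = not path.startswith(prefixes)
    hidden = any(part.startswith(".") for part in path.split("/") if part)
    return outside or hidden


def audit_mount_list(live_text: str, baseline_text: str) -> dict[str, list[MountEntry]]:
    """Compare a live mount list with a baseline and group the findings.

    unexpected      -> entries present live but absent from the baseline
    suspicious_path -> entries whose program path fails is_suspicious_path()
    missing         -> baseline entries no longer present live (tampering too)
    """
    live = parse_mount_list(live_text)
    baseline = parse_mount_list(baseline_text)
    live_set, baseline_set = set(live), set(baseline)
    return {
        "unexpected": [e for e in live if e not in baseline_set],
        "suspicious_path": [e for e in live if is_suspicious_path(e.program_path)],
        "missing": [e for e in baseline if e not in live_set],
    }


if __name__ == "__main__":
    findings = audit_mount_list(LIVE_MOUNT_LIST, BASELINE_MOUNT_LIST)
    for category, entries in findings.items():
        for e in entries:
            print(f"{category:16s} {e.mount_point} -> {e.program_path}")
```

Two caveats follow from the report itself. First, a diff like this only catches the on-disk restoration hook; it says nothing about shellcode already resident in the running process, which is why CISA is collecting memory snapshots rather than configuration files. Second, the baseline must come from a device you trust, ideally one freshly reimaged, because a baseline taken after compromise simply enshrines the implant's entry as "known good".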
Once established, the malware injects malicious shellcode into LINA, the core networking and firewalling code within Cisco’s Adaptive Security Appliance and Firepower Threat Defense software. This embedded code allows the malware to intercept specific types of network requests, particularly those used for VPN authentication. When a request containing a hidden trigger sequence is received, the malware executes code provided by the attackers, effectively creating a backdoor into the device.
Ties to ArcaneDoor Campaign
Cisco Talos has noted significant technical similarities between Firestarter and a previously documented implant named RayInitiator. This suggests that both tools may originate from the same development history within UAT-4356’s toolkit.
In the federal agency incident investigated by CISA, the attackers first deployed a separate implant called Line Viper, which they used to gain access to device configurations, credentials, and encryption keys. Firestarter was installed shortly afterwards, before Cisco’s September 2025 patches were applied to the affected devices. Even after the agency patched its systems, Firestarter remained in place, enabling the attackers to redeploy Line Viper in March, nearly six months after the initial intrusion.
Cisco and CISA have not publicly attributed these espionage attacks to a specific nation-state. However, researchers from Censys previously reported finding strong evidence that a China-based threat group was responsible for the ArcaneDoor campaign. Their investigation into the early 2024 attacks reportedly uncovered links to multiple major Chinese networks and to anti-censorship software developed in China.
The range of Cisco hardware affected by this persistence vulnerability includes the Firepower 1000, 2100, 4100, and 9300 series, as well as the Secure Firewall 1200, 3100, and 4200 series. Cisco has released updated software designed to address the persistence mechanism. However, the company strongly advises reimaging affected devices rather than solely relying on software updates if compromise is suspected.
This incident highlights a growing trend among state-linked hackers: targeting network edge devices that organizations depend on for their security perimeters. Compromising these devices can expose internal network traffic and provide attackers with a vantage point to intercept sensitive credentials and communications.
CISA acknowledged that active exploitation of the underlying vulnerabilities was ongoing at the time of the report’s publication. Organizations are advised to follow CISA’s emergency directive and Cisco’s guidance to secure their networks. The next expected steps involve agencies submitting device memory snapshots for analysis and implementing the recommended remediation strategies. The situation remains dynamic, and further updates from U.S. and UK cybersecurity authorities are anticipated.