US, UK agencies warn hackers were hiding on Cisco firewalls long after patches were applied
ID: 11117bcf-63e0-59a6-90d3-d9f778f06cdc
STIX ID: report--11117bcf-63e0-59a6-90d3-d9f778f06cdc
Feed Name: CyberScoop
A joint CISA and UK NCSC analysis identifies a persistent backdoor, "Firestarter," implanted by a state-linked threat actor (UAT-4356) on Cisco Firepower and ASA devices. The implant survives software updates and standard reboots by modifying the Service Platform mount list and injecting code into core networking components, allowing attackers to execute commands on the device when triggered. The campaign exploited CVE-2025-20333 and CVE-2025-20362 for initial access, is tied to earlier espionage activity (ArcaneDoor/RayInitiator), and has been observed redeploying implants months after the initial compromise, including on devices that had since been patched. The vulnerabilities are under active exploitation against government and critical-infrastructure targets. Cisco recommends reimaging affected devices rather than relying on a patch alone, and agencies were ordered to audit their devices and submit memory snapshots.
