Firestarter malware survives Cisco firewall updates, security patches
ID: fd086420-526e-5b80-a1ba-00ddd4c172d0
STIX ID: report--fd086420-526e-5b80-a1ba-00ddd4c172d0
Feed Name: Bleeping Computer
Cybersecurity agencies warn of a sophisticated backdoor named Firestarter, used by a threat actor that Cisco Talos tracks as UAT-4356 to maintain persistent access on Cisco ASA/FTD devices. The attack chain involved exploiting CVE-2025-20333 and/or CVE-2025-20362, deploying a user-mode loader (Line Viper) to harvest credentials and keys, and installing an ELF implant that hooks into the LINA process so that it survives reboots, firmware updates, and security patches. CISA, the NCSC, and Cisco have published YARA detection rules, IOCs, and remediation guidance, which includes reimaging affected devices.
