- Cisco Talos warns of Firestarter, a new malware targeting unpatched Firepower and Secure Firewall device
- UAT‑4356 group exploited flaws CVE‑2025‑20333 and CVE‑2025‑20362 to deploy Line Viper before dropping Firestarter
- CISA confirmed exploitation against at least one federal agency
Security researchers have warned of Firestarter, a brand new custom-built malware which targets unpatched Cisco Firepower and Secure Firewall devices, persisting over reboots, security patches, and even firmware updates.
Experts from Cisco Talos flagged Firestarter only works on devices running Adaptive Security Appliance (ASA), or Firepower Threat Defense (FTD) software. It was built by a threat actor tracked as UAT-4356, a group Cisco has been warning about for at least two years now.
In mid-2024, Cisco said that sophisticated threat actors with possible ties to eastern nation-states were abusing two flaws in Cisco VPNs and firewalls to drop malware. The same group, which is also being tracked as STORM-1849, abused two flaws at the time: CVE-2024-20353 and CVE-2024-20359.
Article continues below
Confirming the breach
This time around, they are abusing a missing authorization issue tracked as CVE-2025-20333, and a buffer overflow bug tracked as CVE-2025-20362, to first deploy Line Viper (a user-mode shellcode loader), before dropping Firestarter.
Line Viber was said to be able to run CLI commands, capture packets, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, steal user CLI commands, and force a delayed device restart.
For at least one Federal Civilian Executive Branch (FCEB) agency, the devices were compromised in the window of time between the patch being released, and being deployed on the devices:
“CISA has not confirmed the exact date of initial exploitation but assesses the compromise occurred in early September 2025, and before the agency implemented patches in accordance with ED 25-03,” CISA said in its security advisory.
By tweaking the startup mount list, the malware makes sure it persists even after reboots.
Those running Firepower and Secure Firewall, and looking for mitigations and workarounds, should read Cisco’s security advisory here. The company said it “strongly recommends” reimaging and upgrading the device using the fixed releases.
Via The Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/kCbP2VkzMgQpYqJDgMQ8UZ-2560-80.jpg
Source link
