New Linux FIRESTARTER Backdoor Targets Cisco Firepower Devices
https://hackread.com/linux-firestarter-backdoor-cisco-firepower-devices/
Publish Date: 2026-04-28 07:41:00
Source Domain: hackread.com
The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) released a joint malware analysis report on 23 April 2026 regarding a dangerous new threat: a Linux-based ELF file called FIRESTARTER.
This malware is reportedly the current favourite of Advanced Persistent Threat (APT) actors, as it allows them to maintain persistence on Cisco Firepower and Secure Firewall devices running software such as Adaptive Security Appliance (ASA), which handles basic firewall and VPN tasks, or Firepower Threat Defense (FTD), an advanced firewall system that combines multiple security features.
Attack Details
The agencies detected this campaign in early September 2025. According to their research, initial access was gained by exploiting two known vulnerabilities in Cisco ASA and FTD: CVE-2025-20333, a buffer overflow vulnerability that lets attackers crash the system or run malicious code, and CVE-2025-20362, a missing authorization flaw that lets a user reach restricted areas without permission.
Attackers then deployed LINE VIPER, a post-exploitation implant used to bypass authentication and set up illegitimate VPN sessions to control the network. FIRESTARTER was installed at this stage to serve as a backdoor. A specific sample of this malware was found on a compromised device under the filename lina_cs.
“FIRESTARTER is a Linux Executable and Linkable File (ELF) designed to execute on Cisco Firepower and Secure Firewall devices, serving as a C2 channel for remote access and control… CISA identified suspicious connections on one U.S. FCEB agency’s Cisco Firepower device running ASA software. CISA notified and validated the true positive finding with agency personnel and initiated a forensic engagement. During the engagement, CISA discovered one malware sample named FIRESTARTER on the Firepower device,” the report (PDF) reads.
This backdoor operates through inline hooking (a method where the malware…