U.S. and British cybersecurity authorities disclosed Thursday that a state-sponsored hacking group has embedded a custom backdoor on Cisco network security devices. The malware, which survives firmware updates and standard reboots, marks a significant escalation in a campaign targeting government and critical infrastructure networks since at least late 2025.
The Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) jointly published a malware analysis report identifying the backdoor, code-named Firestarter. Cisco’s threat intelligence division, Talos, attributed the malware to a threat actor it tracks as UAT-4356. The same group was previously linked to a 2024 espionage campaign called ArcaneDoor, which focused on compromising network perimeter devices.
CISA confirmed it discovered Firestarter on a U.S. federal civilian agency’s Cisco Firepower device after identifying suspicious connections through continuous network monitoring. The discovery prompted an updated emergency directive issued Thursday, requiring all federal civilian agencies to audit their Cisco firewall infrastructure and submit device memory snapshots for analysis by Friday.
How the Backdoor Evades Detection and Removal
The central concern driving the updated directive is the attack group’s ability to persist on compromised devices, even after enterprises applied security patches Cisco released in September 2025. Those patches addressed two vulnerabilities:
- CVE-2025-20333: A remote code execution flaw in the VPN web server component, exploitable by an attacker who holds valid VPN credentials.
- CVE-2025-20362: A missing-authorization flaw in the same VPN web server that lets an unauthenticated attacker reach URL endpoints that should require a login; chained with CVE-2025-20333, it removes the credential requirement and yields unauthenticated code execution.
UAT-4356 exploited these flaws to gain initial entry. According to CISA, devices compromised before patching may still harbor the implant.
Firestarter achieves persistence by manipulating the Cisco Service Platform mount list, a configuration file that governs which programs execute during the device's boot sequence. When the implant receives a termination signal or the device enters a reboot, it copies itself to a secondary location and rewrites the mount list so that the copy is restored and relaunched once the system comes back online. Critically, a standard software reboot does not remove the implant: the termination signal it receives is exactly the trigger it uses to re-persist. Only a hard reboot, physically disconnecting the device from its power supply, clears the persistence mechanism from memory, according to both CISA and Cisco. Because a power cycle also destroys the volatile evidence, any memory snapshot the directive asks for should be captured before the device is power-cycled.
From there, the malware injects shellcode into LINA, the core networking and firewalling process of Cisco's Adaptive Security Appliance and Firepower Threat Defense software. Once embedded, the implant hooks the handling of a specific type of network request normally used for VPN authentication. When a request arrives containing a hidden trigger sequence, it executes attacker-supplied code, giving the operators a backdoor into the device without any further exploitation.
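The soft-versus-hard-reboot behaviour described above is easier to reason about with a small model. The following is an added illustration, not Cisco's code or the Firestarter implant: the mount list, the implant's termination handler, the "reboot" routines and the baseline entries are all constructed stand-ins that run entirely in memory, and the real file names and formats are not on this page. What it shows is why a software reload (including the reload that follows a patch install) relaunches the implant, why a power cycle does not, and what a defender compares against to spot the rewritten boot list.

```python
"""Model of boot-list persistence that survives a software reload but not a
power cycle. Added example; all names and entries below are hypothetical."""

from dataclasses import dataclass, field

# Constructed baseline of what the boot list should contain (hypothetical).
BASELINE_MOUNT_LIST = ["/boot/lina", "/boot/snmpd"]
# Hypothetical secondary location the implant copies itself to.
IMPLANT_ENTRY = "/tmp/.fs_loader"


@dataclass
class Platform:
    """State that survives a software reload but is lost on a power cycle."""
    mount_list: list = field(default_factory=lambda: list(BASELINE_MOUNT_LIST))
    scratch: dict = field(default_factory=dict)   # secondary storage
    running: list = field(default_factory=lambda: list(BASELINE_MOUNT_LIST))
    patched: bool = False                         # on-flash software version


def implant_on_terminate(platform: Platform) -> None:
    """Termination handler of the modelled implant: copy itself to a
    secondary location and rewrite the mount list so the copy relaunches."""
    platform.scratch[IMPLANT_ENTRY] = b"implant-bytes"
    if IMPLANT_ENTRY not in platform.mount_list:
        platform.mount_list.append(IMPLANT_ENTRY)


def soft_reboot(platform: Platform) -> None:
    """Software reload: every running program gets a termination signal, then
    whatever the mount list names is relaunched. Platform memory survives."""
    if IMPLANT_ENTRY in platform.running:
        implant_on_terminate(platform)        # the signal is the trigger
    platform.running = [entry for entry in platform.mount_list
                        if entry in BASELINE_MOUNT_LIST
                        or entry in platform.scratch]


def hard_reboot(platform: Platform) -> None:
    """Power cycle: in-memory state is gone, boot list is rebuilt from the
    baseline, so nothing relaunches the implant."""
    platform.mount_list = list(BASELINE_MOUNT_LIST)
    platform.scratch = {}
    platform.running = list(BASELINE_MOUNT_LIST)


def apply_patch(platform: Platform) -> None:
    """Patching fixes the entry vector on flash and ends with a software
    reload; it does not touch the in-memory persistence state."""
    platform.patched = True
    soft_reboot(platform)


def unexpected_mount_entries(platform: Platform, baseline=BASELINE_MOUNT_LIST):
    """Defender check: boot-list entries that are not in the known baseline."""
    return [entry for entry in platform.mount_list if entry not in baseline]


def scenario() -> dict:
    """Compromise before patching, patch, check, then power-cycle."""
    p = Platform()
    p.running.append(IMPLANT_ENTRY)   # initial access via the CVE chain (not modelled)
    apply_patch(p)
    result = {
        "implant_running_after_patch": IMPLANT_ENTRY in p.running and p.patched,
        "flagged_entries": unexpected_mount_entries(p),
    }
    hard_reboot(p)
    result["implant_running_after_power_cycle"] = IMPLANT_ENTRY in p.running
    return result


if __name__ == "__main__":
    print(scenario())
```

The point of the model is the ordering: the reload delivers the termination signal first and only then rebuilds the process list from the mount list, so an implant that reacts to the signal by editing that list always wins. A baseline comparison of the boot list, taken from a known-good device of the same software version, is the check that exposes the extra entry; a power cycle removes it but also removes the evidence.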
Connections to Ongoing Cyber Espionage Campaign
Cisco Talos noted that Firestarter shares significant technical similarities with a previously documented implant called RayInitiator, suggesting the tools share a common origin or development history within UAT-4356’s arsenal.
In the federal agency incident analyzed by CISA, the attackers first deployed a separate implant, called Line Viper, to gain access to device configurations, credentials, and encryption keys. Firestarter was installed shortly after, prior to Cisco’s September 2025 patches being applied to those specific devices. When the agency patched its systems, Firestarter remained on the devices, and the actors used it to redeploy additional malicious payloads.