Threat Bulletin

Cisco ASA/FTD Firewalls Backdoored by Nation-State Actor – FIRESTARTER

Alert Essentials

Nation-state actor UAT-4356 has deployed a persistent backdoor called FIRESTARTER on Cisco ASA and Firepower Threat Defense (FTD) devices, exploiting CVE-2025-20333 and CVE-2025-20362 — both CISA KEV-listed. Applying Cisco’s September 2025 patches does not remove an existing implant; FIRESTARTER survives firmware updates and reboots. A hard power cycle plus Cisco’s April 2026 FXOS-layer update is required for full eviction. Any ASA or FTD device with WebVPN enabled before September 26, 2025, should be treated as potentially compromised until verified clean.

Threat Description

UAT-4356 chained two vulnerabilities to gain unauthenticated root-level code execution on target devices. CVE-2025-20362 (CWE-862, missing authorization) is a trivially exploitable flaw in the WebVPN component: crafted HTTP(S) requests reach restricted URL endpoints without authentication. CVE-2025-20333 (CWE-120, buffer overflow) is then triggered through those endpoints with further crafted HTTPS requests to execute arbitrary code as root. A precursor implant, LINE VIPER, was deployed first; it established unauthorized VPN sessions using dormant accounts and exfiltrated the full device configuration, including administrative credentials, certificates, and private keys, before FIRESTARTER was installed as the persistence layer.

FIRESTARTER is a Linux ELF binary that manipulates the Cisco Service Platform (CSP) mount list in the FXOS base layer to persist across reboots. It hooks into LINA — the core network processing engine — by modifying an XML handler and injecting shellcode into memory. A covert trigger embedded in WebVPN request handling allows the actor to load and execute attacker-supplied payloads on demand without re-exploiting the original vulnerabilities. Active adversary re-access to compromised federal infrastructure was confirmed as recently as March 2026, seven months after initial exploitation.

Healthcare Impact

A compromised perimeter device undermines clinical network segmentation, exposing EHR systems, medical devices, and biomedical infrastructure to lateral movement that endpoint tools won’t detect. Stolen credentials and certificates from affected devices should be treated as fully compromised. If patient data was accessible through the breached segment, HIPAA breach notification obligations apply.

Affected CVEs

CVE-2025-20333
  Impacted versions: ASA releases earlier than the fixed release on each branch: 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.17.1.45, 9.18.4.67, 9.19.1.42, 9.20.4.10, 9.22.2.14, 9.23.1.19; FTD releases earlier than 7.0.8.1 (see the Cisco advisory for the fixed release on later FTD branches)
  Fix: See the Cisco advisory for the fixed release by branch
  CVSS: 9.9
  CWE: CWE-120
  CISA KEV: Yes (ED 25-03)
  Tenable plugin: 265943

CVE-2025-20362
  Impacted versions: same ASA and FTD branches as CVE-2025-20333
  Fix: See the Cisco advisory for the fixed release by branch
  CVSS: 6.5
  CWE: CWE-862
  CISA KEV: Yes (ED 25-03)
  Tenable plugin: 265966

Note: Devices with Secure Boot enabled are not affected by the FIRESTARTER persistence mechanism. Verify Secure Boot status per Cisco advisory.

Recommendations

Patching & Remediation

  • Treat all internet-facing Cisco ASA and FTD devices that had WebVPN/AnyConnect enabled before September 26, 2025, as potentially compromised regardless of patch status.
  • Apply the September 2025 patches for CVE-2025-20333 and CVE-2025-20362 if not already done; fixed releases are available from Cisco’s Software Download portal at https://software.cisco.com/download/home. Do not stop here: these patches close the entry point but do not remove an implant that is already installed.
  • Apply Cisco’s April 2026 FXOS-layer update, which targets the FIRESTARTER persistence mechanism; it is described on Cisco’s security advisory page at https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks.
  • Perform a hard power cycle (physically unplug power) on all affected devices after patching; a standard reboot is insufficient to remove FIRESTARTER.

Detection / Compromise Assessment

  • Run the CISA Core Dump and Hunt procedure on all in-scope devices before or immediately after a hard reset. Detailed steps and submission instructions are in CISA’s ED 25-03 update at https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices.
  • Check for FIRESTARTER presence from the Cisco CLI with "show kernel process | include lina_cs"; any matching output indicates compromise.
  • Apply CISA’s published YARA rules against disk images or core dumps — rules are included in the CISA Malware Analysis Report AR26-113A.
  • Run Tenable plugins 265943 (CVE-2025-20333) and 265966 (CVE-2025-20362) against all ASA/FTD devices to confirm patch coverage.
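As an added example (not code from the bulletin, Cisco, CISA or Tenable), the Python script below checks a device's "show version" output against the fixed ASA releases listed in the table above and then applies the bulletin's rule that a device which had WebVPN enabled before September 26, 2025 still needs a compromise assessment even when it is already patched. The fixed-release table is transcribed from this page; the sample "show version" lines are constructed for the example, not captured from a real device; FTD releases are not covered because the page lists only one; and the field names in the result dictionary are the example's own.

```python
import re

# Fixed ASA releases per branch, transcribed from this bulletin's version table
# (the September 2025 patches for CVE-2025-20333 and CVE-2025-20362).
# Branches not listed here (for example 9.13 or 9.15) have no fixed release on
# the page; the script reports them as unknown rather than guessing.
FIXED_ASA = {
    "9.12": "9.12.4.72",
    "9.14": "9.14.4.28",
    "9.16": "9.16.4.85",
    "9.17": "9.17.1.45",
    "9.18": "9.18.4.67",
    "9.19": "9.19.1.42",
    "9.20": "9.20.4.10",
    "9.22": "9.22.2.14",
    "9.23": "9.23.1.19",
}

# ASA's "show version" prints the release as 9.16(4)85; advisories write 9.16.4.85.
_SHOW_VERSION_RE = re.compile(r"Software Version\s+(\d+)\.(\d+)\((\d+)\)(\d+)")


def parse_show_version(output):
    """Return the running release as a 4-tuple of ints, or None if not found."""
    match = _SHOW_VERSION_RE.search(output)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def _to_tuple(dotted):
    return tuple(int(part) for part in dotted.split("."))


def patch_status(version):
    """Classify a parsed release against the fixed release for its branch.

    'fixed'          - at or above the fixed release on a listed branch
    'vulnerable'     - below the fixed release on a listed branch
    'unknown-branch' - branch not in the table; check the Cisco advisory
    """
    branch = "%d.%d" % (version[0], version[1])
    fixed = FIXED_ASA.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "fixed" if version >= _to_tuple(fixed) else "vulnerable"


def assess(show_version_output, webvpn_enabled_before_cutoff):
    """Combine patch status with the bulletin's exposure rule.

    webvpn_enabled_before_cutoff: True if WebVPN/AnyConnect was enabled on the
    device before 2025-09-26. Per the bulletin such devices need a compromise
    assessment (core dump and hunt, hard power cycle, April 2026 FXOS update)
    even when already patched, because patching does not evict FIRESTARTER.
    """
    version = parse_show_version(show_version_output)
    if version is None:
        return {"version": None, "status": "unparsed", "action": "inspect-manually"}
    status = patch_status(version)
    if webvpn_enabled_before_cutoff:
        action = "compromise-assessment"
    elif status == "fixed":
        action = "none"
    elif status == "vulnerable":
        action = "patch"
    else:
        action = "consult-advisory"
    return {"version": ".".join(str(p) for p in version), "status": status, "action": action}


# Constructed sample output (not captured from a real device), using the
# format ASA's "show version" prints for the software release line.
SAMPLE_VULNERABLE = (
    "Cisco Adaptive Security Appliance Software Version 9.16(4)62\n"
    "Device Manager Version 7.16(1)\n"
)
SAMPLE_FIXED = "Cisco Adaptive Security Appliance Software Version 9.18(4)67\n"
SAMPLE_UNLISTED = "Cisco Adaptive Security Appliance Software Version 9.15(1)15\n"

if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE),
                          ("fixed", SAMPLE_FIXED),
                          ("unlisted", SAMPLE_UNLISTED)):
        print(label, assess(sample, webvpn_enabled_before_cutoff=True))
```

The version comparison is deliberately per branch: a device on 9.18.4.70 is fixed even though 9.20.4.10 is numerically higher, and a branch missing from the table is reported rather than assumed safe. Feed the script the output of "show version" collected from each appliance in the inventory, and treat "compromise-assessment" as the trigger for the core dump and hard power cycle steps above regardless of the patch status it reports.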

Credential & Certificate Hygiene

  • Rotate all credentials, VPN certificates, and private keys associated with any potentially compromised device; LINE VIPER is designed specifically to exfiltrate this data, so anything present in the device configuration should be assumed stolen.
  • Audit dormant or unused VPN user accounts — LINE VIPER leveraged these to establish unauthorized sessions; remove or disable any accounts not actively in use.

Admin / Executive Recommendations

  • If compromise is confirmed via core dump or CLI check, treat this as an active security incident. This triggers HIPAA breach analysis obligations and may require notification to HHS OCR within 60 days if patient data was accessible through the compromised segment.
  • Inventory every appliance running ASA or FTD software, not only the ASA 5500-X Series; CISA has expanded the scope of ED 25-03 beyond the original ASA 5500-X Series to any device running affected software on FXOS-based hardware.
  • Engage Cisco TAC for incident response support on confirmed compromises. Cisco has provided dedicated guidance and tooling for this campaign.


From Fortified Health Security

Fortified Health Security is committed to maturing your healthcare organization’s cybersecurity posture. We will monitor and update this bulletin as the situation progresses.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

Should you have any questions about this threat or any other issue you are facing, please reach out to us. We’re here to help you on your cybersecurity journey.

Email: connect@fortifiedhealthsecurity.com    Phone: 615-600-4002