Infected Cisco firewalls need cold start to clear persistent Firestarter backdoor


Security researchers have discovered a chilling backdoor aimed at Cisco Systems firewalls that exploits unpatched vulnerabilities to maintain persistence, even after patching. This means that attackers can continue to access compromised devices without re-exploiting the holes.

At risk are devices running Cisco ASA or Firepower software, including certain Firepower and Secure Firewall devices. So far, however, the US Cybersecurity and Infrastructure Security Agency (CISA) has only seen a successful implant of the malware, dubbed Firestarter, in the wild on a Cisco Firepower device running ASA software.

In a joint warning, CISA and the UK’s National Cyber Security Centre urge organizations to look for signs of compromise. To do so, generate a core dump and use the recommended YARA rules to detect Firestarter malware. The YARA rules can also be run against a disk image.

If there is a compromise, unplug the device from all power sources, including backup power, for one minute, reconnect power, and reboot.

“It is not sufficient to power the device off or reboot it,” said the joint advisory. “The device must be entirely removed from all power sources, including duplicate power sources created for redundancy.”

A Firestarter infection may also be erased by reimaging the devices, it said.

In a separate advisory, Cisco’s Talos threat intelligence service said a group it calls UAT-4356 is behind Firestarter, as part of its continued targeting of Firepower devices. Other researchers call the group Storm-1849, and identify the campaign targeting networking devices from Cisco and other vendors as ArcaneDoor, dating back to 2023.

Critical failure in ‘patch and forget’ mentality

CISA believes threat actors compromised Cisco firewalls by exploiting CVE-2025-20333 and/or CVE-2025-20362 early last September, before patches to plug these holes were released.

In the example analyzed by CISA, the hacker then deployed the LineViper shellcode loader to install a VPN that the threat actor could use to access all configuration elements of the compromised Firepower device, including administrative credentials, certificates and private keys. Then the Firestarter backdoor was added and used to link to a command and control server, which allowed the backdoor to persist even after patching. All this happened before patches to the two vulnerabilities were issued.

Firestarter achieves persistence by detecting termination signals and relaunching itself, which is how it can survive firmware updates and device reboots unless a hard power cycle occurs.

“The Firestarter malware represents a critical failure in the ‘patch and forget’ mentality of modern network security,” said IT analyst Rob Enderle of the Enderle Group.

“What makes this attack particularly unusual is its technical resilience and anti-forensic capabilities,” he said. “The malware registers callback functions for termination signals like SIGTERM or SIGHUP, which allows it to automatically relaunch if an admin tries to kill the process. It deep-dives into the LINA engine’s virtual memory to hook the C++ standard library, intercepting WebVPN requests to trigger its payload. By using ‘time stomping’ to mask its file presence and redirecting errors to /dev/null, it remains nearly invisible to traditional discovery tools.”

He underscored the CISA and Cisco advice that, to mitigate damage, an infected device must be physically disconnected from all power sources, including redundant ones, for at least one minute. This ‘cold start’ clears the volatile memory where the malware resides and disrupts its boot-time persistence.

In addition, Enderle said, network admins should modernize administrative controls by using the TACACS+ (Terminal Access Controller Access-Control System) protocol over TLS 1.3 for access control and authentication of users to network devices like routers, switches, and firewalls. TACACS+ generally uses a dedicated TCP port, Enderle said, so any firewall rules will need to be updated to take that into account. Cisco devices will probably need the ISE 3.4 patch (or later) to assure that Identity Services Engine supports this protocol. Similarly, other vendors’ guidance should be consulted before switching to TACACS+ to assure interoperability.

Admins should also strictly audit legacy accounts, which he said are often the path of least resistance for threat actors, to prevent lateral movement.

Cisco devices affected by the Firestarter malware include the Firepower 1000, 2100, 4100, 9300, 1200, 3100 and 4200 Series firewalls, as well as the Secure Firewall 1200, 3100 and 4200 series.