Government Networks Compromised: What the FIRESTARTER Backdoor Teaches Small Businesses About Network Security

A sophisticated backdoor called FIRESTARTER infected a U.S. federal agency's Cisco firewall — and survived security patches. Here's what that means for small businesses relying on network appliances to stay safe.

When most people think about government-level cyberattacks, they assume the lesson is simple: keep your software patched. But a recent disclosure from CISA is challenging that assumption in a big way — and the implications reach well beyond federal agencies.

What Happened

In September 2025, an unnamed U.S. federal civilian agency discovered that its Cisco Firepower device — running Adaptive Security Appliance (ASA) software — had been compromised by a sophisticated backdoor called FIRESTARTER. What made this especially alarming: the malware persisted even after security patches were applied.

CISA and the UK's National Cyber Security Centre (NCSC) jointly assessed that FIRESTARTER is part of a "widespread" campaign by an advanced persistent threat (APT) actor — the kind of highly organized, well-resourced attacker typically associated with nation-state espionage.

The attackers exploited two now-patched vulnerabilities in Cisco ASA software:

  • CVE-2025-20333 (CVSS score: 9.9) — allowed an authenticated remote attacker with valid VPN credentials to execute arbitrary code as root by sending crafted HTTP requests.
  • CVE-2025-20362 (CVSS score: 6.5) — allowed an unauthenticated remote attacker to access restricted URL endpoints by sending crafted HTTP requests.

Read those two together rather than as one critical bug and one minor one: a flaw that lets an unauthenticated attacker reach restricted endpoints is the natural way to satisfy the "authenticated" precondition of the first, so the 6.5 score undersells its role.

But patching those flaws didn't solve the problem. As The Hacker News reported, devices compromised before patching may remain compromised: the update closes the entry point, but it does not remove a FIRESTARTER implant that is already in place.

How FIRESTARTER Actually Works

FIRESTARTER is a Linux ELF binary — a type of executable that runs natively on Linux-based systems like those powering Cisco's network appliances. What makes it uniquely dangerous is how deeply it embeds itself.

According to CISA's malware analysis report, the malware installs itself into the device's boot sequence by manipulating a startup mount list, ensuring it reactivates every time the device reboots normally. It intercepts termination signals so it can't simply be killed like a normal process.

The malware goes further by hooking into LINA — Cisco's core engine for network processing and security functions — allowing it to intercept XML handling and execute attacker-supplied shellcode. It activates its payload only after verifying victim-specific identifiers embedded in WebVPN traffic, which makes it extremely targeted and hard to detect through generic scans: a scanner that does not present the right identifiers sees nothing unusual.

Perhaps most troubling: Security Affairs notes that the attackers initially deployed a separate post-exploitation toolkit called LINE VIPER, which could execute CLI commands, capture network packets, suppress syslog messages, bypass VPN authentication, and harvest user commands. FIRESTARTER was then deployed on top of LINE VIPER as a persistence mechanism — essentially a backdoor to the backdoor.

The only reliable fix? Reimage the device and cold restart it, literally pulling the power cord. As Cisco noted, "The shutdown, reboot, and reload CLI commands will not clear the malicious persistent implant, the power cord must be pulled out and plugged back in the device."

Why This Matters for Small Businesses

You might be thinking: We're not a federal agency. We don't run Cisco Firepower hardware. Why does this matter to us?

The lesson here isn't about Cisco specifically — it's about the dangerous assumption that patching equals protection.

Small businesses across Yuba City and everywhere else often rely on network edge devices — firewalls, VPN appliances, routers — as their primary line of defense. Many of these devices get configured once and then largely forgotten. Patches might get applied when prompted, but active monitoring? Forensic audits? Rarely.

This attack illustrates a pattern that Check Point Software's threat intelligence group manager Sergey Shykevich described plainly: network perimeter devices "are infrequently patched, and offer a persistent, low-visibility foothold into compromised environments." Even for a federal agency with dedicated security teams, it took proactive continuous monitoring to detect FIRESTARTER in the first place.

For small businesses, this translates into a few concrete takeaways:

1. Patch, But Don't Stop There

Applying firmware updates is necessary — but as this incident proves, it isn't sufficient if a device was compromised before patching. You need to know the state of your devices before and after updates. In practice that means a baseline you can compare against: the running software version, a configuration backup, and, where the device supports it, a core dump taken before the upgrade, since an update that silently carries an implant forward looks identical to a clean one from the version number alone.

2. Inventory Your Network Edge Devices

CISA specifically recommends inventorying network edge devices, especially Cisco systems, and monitoring for suspicious activity. Do you know every device sitting on the perimeter of your network? Many small businesses don't have a current, accurate picture.

3. Assume Breach Mentality for Network Appliances

If any of your network devices have been exposed to the internet — and virtually all firewalls and VPN appliances are — they need to be treated as potentially compromised, not just potentially vulnerable. Behavioral monitoring, log review, and periodic audits matter.

4. Least Privilege and Strong Access Controls

CISA recommends auditing privileged accounts, enforcing least privilege, rotating passwords regularly, and using secure protocols like TACACS+ over TLS 1.3. Even without enterprise-grade gear, the principle applies: limit who can access what, and review it regularly.

5. A Reboot Isn't a Reset

Most business owners assume rebooting a device clears problems. FIRESTARTER proves that sophisticated malware can survive reboots — and in this case, even the software upgrade that closed the vulnerability it came in through. If you suspect compromise, normal restart procedures may do nothing.
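As an added example of what the "log review" from takeaways 1 and 3 can look like in practice (this is not CISA's or Cisco's tooling, and the log lines are constructed for the demo), the script below reads Cisco ASA syslog as a collector would hold it, flags silent windows where a normally chatty firewall stopped logging (exactly the effect of the syslog suppression LINE VIPER provides, and also what an outage looks like, so both get a look), and lists restarts, tagging each as operator-initiated or unexplained. The timestamp layout, the 30-minute gap threshold and the message IDs and text it keys on (%ASA-5-111008 for an executed 'reload', %ASA-6-199002 "Startup completed") are assumptions; check them against the syslog reference for your own ASA release.

```python
"""Triage Cisco ASA syslog for silent windows and restarts.

Added example, not CISA's or Cisco's tooling. The log layout, message IDs and
thresholds are assumptions; verify them against your ASA release's syslog guide.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real capture): two firewalls forwarding to one collector.
SAMPLE_LOG = """\
Mar 10 2026 08:00:05 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.7/443 (203.0.113.7/443) to inside:10.0.0.15/51544 (10.0.0.15/51544)
Mar 10 2026 08:04:51 fw-edge-01 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.7/443 to inside:10.0.0.15/51544 duration 0:04:46 bytes 8212 TCP FINs
Mar 10 2026 08:09:12 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.4/443 (198.51.100.4/443) to inside:10.0.0.22/50120 (10.0.0.22/50120)
Mar 10 2026 09:31:40 fw-edge-01 %ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:10.0.0.22/50131 (10.0.0.22/50131)
Mar 10 2026 09:35:02 fw-edge-01 %ASA-6-302014: Teardown TCP connection 1003 for outside:198.51.100.9/443 to inside:10.0.0.22/50131 duration 0:03:22 bytes 1190 TCP FINs
Mar 10 2026 08:00:09 fw-branch-02 %ASA-6-302013: Built outbound TCP connection 5001 for outside:203.0.113.50/80 (203.0.113.50/80) to inside:10.1.0.8/44010 (10.1.0.8/44010)
Mar 10 2026 08:07:30 fw-branch-02 %ASA-6-302013: Built outbound TCP connection 5002 for outside:203.0.113.50/80 (203.0.113.50/80) to inside:10.1.0.8/44011 (10.1.0.8/44011)
Mar 10 2026 08:12:44 fw-branch-02 %ASA-5-111008: User 'admin' executed the 'reload' command.
Mar 10 2026 08:15:58 fw-branch-02 %ASA-6-199002: Startup completed.  Beginning operation.
Mar 10 2026 08:16:10 fw-branch-02 %ASA-6-302013: Built outbound TCP connection 5003 for outside:203.0.113.50/80 (203.0.113.50/80) to inside:10.1.0.8/44012 (10.1.0.8/44012)
"""

# Assumed collector layout: "<Mon D YYYY HH:MM:SS> <host> %ASA-<sev>-<id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$"
)
TS_FMT = "%b %d %Y %H:%M:%S"


def parse_asa_log(text):
    """Parse collector text into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], TS_FMT), "host": m["host"],
                           "sev": int(m["sev"]), "msgid": m["msgid"], "msg": m["msg"]})
    return events


def _by_host(events):
    """Group events by device and sort each device's events by time."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    for evs in per_host.values():
        evs.sort(key=lambda e: e["ts"])
    return per_host


def find_log_gaps(events, max_gap_minutes=30):
    """Per host, windows longer than max_gap_minutes with no messages at all.
    A production edge firewall logs continuously, so silence is either an outage
    or suppressed logging; both deserve a look."""
    limit = timedelta(minutes=max_gap_minutes)
    gaps = {}
    for host, evs in _by_host(events).items():
        found = [(a["ts"], b["ts"]) for a, b in zip(evs, evs[1:]) if b["ts"] - a["ts"] > limit]
        if found:
            gaps[host] = found
    return gaps


def find_reboots(events, reload_window_minutes=15):
    """Per host, startup-completed events, tagged operator_initiated when an
    executed 'reload' command was logged within the window before them.
    An explained restart is not a clean bill of health: reload, reboot and
    shutdown do not clear an implant like FIRESTARTER; a power-cycle is needed."""
    window = timedelta(minutes=reload_window_minutes)
    reboots = {}
    for host, evs in _by_host(events).items():
        found = []
        for i, e in enumerate(evs):
            if "startup completed" not in e["msg"].lower():
                continue
            explained = any("'reload'" in p["msg"] and e["ts"] - p["ts"] <= window for p in evs[:i])
            found.append({"at": e["ts"], "operator_initiated": explained})
        if found:
            reboots[host] = found
    return reboots


def triage(text, max_gap_minutes=30):
    """Human-readable findings per host from raw syslog text."""
    events = parse_asa_log(text)
    findings = defaultdict(list)
    for host, gaps in find_log_gaps(events, max_gap_minutes).items():
        for start, end in gaps:
            findings[host].append(f"log gap {start:%H:%M:%S} to {end:%H:%M:%S} ({end - start})")
    for host, boots in find_reboots(events).items():
        for b in boots:
            kind = "operator-initiated restart" if b["operator_initiated"] else "UNEXPLAINED restart"
            findings[host].append(f"{kind} at {b['at']:%H:%M:%S}")
    return dict(findings)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_LOG).items():
        print(host)
        for item in items:
            print("  -", item)
```

On the sample, fw-edge-01 shows an 82-minute silence and fw-branch-02 shows a restart that an administrator's reload explains. Neither result proves anything on its own: the gap may be a collector outage, and the explained restart was a warm reload, which Cisco says does not clear this implant. The point is that both are things a periodic review would surface and a patch-only routine never would. Tune the gap threshold to each device's normal message rate; a quiet branch firewall will need a longer one than a busy edge device.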

What Should You Do Now

If your business uses Cisco ASA or Firepower devices, follow Cisco's advisory guidance and consider initiating a TAC (Technical Assistance Center) request for support. CISA has also published YARA detection rules specifically for identifying FIRESTARTER in disk images or core dumps.

More broadly, this is a good time to revisit whether your network security appliances are actively monitored — not just updated. Passive patch management is no longer enough when attackers are building tools specifically designed to survive it.

If you're unsure about the security posture of your business network or need help evaluating what's running on your perimeter, we're happy to take a look. Our business IT services include network security assessments for small businesses that want real visibility, not just the comfort of a patched firmware version number.

The FIRESTARTER incident is a stark reminder: in modern cybersecurity, detection and continuous monitoring are just as important as patching. The attackers aren't stopping at the front door anymore — they're building hidden rooms inside the walls.

Tags
Cybersecurity Small Business IT Vulnerability Patch Management