Firestarter is a persistent backdoor malware deployed through exploitation of Cisco Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) linked to the ArcaneDoor espionage campaign by a China-linked state-sponsored actor (UAT-4356). The malware hooks into Lina, the firewall's core network processing engine, enabling execution of arbitrary shell code and remote control. It achieves persistence by modifying the Cisco Service Platform mount list to execute during boot but removes itself after a reboot, allowing removal via a hard power cycle. Despite Cisco's patches for the vulnerabilities, infected devices remain compromised until the malware is manually removed. CISA mandates federal agencies to upload core dumps for analysis and perform hard resets by specified deadlines to ensure removal.

The malware provides attackers with remote access and control over infected Cisco firewall devices, enabling espionage activities. It maintains persistence through firmware patches, meaning that patched devices infected prior to remediation remain compromised. This undermines the firewall's security functions and potentially exposes sensitive federal agency network traffic and infrastructure to state-sponsored espionage. The impact is significant for affected federal agencies relying on these firewall models, as infection compromises device integrity and network security.

Cisco has released patches for the exploited vulnerabilities (CVE-2025-20333 and CVE-2025-20362), which federal agencies must apply immediately. However, patching alone does not remove the Firestarter backdoor. Agencies must upload device core dumps to the Malware Next Gen portal for compromise verification and notify CISA if infected. The malware can be removed by performing a hard reboot (power cycling) of the device, which restores the original boot configuration and removes the trojanized components. CISA's Emergency Directive 25-03 mandates these actions with deadlines for patching, verification, and hard resets. Following CISA's updated guidance is critical to fully remediate the threat.