
"FIRESTARTER can persist as an active threat on Cisco devices running ASA or Firepower Threat Defense (FTD) software, maintaining post-patching persistence and enabling threat actors to re-access compromised devices without re-exploiting vulnerabilities."
"The elevated access afforded by LINE VIPER served as a conduit for FIRESTARTER, which was deployed on the Firepower device before September 25, 2025, allowing the threat actors to maintain continued access."
In September 2025, a federal civilian agency's Cisco Firepower device was compromised by FIRESTARTER malware, which serves as a backdoor for remote access. This incident is linked to a widespread campaign by an advanced persistent threat actor exploiting vulnerabilities in Cisco's Adaptive Security Appliance software. Two critical vulnerabilities, CVE-2025-20333 and CVE-2025-20362, were exploited to gain unauthorized access. The threat actors utilized a post-exploitation toolkit called LINE VIPER to maintain access and execute commands, allowing continued control over the compromised device even after patches were applied.
Read at The Hacker News