Key Findings

- FIRESTARTER backdoor compromised a U.S. federal Cisco Firepower ASA device in September 2025 and persisted even after security patches were applied
- The malware survives firmware updates and device reboots by embedding itself in the boot sequence, requiring a hard power cycle to remove
- APT actors exploited CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) to gain initial access before deploying FIRESTARTER for persistence
- Post-exploitation toolkit LINE VIPER