
CISA Releases AR26-113A on the FIRESTARTER Backdoor: What It Means for Cisco ASA, FTD, and Firepower — and How Forward Can Help

  • May 5, 2026

chrisnaish
Employee


If you manage Cisco ASA, Firepower, or Secure Firewall anywhere in your environment, this one demands your immediate attention.

On April 23, 2026, CISA published Analysis Report AR26-113A, a malware analysis report on a backdoor known as FIRESTARTER. The report — issued jointly with the UK’s National Cyber Security Centre — confirms that at least one U.S. federal agency was compromised through a Cisco Firepower device, and that the attackers used FIRESTARTER to maintain persistent access even after the device was patched and rebooted. CISA has urged every organization running Cisco Secure Firewall ASA or Firepower Threat Defense (FTD) software to assess exposure now.

This isn’t a brand-new vulnerability story — the underlying CVEs have been in CISA’s Known Exploited Vulnerabilities (KEV) catalog since September 25, 2025. What’s new is the depth of evidence about how the ArcaneDoor threat actor (tracked by Cisco Talos as UAT-4356) is operating after initial exploitation, and just how persistent their foothold is.


What Happened — and Why the Urgency

This story has been building for a while, and it’s worth understanding the arc.

In September 2025, Cisco disclosed two zero-day vulnerabilities being actively exploited against Cisco Secure Firewall ASA and FTD platforms:

  • CVE-2025-20333 — a buffer overflow (CWE-120) in the VPN web server that enables remote code execution with valid VPN credentials. CVSS v3.1: 9.9.
  • CVE-2025-20362 — a missing authorization flaw (CWE-862) that lets an unauthenticated attacker reach URL endpoints that should require authentication. CVSS v3.1: 6.5.

Chained together, these two CVEs give an unauthenticated attacker remote code execution on the firewall. CISA added both to the KEV catalog and issued Emergency Directive ED 25-03 on September 25, 2025, giving FCEB agencies just 24 hours to identify, assess, and mitigate compromise on Cisco devices.

Most teams I talked to at the time treated this as a patch-and-move-on event. Apply the fixed software release, reboot, done. AR26-113A is the report that says: that wasn’t enough.

The key finding in AR26-113A is the persistence mechanism. FIRESTARTER is a Linux ELF backdoor that hooks into LINA — the core process inside Cisco ASA / FTD that handles network and security functions — and installs itself in a way that survives firmware updates and standard reboots. The malware uses signal-handler tricks and manipulates the Cisco Service Platform mount list (CSP_MOUNT_LIST) so that any attempt to terminate it triggers re-execution. According to CISA and Cisco, the only reliable way to clear the implant from a compromised device is a hard power cycle combined with a clean reimage to fixed software.

In the incident analyzed in AR26-113A, the attackers initially deployed a separate post-exploitation implant called LINE VIPER (capable of executing CLI commands, capturing packets, bypassing VPN AAA, suppressing syslog, harvesting administrator commands, and forcing delayed reboots), and then dropped FIRESTARTER as the long-term foothold. LINE VIPER was used to re-establish access as recently as March 2026 — six months after the original CVEs were patched.

That’s the part that should make every Cisco firewall owner pause. Patching the CVE didn’t necessarily close the door for organizations that were already compromised.


Who Is Affected

The underlying vulnerabilities cover an unusually wide swath of Cisco’s firewall portfolio:

Software | Affected Versions | First Fixed Version
--- | --- | ---
Cisco ASA 9.12 | < 9.12.4.72 | 9.12.4.72
Cisco ASA 9.14 | < 9.14.4.28 | 9.14.4.28
Cisco ASA 9.16 | < 9.16.4.85 | 9.16.4.85
Cisco ASA 9.17 | < 9.17.1.45 | 9.17.1.45
Cisco ASA 9.18 | < 9.18.4.67 | 9.18.4.67
Cisco ASA 9.19 | < 9.19.1.42 | 9.19.1.42
Cisco ASA 9.20 | < 9.20.4.10 | 9.20.4.10
Cisco ASA 9.22 | < 9.22.2.14 | 9.22.2.14
Cisco ASA 9.23 | < 9.23.1.19 | 9.23.1.19
Cisco FTD 7.0+ | see Cisco advisory | per advisory

For the authoritative version matrix and platform applicability (including which hardware models support upgrade paths to fixed releases), refer directly to the Cisco Security Advisory.

Important detail: CVE-2025-20362 is only reachable when VPN web services are enabled, and CVE-2025-20333 requires the WebVPN/AnyConnect interface to be exposed. If your Cisco firewalls are running ASA/FTD purely for L3/L4 enforcement without any VPN web services configured, the network-facing attack vector is reduced. But in my experience, very few large environments have a clean, real-time answer to “which of our ASA/FTD devices have AnyConnect/WebVPN enabled, and which of those are reachable from the internet?” That’s exactly where things get complicated.


What CISA Is Recommending

AR26-113A is technically a Malware Analysis Report (TLP:CLEAR), not a binding directive — but the recommendations are unambiguous:

  1. Upgrade to a fixed software release of ASA or FTD. Cisco assesses with high confidence that doing so breaks the threat actor’s current attack chain.
  2. Hunt for FIRESTARTER on every Cisco ASA / FTD / Firepower device you operate. The strongest indicator on a live device is the presence of a lina_cs process — administrators can run show kernel process | include lina_cs to check. Filenames like lina_cs and svc_samcore.log are also useful, if somewhat brittle, artifacts.
  3. Apply the YARA rules published in the AR26-113A package to disk images and core dumps. Memory analysis is the primary high-confidence detection method.
  4. If compromise is confirmed, do not assume a software upgrade alone will remediate. A hard power cycle plus reimage to fixed code is the guidance.
  5. Report any confirmed activity to CISA.
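
One way to run the hunt in step 2 across output captured from many devices, as an added example (not code from the post, CISA, or Cisco): it parses constructed show kernel process output, flags the process-name indicator the post cites, and checks a constructed file listing for the filename artifacts. The column layout, the paths and the device names are assumptions; real output will differ, which is why the parser locates columns from the header line rather than fixed positions.

```python
"""Triage sweep for the process/file indicators named in AR26-113A.

Added example, not from the post, CISA or Cisco. The 'show kernel process'
column layout, the file listing format and all captures below are constructed.
"""

# Name-based indicators quoted in the post. The post itself calls these
# brittle: treat a miss as "nothing found", never as "device is clean".
PROCESS_IOCS = {"lina_cs"}
FILE_IOCS = {"lina_cs", "svc_samcore.log"}


def parse_process_table(output):
    """Parse a header-led, whitespace-aligned process table into dicts.

    Columns are located from the header line, and the COMMAND column keeps
    its arguments intact, so the parser is not tied to fixed positions.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    cmd_idx = header.index("COMMAND")
    rows = []
    for line in lines[1:]:
        fields = line.split(None, cmd_idx)   # at most cmd_idx+1 fields
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def hunt_processes(output):
    """Rows whose executable basename is a known process indicator."""
    hits = []
    for row in parse_process_table(output):
        exe = row["COMMAND"].split()[0].rsplit("/", 1)[-1]
        if exe in PROCESS_IOCS:
            hits.append(row)
    return hits


def hunt_files(listing):
    """Indicator filenames present in a directory listing (any token per line)."""
    return sorted({tok.rsplit("/", 1)[-1]
                   for line in listing.splitlines()
                   for tok in line.split()
                   if tok.rsplit("/", 1)[-1] in FILE_IOCS})


def sweep(fleet):
    """fleet: {device: {'processes': str, 'files': str}} -> only devices with hits."""
    findings = {}
    for name, cap in fleet.items():
        procs = hunt_processes(cap.get("processes", ""))
        files = hunt_files(cap.get("files", ""))
        if procs or files:
            findings[name] = {
                "processes": [(r["PID"], r["COMMAND"]) for r in procs],
                "files": files,
            }
    return findings


# Constructed captures (layout is an assumption, not real ASA output) ----------
CLEAN = """\
  PID  PPID STAT COMMAND
    1     0 S    /sbin/init
  742     1 S    /asa/bin/lina
  750   742 S    /asa/bin/lina_monitor
"""
SUSPECT = """\
  PID  PPID STAT COMMAND
    1     0 S    /sbin/init
  742     1 S    /asa/bin/lina
  911   742 S    /tmp/lina_cs
"""
FLEET = {
    "fw-edge-1": {"processes": SUSPECT, "files": "-rw-r--r-- 1 root root 4096 svc_samcore.log\n"},
    "fw-core-2": {"processes": CLEAN, "files": "-rw-r--r-- 1 root root 0 startup-config\n"},
}

if __name__ == "__main__":
    for device, hit in sweep(FLEET).items():
        print(device, hit)
```

A device with no hits is not thereby clean: the post notes that these name-based artifacts are brittle and that YARA over disk images and core dumps (step 3) is the high-confidence method. Use the sweep to decide which devices go to memory analysis first, not to close the investigation.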

Even for organizations outside the federal government, this is the clearest public signal yet that ArcaneDoor’s operations are still active in 2026 and that the playbook now includes persistence mechanisms designed to outlast standard remediation.


How Forward Enterprise Can Help

This is exactly the kind of situation where network visibility becomes operationally critical — not just nice to have. There are really three problems to solve at once: find the vulnerable devices, understand which of them are actually reachable by an attacker, and prove they were remediated. Here’s how I’ve seen Forward Enterprise help teams move on all three at the same time:

1. Find Every Affected Device — Instantly, with Context

Forward Enterprise’s network digital twin continuously collects configuration and state from every device in your environment and cross-references it against the NIST NVD and vendor-specific advisories. When a KEV entry like CVE-2025-20333 / CVE-2025-20362 lands, Forward has already done the analysis — what you need is a way to surface the results and act on them quickly.

To that end, here’s an NQE query you can drop directly into Forward Enterprise to identify any device flagged as vulnerable to either of the two CVEs at the heart of AR26-113A. The query embeds the CISA KEV catalog entries — including required action, due date, and the relevant Cisco / CISA advisory links — so everything your team needs to triage and report is in one place:

/*
Find Cisco ASA / FTD / Firepower devices susceptible to CVE-2025-20333 and
CVE-2025-20362, the two CVEs at the heart of CISA AR26-113A (FIRESTARTER backdoor).
While ED 25-03 is written for federal agencies, the threat is relevant to
any organization running Cisco Secure Firewall ASA or FTD software.
Organizations should use the CISA Binding Operational Directive 22-01 catalog
as an input to their vulnerability management prioritization framework.
More info: https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities
AR26-113A:  https://www.cisa.gov/news-events/analysis-reports/ar26-113a
*/
ASARCE =
  """json
[{
    "title": "Cisco ASA / FTD Vulnerabilities Exploited in ArcaneDoor / FIRESTARTER Campaign",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-20333",
            "vendorProject": "Cisco",
            "product": "Adaptive Security Appliance and Firepower Threat Defense",
            "vulnerabilityName": "Cisco ASA and FTD Software Buffer Overflow Vulnerability",
            "dateAdded": "2025-09-25",
            "shortDescription": "Cisco ASA and FTD contain a buffer overflow vulnerability in the VPN web server that could allow an authenticated remote attacker to execute arbitrary code on the affected device.",
            "requiredAction": "Apply mitigations per ED 25-03 and vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2025-09-26",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "Exploited as a zero-day in conjunction with CVE-2025-20362 by UAT-4356 / ArcaneDoor. See https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 ; https://www.cisa.gov/news-events/analysis-reports/ar26-113a ; https://nvd.nist.gov/vuln/detail/CVE-2025-20333",
            "cwes": ["CWE-120"]
        },
        {
            "cveID": "CVE-2025-20362",
            "vendorProject": "Cisco",
            "product": "Adaptive Security Appliance and Firepower Threat Defense",
            "vulnerabilityName": "Cisco ASA and FTD Software Missing Authorization Vulnerability",
            "dateAdded": "2025-09-25",
            "shortDescription": "Cisco ASA and FTD contain a missing authorization vulnerability that could allow an unauthenticated remote attacker to access restricted URL endpoints.",
            "requiredAction": "Apply mitigations per ED 25-03 and vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2025-09-26",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "Exploited as a zero-day in conjunction with CVE-2025-20333 by UAT-4356 / ArcaneDoor. See https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03 ; https://www.cisa.gov/news-events/analysis-reports/ar26-113a ; https://nvd.nist.gov/vuln/detail/CVE-2025-20362",
            "cwes": ["CWE-862"]
        }
    ]
}]
""";
getAllASARCE =
  foreach r in ASARCE
  foreach vuln in r.vulnerabilities
  select vuln.cveID;
getASARCEAttr(NistCve) =
  foreach r in ASARCE
  foreach vuln in r.vulnerabilities
  where matches(vuln.cveID, NistCve)
  select {
    ASARCEAttrId: vuln.cveID,
    ASARCEAttrName: vuln.vulnerabilityName,
    ASARCEAttrAction: vuln.requiredAction,
    ASARCEAttrRansom: if vuln.knownRansomwareCampaignUse == "Known"
                      then true
                      else false,
    ASARCEAttrNotes: vuln.notes,
    ASARCEAttrDue: vuln.dueDate,
    ASARCEAttrVendor: vuln.vendorProject,
    ASARCEAttrProd: vuln.product
  };
getImpactingCves(device) =
  foreach cveFinding in device.cveFindings
  where cveFinding.isVulnerable
  select cveFinding;
getByBasis(impactingCves, basis) =
  foreach cveFinding in impactingCves
  where cveFinding.basis == basis
  select cveFinding.cveId;
foreach device in network.devices
let impactingCves = getImpactingCves(device)
foreach deviceCVE in impactingCves
let ASARCEResult = getASARCEAttr(deviceCVE.cveId)
foreach i in ASARCEResult
where matches(i.ASARCEAttrId, deviceCVE.cveId)
select {
  violation: true,
  Device: device.name,
  NistCVE: deviceCVE.cveId,
  Basis: deviceCVE.basis,
  ASARCEId: i.ASARCEAttrId,
  ASARCEName: i.ASARCEAttrName,
  Remedy: i.ASARCEAttrAction,
  KnownRansomWare: i.ASARCEAttrRansom,
  Notes: i.ASARCEAttrNotes,
  ASARCEVendor: i.ASARCEAttrVendor,
  ASARCEProd: i.ASARCEAttrProd
}

A few things worth noting about how this works. Rather than doing a raw version string comparison, the query reads from device.cveFindings — Forward Enterprise’s own CVE analysis layer, which already accounts for device OS version, enabled features, and vendor-specific advisory data beyond what’s in the NIST NVD alone. That means the isVulnerable flag it filters on reflects a more accurate determination of actual exposure, not just whether a device’s version number falls within a vulnerable range. The Basis field in the output will tell you how that determination was made, which is useful when explaining findings to stakeholders or auditors.

The results surface each vulnerable device alongside the CVE ID, required remediation action, due date, ransomware association status, and the Cisco / CISA advisory links — everything you need to kick off a remediation workflow without pivoting between tools.

2. Prioritize by Real Exposure, Not Just Version

Because CVE-2025-20362 only matters when VPN web services are exposed, and CVE-2025-20333 requires WebVPN/AnyConnect to be reachable, you need more than a version check — you need a configuration-aware determination of risk. Forward’s enhanced CVE analysis already factors in whether the relevant features are enabled, which means the query above is returning devices with actual exposure, not just version matches.

For environments running ASA/FTD purely as L3/L4 firewalls with VPN services disabled, that distinction is the difference between an emergency and a planned maintenance window.

3. Validate Network Exposure and Attack Paths

Knowing a device is vulnerable is one thing. Understanding whether attackers on the internet can actually reach the WebVPN service is another. Forward Enterprise’s path analysis lets you model reachability to your ASA/FTD WebVPN endpoints from external segments, so you can quickly answer: “Is this vulnerable device internet-exposed, or is it protected behind other controls?”

That context matters enormously when you’re triaging a hunt-and-remediate operation against an active campaign and can’t reimage everything simultaneously. Internet-reachable devices with WebVPN enabled go to the front of the queue.

4. Confirm Remediation and Track Compliance Over Time

Once patches are applied — and, where required, devices are reimaged after a hard power cycle — Forward Enterprise gives you verifiable evidence that every ASA/FTD device has been updated to a fixed software release. You can set up a continuous compliance check that flags any Cisco firewall still running a vulnerable version, including devices that get re-deployed, swapped in from spares, or missed in the initial remediation sweep.

This is especially valuable for teams that need to report remediation status to leadership or auditors in the wake of a CISA directive, and even more so when the threat involves a backdoor that can survive standard upgrades.
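
The same two-part determination in plain Python, as an added example (not the post's or Forward Networks' code, and not an NQE query), for teams that collect show version and running-config output outside Forward Enterprise: a version check against the first-fixed matrix from the table in "Who Is Affected", and a check for WebVPN enabled on an interface, which together yield the exposure-aware priority described in section 2 and the recurring "still running a vulnerable version" check described here. The device names, versions and configuration snippets are constructed; FTD trains are omitted because the post defers those to the Cisco advisory.

```python
"""Fleet triage for the AR26-113A CVEs: version check plus WebVPN exposure.

Added example, not from the post or Forward Networks. The fixed-version matrix
is copied from the post; all device names, versions and configs are constructed.
"""
import re
from dataclasses import dataclass, field

# First fixed release per ASA train (from the post's table). FTD trains are
# deliberately absent: the post defers those to the Cisco advisory.
FIRST_FIXED = {
    "9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
    "9.17": "9.17.1.45", "9.18": "9.18.4.67", "9.19": "9.19.1.42",
    "9.20": "9.20.4.10", "9.22": "9.22.2.14", "9.23": "9.23.1.19",
}

# Accepts both "9.18.4.67" and the "9.18(4)67" form printed by 'show version'.
VERSION_RE = re.compile(r"(\d+)\.(\d+)[.(](\d+)[.)](\d+)")


def parse_version(text):
    """Return the 4-part version as a tuple of ints, or None if not found."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_status(text):
    """'fixed' / 'vulnerable' per the matrix, or a reason the matrix can't decide."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    train = f"{v[0]}.{v[1]}"
    if train not in FIRST_FIXED:
        return "unknown-train"   # not in the post's table: consult the advisory
    return "fixed" if v >= parse_version(FIRST_FIXED[train]) else "vulnerable"


def webvpn_interfaces(running_config):
    """Interfaces named in 'enable <nameif>' lines of the top-level 'webvpn' block.

    Only the unindented 'webvpn' block counts; the indented 'webvpn' sub-block
    under 'group-policy ... attributes' does not expose the service by itself.
    """
    enabled, in_webvpn = [], False
    for line in running_config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):           # a new top-level block starts
            in_webvpn = line.strip() == "webvpn"
            continue
        m = re.match(r"\s+enable\s+(\S+)\s*$", line)
        if in_webvpn and m:
            enabled.append(m.group(1))
    return enabled


@dataclass
class Finding:
    name: str
    version: str
    version_status: str
    webvpn_on: list = field(default_factory=list)
    priority: int = 3   # 1 = act now, 2 = planned window, 3 = verify/hunt only


def triage(device):
    """Combine version and configuration into a single priority for one device."""
    status = version_status(device["version"])
    ifaces = webvpn_interfaces(device["config"])
    if status == "fixed":
        priority = 3          # still hunt for FIRESTARTER if it was ever exposed
    elif ifaces:
        priority = 1          # vulnerable code and the VPN web service is up
    else:
        priority = 2          # vulnerable code, but no WebVPN attack surface
    return Finding(device["name"], device["version"], status, ifaces, priority)


def triage_fleet(devices):
    """Sort findings so the devices to touch first come out on top."""
    return sorted((triage(d) for d in devices), key=lambda f: (f.priority, f.name))


# Constructed sample data -----------------------------------------------------
EDGE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
group-policy GP-RA internal
group-policy GP-RA attributes
 webvpn
  anyconnect keep-installer installed
"""
DC_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
group-policy GP-MGMT internal
group-policy GP-MGMT attributes
 webvpn
  anyconnect keep-installer installed
"""
DEVICES = [
    {"name": "fw-edge-1", "version": "Cisco Adaptive Security Appliance Software Version 9.18(4)50", "config": EDGE_CONFIG},
    {"name": "fw-core-2", "version": "9.16.4.85", "config": EDGE_CONFIG},
    {"name": "fw-dc-3", "version": "9.20.3.1", "config": DC_CONFIG},
]

if __name__ == "__main__":
    for f in triage_fleet(DEVICES):
        print(f"P{f.priority} {f.name:10} {f.version_status:12} webvpn={f.webvpn_on}")
```

A "fixed" result only says the device no longer runs vulnerable code; per the post, a device that was exposed while vulnerable still needs the FIRESTARTER hunt and, if compromised, a hard power cycle and reimage. Re-running the script on each new collection is the lightweight form of the continuous check, catching spares and re-deployed units that come back with an older image.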


My Take

What strikes me about AR26-113A is how cleanly it illustrates a problem we talk about a lot at Forward: the gap between “the CVE is patched” and “we know we’re not compromised — and we can prove it.” Plenty of organizations applied the September 2025 fixes within days of ED 25-03 dropping. They were doing the right thing. AR26-113A is the report that says: the right thing wasn’t sufficient on its own, because the threat actor’s persistence technique sat below the layer most patching workflows touch.

That’s not a failure of those security teams. It’s a structural problem with how vulnerability and threat intelligence propagates — initial advisories rarely capture the full attacker tradecraft, and supplementary intelligence often arrives months later. The answer isn’t to manually re-audit your environment every time a CISA report drops; it’s to have a continuously updated, queryable model of your network that lets you ask, on demand: which of my devices were ever vulnerable, which of them were internet-reachable while vulnerable, and which of them are running a clean image now?

If you’re working through your response to AR26-113A and want to talk through how Forward Enterprise can help you find affected Cisco devices, model exposure, or track remediation, feel free to reply here or reach out directly.