UAT-4356 Exploits Cisco Firepower to Deploy FIRESTARTER Backdoor
A state-sponsored threat actor tracked as UAT-4356 is actively targeting Cisco Firepower devices, exploiting two known vulnerabilities to gain unauthorized access and deploy a sophisticated custom FIRESTARTER backdoor.
Cisco Talos researchers have confirmed the campaign, warning that the implant achieves deep persistence within the device’s core processes.
Two n-Day Vulnerabilities Under Active Exploitation
The campaign abuses two n-day flaws in Cisco’s Firepower eXtensible Operating System (FXOS), specifically within the VPN web server component:
- CVE-2025-20362 — An authentication bypass flaw allowing unauthenticated remote attackers to access restricted URL endpoints without credentials
- CVE-2025-20333 — A buffer overflow vulnerability enabling remote authenticated attackers to execute arbitrary code as root
Together, these flaws create a chained attack path: the first vulnerability provides initial access, while the second enables full root-level code execution.
Once inside, UAT-4356 installs the FIRESTARTER implant deep within the device’s LINA process, the core component of Cisco Firepower’s data plane.
The implant injects malicious shellcode directly into LINA’s memory by hijacking a legitimate WebVPN XML handler function, replacing its pointer with a malicious Stage 2 shellcode address.
When a specially crafted WebVPN request arrives carrying custom magic-byte prefixes, the backdoor executes the embedded payload entirely in memory, making detection significantly harder.
FIRESTARTER processes XML-based payloads through endpoint APIs, a technique that suggests shared tooling or development infrastructure between threat actors.
For persistence, UAT-4356 manipulates Cisco's CSP_MOUNT_LIST, a configuration that controls which programs are executed at boot, so that FIRESTARTER is relaunched after a graceful reboot.
The implant writes itself to /opt/cisco/platform/logs/var/log/svc_samcore.log and copies itself back to /usr/bin/lina_cs upon each restart.
Notably, a hard power cycle completely removes the implant, according to Cisco, as the persistence mechanism does not survive a full power loss.
Detection Artifacts
Defenders should inspect Firepower devices for the following indicators of compromise:
- Suspicious files at /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log
- Output from: show kernel process | include lina_cs
- ClamAV signature: Unix.Malware.Generic-10059965-0
- Snort rules: 62949 (FIRESTARTER), 65340, and 46897 (CVE-2025-20333 and CVE-2025-20362)
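As an added example (not Cisco's or Talos's code), here is a small Python triage helper that checks the three indicator types above against constructed sample evidence; the file paths, process name and Snort rule ids come from the article, while the process-listing and alert line layouts are assumed and not real FTD output.

```python
import re
from typing import Iterable

# Indicators quoted in the article above (the only page-specific values used here).
IMPLANT_PATHS = {
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
}
IMPLANT_PROCESS = "lina_cs"
SNORT_SIDS = {
    62949: "FIRESTARTER",
    65340: "CVE-2025-20333 / CVE-2025-20362",
    46897: "CVE-2025-20333 / CVE-2025-20362",
}
# Snort alerts carry the rule id as [gid:sid:rev]; the sid is the second field.
SNORT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def triage(file_listing: Iterable[str], process_output: Iterable[str],
           snort_alerts: Iterable[str]) -> list[str]:
    """Return findings from a file listing, process output and Snort alerts."""
    findings = []
    present = {line.strip() for line in file_listing}
    for path in sorted(IMPLANT_PATHS):
        if path in present:
            findings.append(f"file present: {path}")
    # Same test as `show kernel process | include lina_cs`: substring match per line.
    for line in process_output:
        if IMPLANT_PROCESS in line:
            findings.append(f"process running: {line.strip()}")
    for line in snort_alerts:
        m = SNORT_ID_RE.search(line)
        if m and int(m.group(2)) in SNORT_SIDS:
            findings.append(f"snort sid {m.group(2)} ({SNORT_SIDS[int(m.group(2))]})")
    return findings


# Constructed sample evidence; process and alert line layouts are assumed, not real FTD output.
SAMPLE_FILES = ["/usr/bin/lina", "/usr/bin/lina_cs",
                "/opt/cisco/platform/logs/var/log/svc_samcore.log"]
SAMPLE_PROCS = ["  412 root /usr/bin/lina", "  987 root /usr/bin/lina_cs"]
SAMPLE_ALERTS = ["[**] [1:62949:1] <rule message> [**]",
                 "[**] [1:1000001:1] <unrelated local rule> [**]"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_PROCS, SAMPLE_ALERTS):
        print(finding)
```

Any non-empty result should be escalated per the mitigation steps below, since the article notes the implant survives graceful reboots but not a hard power cycle.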
In early 2024, Cisco Talos linked this group to ArcaneDoor, a sophisticated state-sponsored espionage campaign that targeted perimeter network devices globally.
The group’s continued focus on Cisco infrastructure signals a deliberate, long-term strategy to establish persistent footholds within critical network environments.
Mitigation
Cisco urges organizations to take immediate action:
- Apply all applicable software upgrades outlined in Cisco’s Security Advisory
- Reimage affected devices to eliminate a FIRESTARTER infection fully
- On FTD devices not in lockdown mode, kill the lina_cs process and reload the device
- Review CISA's Emergency Directive ED 25-03 for additional compromise indicators
- Open a Cisco TAC support request if a compromise is suspected
- Download the latest Snort Subscriber Rule Set from Snort.org for full vulnerability coverage
Security teams should treat any Cisco Firepower anomaly as a high-priority incident. Perimeter network devices remain a prime target for state-sponsored actors precisely because they sit at the edge of enterprise defenses, are often under-monitored, and are highly privileged.