
Hackers Exploit Cisco Firepower N-Day Vulnerabilities for Unauthorized Access


Exploitation of Cisco Firepower Devices by State-Sponsored Actor UAT-4356

A state-sponsored threat actor, identified as UAT-4356, has recently been reported to actively exploit established vulnerabilities in Cisco Firepower devices. The group utilizes a sophisticated custom backdoor, specifically designed to circumvent existing security measures, thereby posing a considerable threat to cybersecurity.

The vulnerabilities being exploited are classified as n-day vulnerabilities—CVE-2025-20333 and CVE-2025-20362. These flaws impact Cisco’s Firepower eXtensible Operating System (FXOS). UAT-4356’s tactics reveal a strategic preference for targeting systems that have not yet been patched, even when patches exist for known vulnerabilities. This approach allows them to gain unauthorized access without the need for zero-day exploits, thereby increasing their chances of successfully infiltrating vulnerable devices across various networks.

UAT-4356 has previously been linked to an espionage initiative known as ArcaneDoor, which was uncovered in early 2024. This widespread campaign aimed at global network perimeter devices, accentuating the risk posed by state-sponsored cyber threats. Once UAT-4356 successfully infiltrates a device, they deploy a custom implant designated as FIRESTARTER, as detailed in a recent threat advisory published by Cisco Talos on April 23, 2026.

FIRESTARTER operates by injecting malicious shellcode directly into the LINA process, a core component of Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) appliances. The implant manipulates a legitimate WebVPN XML handler function residing in LINA’s memory, replacing it with a malicious Stage 2 shellcode handler. This manipulation allows for remote code execution on the compromised hardware—a capability that could enable the threat actor to execute commands discreetly and continue their nefarious activities unnoticed.

When the compromised device receives a specially crafted WebVPN request that contains predetermined magic bytes, the embedded shellcode is activated silently within memory, leading to a stealthy deployment of the backdoor. Regular traffic that does not include these magic bytes is passed to the legitimate handler, disguising the presence of FIRESTARTER during normal operation.

Security researchers have noted significant technical similarities between FIRESTARTER and the Stage 3 shellcode associated with another threat group known as RayInitiator. This overlap suggests the potential use of shared development resources or infrastructure among various advanced threat actors, highlighting how interconnected and collaborative these cybercriminal enterprises can be.

The design of FIRESTARTER also includes a cunning persistence mechanism. It alters Cisco’s CSP_MOUNT_LIST—a configuration setting that dictates commands executed during device boot—ensuring its re-execution through graceful reboots. Specifically, should the device undergo a restart, FIRESTARTER autonomously copies itself to the file path /opt/cisco/platform/logs/var/log/svc_samcore.log and re-executes from /usr/bin/lina_cs. It is noteworthy that only a hard power reboot, such as physically disconnecting the device from power, can eliminate the implant, as the persistence mechanism is not equipped to endure such abrupt power loss.

Cisco advises network administrators to monitor their Firepower devices for specific warning signs that may indicate compromise. These signs include suspicious files located at /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log, unusual output from the command show kernel process | include lina_cs, and alerts from security software like ClamAV, which has signatures to detect embedded threats. Additionally, Snort rules 62949, 65340, and 46897 provide essential coverage for FIRESTARTER and related vulnerabilities.
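The host-based indicators listed above (the two file paths and the lina_cs process name) can be checked mechanically once an administrator has captured a process listing and a file inventory from the device. The following triage script is an added example written for this article; it is not Cisco's or Talos's tooling. It assumes the captured text has already been pulled off the appliance, and the column layout of the sample process listing is constructed for illustration, not the real output format of show kernel process.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Indicators as relayed in the Cisco Talos advisory summarised above.
SUSPICIOUS_PATHS = frozenset({
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
})
SUSPICIOUS_PROCESS = "lina_cs"


@dataclass(frozen=True)
class Finding:
    kind: str      # "process" or "file"
    evidence: str  # raw line or path that triggered the finding


def check_process_listing(text: str) -> list[Finding]:
    """Return one Finding per line of a captured process listing that names lina_cs.

    The \\b anchors keep the legitimate "lina" process from matching while still
    catching "lina_cs" whether it appears bare or as /usr/bin/lina_cs.
    """
    pattern = re.compile(r"\b" + re.escape(SUSPICIOUS_PROCESS) + r"\b")
    return [Finding("process", line.strip())
            for line in text.splitlines() if pattern.search(line)]


def check_file_paths(paths: Iterable[str]) -> list[Finding]:
    """Return one Finding per inventoried path that matches a known implant location."""
    return [Finding("file", p.strip()) for p in paths if p.strip() in SUSPICIOUS_PATHS]


def triage(process_listing: str, file_paths: Iterable[str]) -> list[Finding]:
    """Combine both checks; an empty list means no listed indicator was present."""
    return check_process_listing(process_listing) + check_file_paths(file_paths)


# Constructed sample data for a self-contained run. The column layout is NOT
# the real format of "show kernel process"; it only stands in for a capture.
SAMPLE_PROCESSES = """\
PID   PPID  CMD
1234  1     /usr/bin/lina
1250  1234  /usr/bin/lina_cs
1300  1     /bin/sh
"""
SAMPLE_FILES = [
    "/usr/bin/lina",
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
    "/var/log/messages",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(f"[{finding.kind}] {finding.evidence}")
```

A hit from this script is a reason to escalate, not proof of compromise on its own; it should be read alongside the Snort and ClamAV coverage mentioned above, and an absence of hits says nothing about a device that has not yet been rebooted into its persistence path.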

The technology giant strongly recommends that organizations implement the latest software upgrades outlined in their official security advisory. Devices found to be infected can be cleansed through various means, including complete reimaging or, for non-lockdown FTD systems, terminating the lina_cs process and reloading the device.

To further bolster cybersecurity measures, the Cybersecurity and Infrastructure Security Agency (CISA) has also issued Emergency Directive ED 25-03, which offers additional remediation instructions tailored for affected federal and enterprise environments.

As cyber threats evolve, organizations are urged to remain vigilant and proactive in their response to such state-sponsored threats. Continuous monitoring, immediate patching of known vulnerabilities, and adherence to security advisories will significantly enhance defenses against advanced persistent threats like UAT-4356.
