Critical Cisco Firepower Vulnerabilities Exploited by Attackers

David kimber
April 25, 2026

Key Takeaways

  • A state-sponsored threat group, UAT-4356, is actively exploiting Cisco Firepower devices.
  • The attackers chain two n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to deploy a sophisticated backdoor named “FIRESTARTER.”
  • FIRESTARTER provides unauthorized remote control and persistence across reboots by altering the device’s boot sequence.
  • The compromise affects Cisco ASA and FTD appliances running Firepower Extensible Operating System (FXOS).
  • Cisco Talos has provided detection and mitigation steps, including reimaging affected devices and applying security updates.

State-sponsored threat actors are actively targeting Cisco Firepower network devices, leveraging a chain of known vulnerabilities to install a highly customized and persistent backdoor. The campaign, attributed to the espionage-focused group UAT-4356, enables attackers to gain deep unauthorized control over compromised networks.


Cisco Talos researchers recently uncovered that UAT-4356 is exploiting two n-day vulnerabilities, identified as CVE-2025-20333 and CVE-2025-20362, to infiltrate environments running Firepower Extensible Operating System (FXOS). This infiltration facilitates the deployment of their advanced implant, “FIRESTARTER.”

UAT-4356 is a group with a history of sophisticated operations, notably orchestrating the “ArcaneDoor” campaign. That prior campaign also focused on compromising network perimeter devices for widespread espionage activities.

In this latest offensive, after gaining initial access, the attackers proceed to install FIRESTARTER. This advanced implant provides persistent, unauthorized remote control over the compromised network infrastructure.

The FIRESTARTER backdoor embeds itself deeply within critical components of Cisco’s ASA and FTD appliances. Specifically, it targets the LINA process, enabling the threat actors to execute arbitrary shellcode directly within the device’s memory.

Malicious Payload Execution and Persistence

To establish a persistent foothold, UAT-4356 manipulates the device’s boot sequence by modifying the Cisco Service Platform mount list. Intriguingly, this persistence mechanism is transient, activating only during a graceful system reboot.

When the device processes a standard termination signal, FIRESTARTER copies itself to a backup log file. It then updates the mount list to ensure its re-execution upon restart.

Once the malicious payload restarts, it performs cleanup operations by restoring the original mount list and deleting any temporary files, thereby attempting to cover its tracks.

Due to the malware’s reliance on specific runlevel states, administrators can completely remove the implant by performing a hard reboot, such as physically disconnecting the hardware from its power source.

During the infection phase, FIRESTARTER meticulously scans the LINA process’s memory for specific byte markers and an executable memory range associated with the shared library framework.

Upon identifying the appropriate memory environment, the malware copies its secondary shellcode into memory and overwrites a legitimate internal data structure. This process effectively replaces a standard WebVPN XML handler function with the attacker’s malicious routine.

FIRESTARTER then actively intercepts incoming WebVPN requests. If an incoming request contains a specific custom prefix, the malware immediately executes the attached shellcode. If the data lacks the required prefix, FIRESTARTER silently forwards the request to the original handler to avoid detection.

Analysts note that this sophisticated loading mechanism bears significant technical resemblance to the deployment tactics observed in the RayInitiator malware.

What You Should Do

Security teams must proactively hunt for FIRESTARTER infections. Cisco Talos Intelligence advises checking for artifact files and unusual processes to prevent further espionage. Organizations should implement the following steps to secure their infrastructure:

  • Actively search for the malicious background process or any temporary core log files hidden on the disk.
  • Reimage all affected devices to definitively clear the FIRESTARTER infection from the system architecture.
  • For FTD software operating outside of lockdown mode, terminate the compromised process and reload the system.
  • Apply critical software upgrades as recommended in Cisco’s Security Advisory and CISA Emergency Directive 25-03.
  • Deploy Snort rules 65340 and 46897 to detect vulnerability exploitation, and rule 62949 to flag backdoor activity.
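The three Snort rules above separate exploitation attempts from backdoor activity, so a quick triage is to group alerts by the targeted appliance and flag hosts that show both. The following is an added example, not code from the article or from Cisco Talos; it assumes alerts in Snort's "alert_fast" text format, the sample lines are constructed, and the SID-to-category mapping is taken from the article's recommendation.

```python
import re
from collections import defaultdict

# Snort SIDs as recommended in the article: two for exploitation of the
# n-day CVEs, one for FIRESTARTER backdoor activity.
EXPLOIT_SIDS = {65340, 46897}
BACKDOOR_SIDS = {62949}

# Matches a Snort alert_fast line: timestamp, [gid:sid:rev], message, then src -> dst.
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(lines):
    """Yield (sid, src, dst) for each well-formed alert line; skip anything else."""
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            yield int(m.group("sid")), m.group("src"), m.group("dst")

def triage(lines):
    """Classify each destination (the ASA/FTD appliance) by which rule families fired.

    Returns {dst: "exploit-attempt" | "backdoor" | "exploit+backdoor"}. A host with
    both exploitation and backdoor hits is the strongest sign the chain succeeded
    and the device needs the reimage step the article describes.
    """
    seen = defaultdict(set)
    for sid, _src, dst in parse_alerts(lines):
        if sid in EXPLOIT_SIDS:
            seen[dst].add("exploit")
        elif sid in BACKDOOR_SIDS:
            seen[dst].add("backdoor")
    verdict = {}
    for dst, kinds in seen.items():
        if kinds == {"exploit", "backdoor"}:
            verdict[dst] = "exploit+backdoor"
        elif "backdoor" in kinds:
            verdict[dst] = "backdoor"
        else:
            verdict[dst] = "exploit-attempt"
    return verdict

# Constructed sample alerts (not real captures); addresses are RFC 5737 test ranges.
SAMPLE_ALERTS = [
    "04/25-10:01:02.000001  [**] [1:65340:1] constructed exploit alert [**] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:443",
    "04/25-10:01:09.000002  [**] [1:62949:1] constructed backdoor alert [**] [Priority: 1] {TCP} 203.0.113.5:51240 -> 192.0.2.10:443",
    "04/25-10:05:30.000003  [**] [1:46897:2] constructed exploit alert [**] [Priority: 1] {TCP} 203.0.113.9:40000 -> 192.0.2.20:443",
    "04/25-10:06:00.000004  [**] [1:1000001:1] unrelated local rule [**] [Priority: 3] {TCP} 198.51.100.1:1 -> 192.0.2.30:22",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_ALERTS).items()):
        print(host, verdict)
```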
