Hackers Exploit Cisco Firepower n-day Vulnerabilities to Backdoor Devices

David kimber
April 25, 2026

State-sponsored threat actors are actively exploiting Cisco Firepower devices. They’re chaining known vulnerabilities together to deploy a highly customized backdoor.

Cisco Talos recently discovered that the espionage-focused threat group UAT-4356 is exploiting two n-day vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, to infiltrate Firepower Extensible Operating System (FXOS) environments.

UAT-4356 previously orchestrated the ArcaneDoor campaign, which successfully targeted network perimeter devices to conduct widespread espionage.

In this latest campaign, attackers leverage their initial access to install “FIRESTARTER,” an advanced implant that grants unauthorized remote control over compromised networks.

The FIRESTARTER backdoor embeds itself deep within the core components of Cisco’s ASA and FTD appliances. The malware specifically targets the LINA process, allowing attackers to execute arbitrary shellcode directly in the device’s memory.

Malicious Payload Execution

To establish a foothold, UAT-4356 manipulates the device’s boot sequence by altering the Cisco Service Platform mount list. Interestingly, this persistence mechanism remains entirely transient and only triggers during a graceful reboot.

When the device processes a standard termination signal, FIRESTARTER copies itself to a backup log file. It updates the mount list to guarantee re-execution.

Once the malicious payload restarts, it cleans up its tracks by restoring the original mount list and deleting temporary files.

Because the malware heavily relies on runlevel states, administrators can completely eradicate the implant by performing a hard reboot, such as physically disconnecting the hardware from its power source.

During the infection phase, FIRESTARTER meticulously scans the LINA process’s memory for specific byte markers and an executable memory range associated with the shared library framework.

After locating the appropriate environment, the malware copies its secondary shellcode into memory and overwrites a legitimate internal data structure.

This process successfully replaces a standard WebVPN XML handler function with the attacker’s malicious routine. FIRESTARTER then actively intercepts incoming WebVPN requests.

If an incoming request matches a specific custom prefix, the malware immediately executes the attached shellcode. If the data lacks the required prefix, FIRESTARTER quietly forwards the request to the original handler to evade suspicion.

Analysts note that this sophisticated loading mechanism shares substantial technical overlap with RayInitiator’s deployment tactics.

Detection and Mitigation

Security teams should proactively hunt for FIRESTARTER infections, as Cisco Talos Intelligence advises checking for artifact files and unusual processes to prevent further espionage activity.

Organizations should take the following steps to secure their infrastructure:

  • Search for the malicious background process or the temporary core log file hiding on the disk.
  • Reimage all affected devices to clear the FIRESTARTER infection from the system architecture definitively.
  • On FTD software running outside lockdown mode, kill the compromised process and reload the system.
  • Apply critical software upgrades recommended in Cisco’s Security Advisory and CISA Emergency Directive 25-03.
  • Deploy Snort rules 65340 and 46897 to detect vulnerability exploitation, and rule 62949 to flag backdoor activity.

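The hunt steps above boil down to diffing a live device against a known-good reference. The following is an added triage helper, not code from Cisco Talos or the article; the mount-list and process-list formats, baseline values and the `.log` heuristic are constructed placeholders, and any hit still needs manual confirmation before reimaging.

```python
import re

# Constructed known-good reference values; on a real device, capture these
# from a clean appliance of the same software release.
BASELINE_MOUNTS = {"/ngfw", "/mnt/disk0", "/var/log"}
BASELINE_PROCS = {"lina", "sfmgr", "snort"}
KNOWN_LOGS = {"/var/log/messages"}

def parse_mounts(text):
    """Parse 'device on mountpoint' lines (constructed format) into a set of mountpoints."""
    return {m.group(1) for m in re.finditer(r"^\S+ on (\S+)", text, re.M)}

def parse_procs(text):
    """Parse ps-style 'PID CMD' lines into a set of command basenames."""
    procs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit():
            procs.add(parts[1].rsplit("/", 1)[-1])
    return procs

def find_indicators(mount_text, proc_text, log_files):
    """Report the artefact classes the write-up names: unexpected mount-list
    entries (boot-time re-execution), unknown background processes, and stray
    log files that could be the implant's backup copy. Returns sorted lists."""
    return {
        "mounts": sorted(parse_mounts(mount_text) - BASELINE_MOUNTS),
        "processes": sorted(parse_procs(proc_text) - BASELINE_PROCS),
        "files": sorted(p for p in log_files
                        if p.endswith(".log") and p not in KNOWN_LOGS),
    }

def is_suspicious(findings):
    """True when any artefact class has an unexplained entry."""
    return any(findings.values())

if __name__ == "__main__":
    # Constructed sample snapshot with one anomaly per class.
    mounts = "disk0 on /ngfw\ndisk0 on /mnt/disk0\ntmpfs on /var/log\nloop0 on /var/tmp/restore.log\n"
    procs = "PID CMD\n1 /sbin/init\n200 /ngfw/bin/lina\n210 sfmgr\n220 snort\n999 /var/tmp/.fscheck\n"
    logs = ["/var/log/messages", "/var/log/core_backup.log"]
    print(find_indicators(mounts, procs, logs))
```

A hard reboot clears the in-memory implant, but the mount-list and file checks are what tell you whether a device was touched in the first place.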