Critical Cisco Firepower Vulnerabilities Exploited by Attackers
Key Takeaways
- A state-sponsored threat group, UAT-4356, is actively exploiting Cisco Firepower devices.
- The attackers chain two n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to deploy a sophisticated backdoor named “FIRESTARTER.”
- FIRESTARTER provides unauthorized remote control and persistence across reboots by altering the device’s boot sequence.
- The compromise affects Cisco ASA and FTD appliances running Firepower Extensible Operating System (FXOS).
- Cisco Talos has provided detection and mitigation steps, including reimaging affected devices and applying security updates.
State-sponsored threat actors are actively targeting Cisco Firepower network devices, leveraging a chain of known vulnerabilities to install a highly customized and persistent backdoor. The campaign, attributed to the espionage-focused group UAT-4356, enables attackers to gain deep unauthorized control over compromised networks.
Cisco Talos researchers recently uncovered that UAT-4356 is exploiting two n-day vulnerabilities, identified as CVE-2025-20333 and CVE-2025-20362, to infiltrate environments running Firepower Extensible Operating System (FXOS). This infiltration facilitates the deployment of their advanced implant, “FIRESTARTER.”
UAT-4356 is a group with a history of sophisticated operations, notably orchestrating the “ArcaneDoor” campaign. That prior campaign also focused on compromising network perimeter devices for widespread espionage activities.
In this latest offensive, after gaining initial access, the attackers proceed to install FIRESTARTER. This advanced implant provides persistent, unauthorized remote control over the compromised network infrastructure.
The FIRESTARTER backdoor embeds itself deeply within critical components of Cisco’s ASA and FTD appliances. Specifically, it targets the LINA process, enabling the threat actors to execute arbitrary shellcode directly within the device’s memory.
Malicious Payload Execution and Persistence
To establish a persistent foothold, UAT-4356 manipulates the device’s boot sequence by modifying the Cisco Service Platform mount list. Intriguingly, this persistence mechanism is transient, activating only during a graceful system reboot.
When the device processes a standard termination signal, FIRESTARTER copies itself to a backup log file. It then updates the mount list to ensure its re-execution upon restart.
Once the malicious payload restarts, it performs cleanup operations by restoring the original mount list and deleting any temporary files, thereby attempting to cover its tracks.
Due to the malware’s reliance on specific runlevel states, administrators can completely remove the implant by performing a hard reboot, such as physically disconnecting the hardware from its power source.
During the infection phase, FIRESTARTER meticulously scans the LINA process’s memory for specific byte markers and an executable memory range associated with the shared library framework.
Upon identifying the appropriate memory environment, the malware copies its secondary shellcode into memory and overwrites a legitimate internal data structure. This process effectively replaces a standard WebVPN XML handler function with the attacker’s malicious routine.
FIRESTARTER then actively intercepts incoming WebVPN requests. If an incoming request contains a specific custom prefix, the malware immediately executes the attached shellcode. If the data lacks the required prefix, FIRESTARTER silently forwards the request to the original handler to avoid detection.
Analysts note that this sophisticated loading mechanism bears significant technical resemblance to the deployment tactics observed in the RayInitiator malware.
What You Should Do
Security teams must proactively hunt for FIRESTARTER infections. Cisco Talos Intelligence advises checking for artifact files and unusual processes to prevent further espionage. Organizations should implement the following steps to secure their infrastructure:
- Actively search for the malicious background process or any temporary core log files hidden on the disk.
- Reimage all affected devices to definitively clear the FIRESTARTER infection from the system architecture.
- For FTD software operating outside of lockdown mode, terminate the compromised process and reload the system.
- Apply critical software upgrades as recommended in Cisco’s Security Advisory and CISA Emergency Directive 25-03.
- Deploy Snort rules 65340 and 46897 to detect vulnerability exploitation, and rule 62949 to flag backdoor activity.
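One way to operationalize the last step is to triage Snort alerts for the three rule IDs the article names, rating each targeted device by whether it saw only exploitation attempts or also backdoor activity. The following Python script is an added example, not code from Cisco Talos or HackersRadar; the SIDs 65340, 46897 and 62949 come from the article, while the rule message strings, timestamps and addresses in the sample alert lines are constructed placeholders (the real rule messages are not given on the page):

```python
import re
from collections import defaultdict

# Snort SIDs named in the article: the first two fire on exploitation of the
# chained vulnerabilities, the third on FIRESTARTER backdoor activity.
EXPLOIT_SIDS = {65340, 46897}
BACKDOOR_SID = 62949

# Matches Snort "fast" alert format:
# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alert lines (rule messages, timestamps and RFC 5737 addresses are made up).
SAMPLE_ALERTS = """\
01/15-10:22:33.123456  [**] [1:65340:1] CONSTRUCTED exploit attempt A [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:44321 -> 192.0.2.10:443
01/15-10:22:34.000001  [**] [1:46897:3] CONSTRUCTED exploit attempt B [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:44322 -> 192.0.2.10:443
01/15-10:25:10.500000  [**] [1:62949:1] CONSTRUCTED backdoor traffic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 203.0.113.5:44399 -> 192.0.2.10:443
01/15-11:00:00.000000  [**] [1:1000001:1] CONSTRUCTED unrelated alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.7:51000 -> 192.0.2.10:443
01/15-11:05:00.000000  [**] [1:46897:3] CONSTRUCTED exploit attempt B [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:51234 -> 192.0.2.11:443
"""


def parse_alert(line):
    """Return a dict of fields for one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def triage(alert_text):
    """Group FIRESTARTER-relevant alerts by targeted device (dst) and rate each one.

    A device that produced a backdoor alert is rated 'likely_compromised';
    exploitation alerts alone give 'exploit_attempt'; unrelated SIDs are ignored.
    """
    by_dst = defaultdict(lambda: {"exploit": [], "backdoor": []})
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["sid"] in EXPLOIT_SIDS:
            by_dst[alert["dst"]]["exploit"].append(alert)
        elif alert["sid"] == BACKDOOR_SID:
            by_dst[alert["dst"]]["backdoor"].append(alert)

    report = {}
    for dst, hits in by_dst.items():
        if hits["backdoor"]:
            verdict = "likely_compromised"
        elif hits["exploit"]:
            verdict = "exploit_attempt"
        else:
            continue
        relevant = hits["exploit"] + hits["backdoor"]
        report[dst] = {
            "verdict": verdict,
            "sources": sorted({a["src"] for a in relevant}),
            "sids": sorted({a["sid"] for a in relevant}),
        }
    return report


if __name__ == "__main__":
    for dst, info in triage(SAMPLE_ALERTS).items():
        print(dst, info["verdict"], "from", ", ".join(info["sources"]), "sids", info["sids"])
```

A device rated `likely_compromised` is a candidate for the reimaging step above rather than just the process restart, since the backdoor rule indicates the implant is already active; an `exploit_attempt` rating still warrants checking the device for the artifact files and background process the article describes.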
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.