A state-sponsored threat actor known as UAT-4356 is actively exploiting known vulnerabilities in Cisco Firepower devices to deploy a sophisticated custom backdoor.
UAT-4356 exploited two n-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, affecting Cisco’s Firepower eXtensible Operating System (FXOS).
These flaws allowed the threat actor to gain unauthorized access to targeted devices without needing zero-day capabilities: the group weaponized vulnerabilities for which Cisco had already released fixes, on systems where those fixes had not yet been applied.
This group was previously linked to ArcaneDoor, a state-sponsored espionage campaign uncovered in early 2024 that targeted network perimeter devices globally.
Once inside a compromised device, UAT-4356 deployed a custom-built implant called FIRESTARTER, according to a threat advisory published by Cisco Talos on April 23, 2026.
This backdoor injects malicious shellcode directly into the LINA process, a core component of Cisco’s ASA and FTD appliances, enabling remote code execution on the compromised hardware.
FIRESTARTER works by replacing a legitimate WebVPN XML handler function in LINA’s memory with a malicious Stage 2 shellcode handler.
When the device receives a specially crafted WebVPN request containing specific magic bytes, the embedded shellcode executes silently in memory.
Normal traffic without the magic bytes is passed to the original handler, keeping the backdoor hidden during routine operations.
Security researchers note that FIRESTARTER shares significant technical overlaps with RayInitiator’s Stage 3 shellcode, suggesting shared development resources or tooling among advanced threat actors.
UAT-4356 designed FIRESTARTER with a clever persistence mechanism. It manipulates Cisco’s CSP_MOUNT_LIST, a configuration that controls commands executed during device boot, to survive graceful reboots.
If the device restarts, FIRESTARTER copies itself to /opt/cisco/platform/logs/var/log/svc_samcore.log and re-executes from /usr/bin/lina_cs. Notably, a hard power reboot (physically unplugging the device) removes the implant, as the persistence only survives graceful restarts.
Administrators should check for these warning signs on Firepower devices:
- Suspicious files at /usr/bin/lina_cs or /opt/cisco/platform/logs/var/log/svc_samcore.log
- Any output from running: show kernel process | include lina_cs
- ClamAV signature: Unix.Malware.Generic-10059965-0
- Snort rules 62949, 65340, and 46897 cover FIRESTARTER and related CVEs
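As an added illustration, not code from Cisco Talos or the advisory, the following Python script applies the file and process indicators listed above to command output that has been saved from a device (for example, by an administrator collecting output from several appliances). The process-listing column layout is an assumption, and the sample listing and path list are constructed for the demonstration.

```python
"""Triage helper (added example, not Cisco Talos tooling).

Checks saved command output from a Firepower device for the FIRESTARTER
indicators named in the advisory: the lina_cs process, the /usr/bin/lina_cs
binary and the svc_samcore.log staging file.
"""
import re
from dataclasses import dataclass, field

# File indicators exactly as listed in the advisory text.
IOC_PATHS = {
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
}
# Process name reported by "show kernel process | include lina_cs".
IOC_PROCESS = "lina_cs"


@dataclass
class Findings:
    processes: list = field(default_factory=list)
    files: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.processes or self.files)


def scan_process_output(text: str) -> list[str]:
    """Return process-listing lines that name the lina_cs binary.

    The name is matched as a whole token or as the basename of a full path,
    so the legitimate "lina" process is not reported.
    """
    pattern = re.compile(r"(?:^|[\s/])" + re.escape(IOC_PROCESS) + r"(?=\s|$)")
    return [line.strip() for line in text.splitlines() if pattern.search(line)]


def scan_file_listing(paths) -> list[str]:
    """Return every listed path that is a known indicator path."""
    return sorted(p for p in paths if p in IOC_PATHS)


def triage(process_output: str, present_paths) -> Findings:
    """Combine both checks into one result for a single device."""
    return Findings(
        processes=scan_process_output(process_output),
        files=scan_file_listing(present_paths),
    )


# Constructed sample input (not real device output; column layout assumed):
# the legitimate lina process plus one implant hit.
SAMPLE_PROCESS_OUTPUT = """\
PID   USER   COMMAND
1234  root   /usr/bin/lina
1240  root   /usr/bin/lina_cs
"""
# Constructed list of paths found present on the sample device.
SAMPLE_PATHS = [
    "/usr/bin/lina",
    "/usr/bin/lina_cs",
    "/var/log/messages",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PROCESS_OUTPUT, SAMPLE_PATHS)
    print("suspicious:", result.suspicious)
    for line in result.processes:
        print("process indicator:", line)
    for path in result.files:
        print("file indicator:", path)
```

Because the advisory states that a hard power cycle removes the implant, any positive result from this kind of check is worth preserving (saved output, process list, file copies) before the device is reimaged or reloaded, so that the evidence is not lost with the remediation.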
Cisco strongly recommends organizations apply the latest software upgrades detailed in the official Cisco Security Advisory. Infected devices can be cleaned by reimaging, or on non-lockdown FTD systems, by killing the lina_cs process and reloading the device.
CISA’s Emergency Directive ED 25-03 also provides additional remediation guidance for affected federal and enterprise environments.