State-Sponsored Threat Actor UAT-4356 Exploits Cisco Firepower Vulnerabilities with Custom Backdoor
A state-sponsored threat actor known as UAT-4356 is actively exploiting known vulnerabilities in Cisco Firepower devices to deploy a sophisticated custom backdoor.
Exploitation of CVE-2025-20333 and CVE-2025-20362
UAT-4356 leveraged two n-day vulnerabilities — CVE-2025-20333 and CVE-2025-20362 — affecting Cisco’s Firepower eXtensible Operating System (FXOS). These flaws allowed the group to gain unauthorized access to targeted devices without relying on zero-day exploits, instead weaponizing already-patched but unmitigated vulnerabilities on unpatched systems.
This threat actor was previously linked to ArcaneDoor, a state-sponsored espionage campaign discovered in early 2024 that targeted network perimeter devices globally.
FIRESTARTER Implant
According to a threat advisory published by Cisco Talos on April 23, 2026, UAT-4356 deployed a custom-built implant called FIRESTARTER once inside a compromised device.
FIRESTARTER injects malicious shellcode directly into the LINA process, a core component of Cisco’s ASA and FTD appliances, enabling remote code execution on the affected hardware.
The backdoor works by replacing a legitimate WebVPN XML handler function in LINA’s memory with a malicious Stage 2 shellcode handler. When the device receives a specially crafted WebVPN request containing specific magic bytes, the embedded shellcode executes silently in memory. Normal traffic without the magic bytes is passed to the original handler, keeping the backdoor hidden during routine operations.
Technical Overlaps with RayInitiator
Security researchers have noted significant technical overlaps between FIRESTARTER and RayInitiator’s Stage 3 shellcode, suggesting shared development resources or tooling among advanced threat actors.
Persistence Mechanism
FIRESTARTER was designed with a clever persistence mechanism. It manipulates Cisco’s CSP_MOUNT_LIST, a configuration that controls commands executed during device boot, to survive graceful reboots.
If the device restarts, FIRESTARTER copies itself to:
/opt/cisco/platform/logs/var/log/svc_samcore.log
And re-executes from:
/usr/bin/lina_cs
Note: A hard power reboot (physically unplugging the device) removes the implant, as the persistence only survives graceful restarts.
Recommended Actions
Cisco strongly recommends organizations apply the latest software upgrades detailed in the official Cisco Security Advisory.
Infected devices can be cleaned by:
- Reimaging
- On non-lockdown FTD systems, by killing the
lina_csprocess and reloading the device
CISA’s Emergency Directive ED 25-03 also provides additional remediation guidance for affected federal and enterprise environments.
Warning Signs for Administrators
Administrators should monitor Firepower devices for the following indicators:
- Unusual network traffic patterns
- Unexpected process activity in LINA
- Presence of suspicious log files in
/opt/cisco/platform/logs/var/log/ - Unexpected behavior during device reboots