State-Sponsored Hackers Exploit Cisco Firepower Vulnerabilities for Network Espionage

State-Sponsored Hackers Exploit Cisco Firepower Devices Using Known Vulnerabilities

State-sponsored cyber actors are actively targeting Cisco Firepower devices by exploiting known vulnerabilities to deploy sophisticated backdoors, granting them unauthorized access and control over compromised networks.

Cisco’s security research team, Talos, has identified that the espionage-focused group UAT-4356 is leveraging two specific vulnerabilities—CVE-2025-20333 and CVE-2025-20362—to infiltrate Firepower Extensible Operating System (FXOS) environments. This group, previously associated with the ArcaneDoor campaign, has a history of targeting network perimeter devices for extensive espionage activities.

In their latest campaign, the attackers utilize their initial access to install FIRESTARTER, an advanced implant that provides unauthorized remote control over compromised networks. This backdoor integrates deeply within the core components of Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) appliances, specifically targeting the LINA process. This allows attackers to execute arbitrary shellcode directly in the device’s memory.

Malicious Payload Execution

To establish a persistent presence, UAT-4356 manipulates the device’s boot sequence by altering the Cisco Service Platform mount list. Notably, this persistence mechanism is transient and activates only during a graceful reboot. Upon receiving a standard termination signal, FIRESTARTER copies itself to a backup log file and updates the mount list to ensure re-execution. Once the malicious payload restarts, it cleans up by restoring the original mount list and deleting temporary files.

The malware relies heavily on runlevel states, meaning administrators can completely remove the implant by performing a hard reboot, such as physically disconnecting the hardware from its power source.

During the infection phase, FIRESTARTER scans the LINA process’s memory for specific byte markers and executable memory ranges associated with the shared library framework. After identifying the appropriate environment, the malware copies its secondary shellcode into memory and overwrites a legitimate internal data structure. This process replaces a standard WebVPN XML handler function with the attacker’s malicious routine, allowing FIRESTARTER to intercept incoming WebVPN requests. If a request matches a specific custom prefix, the malware executes the attached shellcode; otherwise, it forwards the request to the original handler to avoid detection.
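Because the hooked handler only diverts requests that carry the attacker's custom prefix and passes everything else to the original WebVPN handler, one defender-side check is to baseline the path prefixes a portal legitimately serves and flag requests that fall outside it. The following is an added example, not Cisco's or Talos's code: it parses constructed access-log lines in Common Log Format (Cisco does not log in this exact format), uses an assumed allowlist of portal prefixes that you should verify against your own deployment, and uses a made-up `/x7trigger/` path as a stand-in for the unknown real prefix.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format (hypothetical, not real Cisco logs).
# "/x7trigger/cmd" is a made-up placeholder; the real custom prefix is not public here.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Jan/2025:10:00:05 +0000] "POST /+webvpn+/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2025:10:01:11 +0000] "GET /+CSCOU+/css/style.css?v=2 HTTP/1.1" 200 4321',
    '192.0.2.9 - - [10/Jan/2025:10:02:30 +0000] "POST /x7trigger/cmd HTTP/1.1" 200 64',
    '192.0.2.9 - - [10/Jan/2025:10:02:31 +0000] "POST /+CSCOE+/logon.html HTTP/1.1" 302 0',
    'this line is deliberately malformed',
]

# Assumed baseline of legitimate WebVPN portal path prefixes; verify against your own portal.
KNOWN_PREFIXES = {"+CSCOE+", "+CSCOU+", "+webvpn+"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def first_segment(path):
    """First path component with the query string removed: '/+CSCOE+/x?y=1' -> '+CSCOE+'."""
    return path.split("?", 1)[0].strip("/").split("/", 1)[0]

def find_unexpected_requests(lines, known_prefixes=KNOWN_PREFIXES):
    """Return ([(source, path, status), ...], unparsed_count) for requests whose first
    path segment is outside the baseline; malformed lines are counted, not silently dropped."""
    hits, unparsed = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if first_segment(rec["path"]) not in known_prefixes:
            hits.append((rec["src"], rec["path"], rec["status"]))
    return hits, unparsed

def prefix_histogram(lines):
    """Count requests per (source, prefix) so a single client probing odd paths stands out."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[(rec["src"], first_segment(rec["path"]))] += 1
    return counts

if __name__ == "__main__":
    hits, bad = find_unexpected_requests(SAMPLE_LOG)
    for src, path, status in hits:
        print(f"unexpected WebVPN path from {src}: {path} (status {status})")
    print(f"{bad} line(s) could not be parsed")
```

A hit here is only a lead: a hooked handler returns whatever the shellcode produces, so the status code of a flagged request tells you little, and confirmation still requires the on-device checks listed under Detection and Mitigation.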

Analysts have noted that this sophisticated loading mechanism shares substantial technical overlap with RayInitiator’s deployment tactics.

Detection and Mitigation

Security teams are advised to proactively search for FIRESTARTER infections to prevent further espionage activities. Cisco Talos Intelligence recommends the following steps to secure infrastructure:

– Search for malicious background processes or temporary core log files on the disk.

– Reimage all affected devices to definitively clear the FIRESTARTER infection from the system architecture.

– On FTD software running outside of lockdown mode, terminate the compromised process and reload the system.

– Apply critical software upgrades as recommended by Cisco.

By implementing these measures, organizations can enhance their defenses against sophisticated cyber threats targeting Cisco Firepower devices.