VYPR
breach · Published Apr 23, 2026 · Updated May 18, 2026 · 1 source

UAT-4356's FIRESTARTER Backdoor Targets Cisco Firepower Devices via N-Day Exploits

Cisco Talos has identified that threat actor UAT-4356 is actively exploiting n-day vulnerabilities in Cisco Firepower FXOS devices to deploy a custom backdoor named FIRESTARTER, which achieves persistence through CSP_MOUNT_LIST manipulation and executes arbitrary shellcode within the LINA process.

Cisco Talos has uncovered an ongoing campaign by threat actor UAT-4356 targeting Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). The group is exploiting two n-day vulnerabilities — CVE-2025-20333 and CVE-2025-20362 — to gain unauthorized access and deploy a custom backdoor dubbed FIRESTARTER. This backdoor shares significant technical overlap with the RayInitiator Stage 3 shellcode, which parses XML-based payloads sent to endpoint APIs. UAT-4356 was previously attributed by Cisco Talos to the ArcaneDoor campaign in early 2024, a state-sponsored effort focused on compromising network perimeter devices for espionage.

FIRESTARTER is a malicious implant that provides remote access and control, allowing the threat actor to execute arbitrary code inside the LINA process — a core component of Cisco's ASA and FTD appliances running FXOS. The backdoor establishes persistence by manipulating the mount list for the Cisco Service Platform (CSP), specifically the CSP_MOUNT_LIST, to execute FIRESTARTER during the device's boot sequence. This persistence mechanism triggers during a graceful reboot, when a process termination signal is received. FIRESTARTER also checks the runlevel for value 6 (indicating a reboot) and, if matched, writes itself to a backup location and updates the CSP_MOUNT_LIST to re-execute after reboot. Notably, a hard reboot (e.g., after power loss) effectively removes the implant.

Once injected into the LINA process, FIRESTARTER replaces a pre-defined handler function with a malicious routine that parses incoming data. Specifically, it intercepts WebVPN XML requests and checks for a specific pattern of custom-defined prefixing bytes. If the magic bytes are present, the shellcode that follows is executed in memory. If not, the data is passed to the original handler. This loading mechanism, Stage 2 shellcode, handler function replacement, and XML parsing for magic bytes all display considerable overlaps with RayInitiator's Stage 3 deployment actions and artifacts.

The backdoor's injection process involves reading the LINA process memory to verify specific byte patterns, then locating an executable memory region in the libstdc++.so shared library. It copies the Stage 2 shellcode to the last 0x200 bytes of that region and overwrites a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. The shellcode is triggered during the authentication API's request handling, parsing incoming data for the magic markers that signal an executable payload.

Cisco has released a security advisory with mitigation and detection guidance, including indicators of compromise (IOCs) and software upgrade recommendations. The presence of files named 'lina_cs' and 'svc_samcore.log' on the device may indicate compromise. Commands such as 'show kernel process | include lina_cs' can help detect the implant. For comprehensive detection, Cisco advises referring to its advisory and CISA's update to Emergency Directive 25-03. Organizations can also initiate a TAC request for support.
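The following is an added triage helper, not code from Cisco, Talos or Vypr, that applies the two host indicators named above (a 'lina_cs' entry in 'show kernel process' output, and the files 'lina_cs' or 'svc_samcore.log' on disk) to output an analyst has already collected from a device. The process-list layout and the file paths in the sample are constructed for the example; real FXOS/FTD output may differ, so the parser only relies on a numeric PID in the first column and the command name in the last.

```python
"""
Triage helper for the FIRESTARTER host indicators described in the
Cisco/Talos guidance:
  * a 'lina_cs' process in `show kernel process | include lina_cs` output
  * files named 'lina_cs' or 'svc_samcore.log' on the device

Added example, not Cisco's or Talos's code. The process-list format and
the sample paths below are constructed approximations.
"""
from dataclasses import dataclass

# Indicator values are the ones quoted in the article; anything else is assumed.
IOC_FILENAMES = {"lina_cs", "svc_samcore.log"}
IOC_PROCESS = "lina_cs"


@dataclass
class Finding:
    kind: str       # "process" or "file"
    evidence: str   # human-readable pointer to what matched


def parse_kernel_process(output: str) -> list[dict]:
    """Parse whitespace-separated process rows, skipping headers and blanks.

    Assumption: PID is the first column and the command is the last column.
    """
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        rows.append({"pid": int(parts[0]), "cmd": parts[-1]})
    return rows


def find_ioc_processes(output: str) -> list[Finding]:
    """Flag any process whose command name contains the indicator string."""
    return [Finding("process", f"pid={r['pid']} cmd={r['cmd']}")
            for r in parse_kernel_process(output)
            if IOC_PROCESS in r["cmd"]]


def find_ioc_files(paths: list[str]) -> list[Finding]:
    """Match on the basename so the indicator fires in any directory."""
    return [Finding("file", p) for p in paths
            if p.rsplit("/", 1)[-1] in IOC_FILENAMES]


def triage(process_output: str, file_listing: list[str]) -> dict:
    """Combine both indicator checks into a single verdict plus evidence."""
    findings = find_ioc_processes(process_output) + find_ioc_files(file_listing)
    return {"suspected_compromise": bool(findings), "findings": findings}


# Constructed sample data (not real device output).
SAMPLE_PROCESS_OUTPUT = """\
PID   PPID  STATE  CMD
1     0     S      init
1337  1     S      lina
2048  1337  S      lina_cs
"""
SAMPLE_FILES = ["/var/log/messages", "/tmp/svc_samcore.log", "/var/tmp/lina_cs"]

if __name__ == "__main__":
    result = triage(SAMPLE_PROCESS_OUTPUT, SAMPLE_FILES)
    for f in result["findings"]:
        print(f"[{f.kind}] {f.evidence}")
    print("suspected compromise:", result["suspected_compromise"])
```

Run it against output captured from the device before any power-cycle: the article notes that a hard reboot removes the implant, which also removes this evidence, so a graceful reboot or reload should likewise wait until the process list and file listing have been collected.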

Mitigation options include reimaging affected devices to fully remove the infection. On Cisco FTD software not in lockdown mode, administrators can kill the lina_cs process and reload the device. Open-source Snort Subscriber Rule Set customers can download the latest rule pack for detection. This campaign underscores the persistent threat to network perimeter devices and the importance of timely patching and monitoring for signs of compromise.

Synthesized by Vypr AI