UAT-4356 Targets Cisco Devices with FIRESTARTER Backdoor

by CyberNewsAI Admin
Vulnerability Watch, Threat Intelligence

Executive Summary

Cisco Talos has identified active targeting of Cisco Firepower devices by the threat actor UAT-4356. The adversary is exploiting n-day vulnerabilities to deploy a custom backdoor, dubbed FIRESTARTER, on devices running the Firepower eXtensible Operating System (FXOS). This implant provides the actor with remote access and the ability to execute arbitrary code within core system processes. UAT-4356 is the same state-sponsored actor previously attributed to the ArcaneDoor espionage campaign. All organizations utilizing affected Cisco products must assume active targeting and implement mitigation guidance immediately.

Key Findings

Threat Actor and Campaign

UAT-4356 is a state-sponsored threat actor focused on network perimeter device exploitation for espionage. Their current activity represents a continuation of tactics observed in the ArcaneDoor campaign from early 2024.

Initial Access Vector

The adversary gains initial access by exploiting two n-day vulnerabilities: CVE-2025-20333 and CVE-2025-20362. These vulnerabilities provide the foothold necessary to deploy the FIRESTARTER backdoor on unpatched Cisco Firepower devices.

FIRESTARTER Backdoor Analysis

FIRESTARTER is a malicious backdoor designed to inject into the LINA process, a core component of Cisco ASA and FTD appliances. By replacing a legitimate WebVPN XML handler function with a malicious routine, the implant can parse incoming traffic. It searches for a custom-defined prefix; if detected, it executes the shellcode payload that follows. If the prefix is not present, traffic is passed to the original handler. This functionality shows significant technical overlap with RayInitiator’s Stage 3 shellcode.

Transient Persistence Mechanism

Persistence is achieved by manipulating the Cisco Service Platform mount list (CSP_MOUNT_LIST). This manipulation causes the device to execute FIRESTARTER during the boot sequence. This mechanism is transient and only triggers on a graceful reboot (runlevel 6). During this process, the implant writes itself to a backup location at /opt/cisco/platform/logs/var/log/svc_samcore.log, modifies the mount list to copy itself to /usr/bin/lina_cs, and executes. Post-execution, it restores the original CSP_MOUNT_LIST to remove traces. A hard reboot (power cycle) will effectively remove the implant from the device.

Detection and IOCs

Host-Based Indicators

The presence of the following files on disk may indicate compromise, though these are considered brittle indicators:

  • /usr/bin/lina_cs
  • /opt/cisco/platform/logs/var/log/svc_samcore.log

System administrators can run the following command to check for the malicious process:
show kernel process | include lina_cs
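As an added triage example (not part of the Talos report or Cisco tooling), the script below checks operator-collected device output against the host-based indicators above. It assumes that `show kernel process` output is laid out like `ps`, with a `COMMAND` column in the header, and that the file listing is one absolute path per line; the sample output is constructed.

```python
"""Triage captured Cisco FTD/ASA output for the FIRESTARTER host indicators."""

# Host-based indicators from the report. They are brittle: an absence of
# matches does not prove the device is clean, and a renamed implant evades them.
IOC_PATHS = {"/usr/bin/lina_cs", "/opt/cisco/platform/logs/var/log/svc_samcore.log"}
IOC_PROCESS = "lina_cs"


def parse_kernel_processes(output: str) -> list[dict]:
    """Parse ps-style output (assumed layout) into {pid, cmd} records.

    The header line is used to locate the COMMAND column so that extra
    columns or trailing arguments do not shift the parse.
    """
    procs, cmd_col = [], None
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if "COMMAND" in fields:
            cmd_col = fields.index("COMMAND")
            continue
        if cmd_col is None or len(fields) <= cmd_col or not fields[0].isdigit():
            continue  # prompt echo, separator, or malformed line
        procs.append({"pid": int(fields[0]), "cmd": fields[cmd_col]})
    return procs


def find_firestarter_indicators(process_output: str, file_listing: str) -> list[str]:
    """Return human-readable findings for any indicator present in the captures."""
    findings = []
    for proc in parse_kernel_processes(process_output):
        # Exact basename match: the legitimate "lina" process must not trigger,
        # and a plain substring filter like `| include lina_cs` would also
        # match unrelated names that merely contain the string.
        if proc["cmd"].rsplit("/", 1)[-1] == IOC_PROCESS:
            findings.append(f"process {IOC_PROCESS} running as pid {proc['pid']}")
    for path in (p.strip() for p in file_listing.splitlines()):
        if path in IOC_PATHS:
            findings.append(f"indicator file present: {path}")
    return findings


# Constructed sample captures, not real device output.
SAMPLE_PROCS = "PID PPID STAT COMMAND\n1 0 S /sbin/init\n1245 1 S /asa/bin/lina\n1302 1 S /usr/bin/lina_cs\n"
SAMPLE_FILES = "/usr/bin/lina\n/usr/bin/lina_cs\n/opt/cisco/platform/logs/var/log/svc_samcore.log\n"

if __name__ == "__main__":
    for finding in find_firestarter_indicators(SAMPLE_PROCS, SAMPLE_FILES):
        print("ALERT:", finding)
```

A device that yields no findings still needs the patch and, per the report, reimaging if compromise is suspected.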

Signature-Based Detection

  • Snort Rules for Vulnerabilities: 65340, 46897 (for CVE-2025-20333 and CVE-2025-20362)
  • Snort Rule for FIRESTARTER: 62949
  • ClamAV Signature: Unix.Malware.Generic-10059965-0

Mitigation and Response

Immediate Actions

  1. Apply Updates: Follow the Cisco Security Advisory and apply all relevant software upgrades to patch CVE-2025-20333 and CVE-2025-20362.
  2. Reimage Devices: The most effective method to ensure complete removal of the FIRESTARTER implant is to reimage affected devices.
  3. Process Termination (Interim): On Cisco FTD devices not in lockdown mode, the implant process can be killed and the device reloaded as a temporary mitigation step:
    > expert
    $ sudo kill -9 $(pidof lina_cs)
    $ exit
    > reboot
    Note: This does not patch the underlying vulnerability. A hard power cycle will also remove the transient implant.

Strategic Guidance

Organizations are strongly advised to review the official Cisco Security Advisory and CISA Emergency Directive ED 25-03 for comprehensive guidance, IOCs, and affected product lists. Impacted organizations should open a TAC request with Cisco for support.
