Cybersecurity researchers have uncovered an ongoing campaign in which a state-sponsored threat actor, identified as UAT-4356, is actively exploiting known vulnerabilities in Cisco Firepower devices to gain unauthorized access and deploy a highly sophisticated custom backdoor. Notably, the attackers are leveraging two n-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, which impact Cisco’s Firepower eXtensible Operating System (FXOS).
Although these vulnerabilities have already been disclosed and patched, many organizations have yet to apply the necessary updates. As a result, attackers are taking advantage of these gaps, proving that even older vulnerabilities can still pose a significant risk when left unaddressed. Unlike zero-day attacks that require advanced exploit development, this campaign relies on publicly known flaws, making it easier for attackers to compromise systems at scale.
UAT-4356 has previously been linked to the ArcaneDoor espionage campaign, which targeted perimeter network devices worldwide in early 2024. This connection highlights the group’s continued focus on infiltrating critical infrastructure and maintaining long-term access to sensitive environments.
After successfully breaching targeted systems, the attackers deploy a custom-built implant called FIRESTARTER. According to a Cisco Talos advisory published on April 23, 2026, the malware operates by injecting malicious shellcode directly into the LINA process, a core component of Cisco ASA and Firepower Threat Defense (FTD) appliances. Consequently, attackers gain the ability to execute arbitrary commands on compromised devices without raising immediate suspicion.
In addition, FIRESTARTER replaces a legitimate WebVPN XML handler in memory with a malicious Stage 2 shellcode handler. When the system receives a specially crafted WebVPN request containing specific “magic bytes,” the backdoor activates and executes silently. Meanwhile, normal traffic continues to flow through the legitimate handler, allowing the malware to remain hidden during routine operations.
Researchers have also observed strong similarities between FIRESTARTER and RayInitiator’s Stage 3 shellcode, suggesting potential collaboration or shared tools among advanced threat actors. Moreover, the malware uses a clever persistence technique by modifying Cisco’s CSP_MOUNT_LIST configuration, which controls processes executed during system boot.
During a graceful reboot, FIRESTARTER copies itself to system paths and relaunches automatically, ensuring continued access. However, it does not survive a hard power reboot, which provides a temporary mitigation option for affected systems. Even so, experts emphasize that this is not a permanent solution.
Cisco has strongly recommended that organizations apply the latest security patches outlined in its official advisory to prevent exploitation. Additionally, security teams should consider reimaging compromised devices to ensure complete remediation.
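The persistence and remediation points above (the implant relaunches from the boot-time process list on a graceful reboot, a power cycle is only a stop-gap, unpatched devices stay exposed, and drifted devices should be reimaged) can be turned into a small triage routine. The following is an added example and is not code from the article, from Cisco or from Cisco Talos. Everything in it is constructed: the `name=path` boot-list export format is a stand-in for the real CSP_MOUNT_LIST representation, the device names, versions and paths are made up, and `FIXED_VERSION_PLACEHOLDER` is a dummy threshold that must be replaced with the fixed releases named in Cisco's advisory.

```python
import re
from dataclasses import dataclass, field


# Placeholder thresholds, NOT the real fixed releases: the first build that
# contains the fix for CVE-2025-20333 / CVE-2025-20362 must be read from
# Cisco's advisory and substituted here.
FIXED_VERSION_PLACEHOLDER = {
    "FXOS": (99, 0, 0),
    "ASA": (99, 0, 0),
}

# Known-good boot-time process list.  The 'name=path' export format used
# below is a constructed stand-in for the real CSP_MOUNT_LIST representation.
BASELINE_BOOT_LIST = {
    "lina": "/opt/cisco/lina",
    "webvpn": "/opt/cisco/webvpn",
}


@dataclass
class Device:
    name: str
    product: str          # "FXOS" or "ASA"
    version: str          # e.g. "9.16.4"
    boot_list_dump: str   # text of the device's exported boot-process list
    findings: list = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """'9.16.4' -> (9, 16, 4); letters and build tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_unpatched(product: str, version: str) -> bool:
    """True when the running build is older than the (placeholder) fixed build."""
    return parse_version(version) < FIXED_VERSION_PLACEHOLDER[product]


def parse_boot_list(dump: str) -> dict:
    """Parse the constructed 'name=path' export into a dict, skipping comments."""
    entries = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, path = line.partition("=")
        entries[name.strip()] = path.strip()
    return entries


def boot_list_drift(dump: str, baseline: dict = BASELINE_BOOT_LIST) -> dict:
    """Boot-time entries that are new, or whose path differs from the baseline.

    The implant persists by editing this list so it is relaunched on a
    graceful reboot, so any unexplained entry is a high-value finding."""
    current = parse_boot_list(dump)
    return {n: p for n, p in current.items() if baseline.get(n) != p}


def triage(device: Device) -> str:
    """Record findings on the device and return the recommended action.

    Ordering follows the article: the implant survives graceful reboots and
    a power cycle is only temporary, so a device showing persistence drift
    is reimaged before it is patched; a clean but unpatched device just
    needs the update."""
    unpatched = is_unpatched(device.product, device.version)
    drift = boot_list_drift(device.boot_list_dump)
    if unpatched:
        device.findings.append("running a build exposed to CVE-2025-20333 / CVE-2025-20362")
    if drift:
        device.findings.append(f"boot-list drift: {sorted(drift)}")
        return "reimage, then patch"
    return "patch" if unpatched else "no action"


# Constructed sample inventory (names, versions and paths are made up).
CLEAN_DUMP = "# boot-time processes\nlina=/opt/cisco/lina\nwebvpn=/opt/cisco/webvpn\n"
DRIFTED_DUMP = CLEAN_DUMP + "svc=/tmp/constructed_example_path\n"

SAMPLE_INVENTORY = [
    Device("fw-edge-1", "FXOS", "2.14.1", DRIFTED_DUMP),
    Device("fw-edge-2", "ASA", "99.0.1", CLEAN_DUMP),
    Device("fw-edge-3", "FXOS", "2.14.1", CLEAN_DUMP),
]


def triage_inventory(devices=SAMPLE_INVENTORY) -> dict:
    """Map device name -> recommended action."""
    return {d.name: triage(d) for d in devices}


if __name__ == "__main__":
    for d in SAMPLE_INVENTORY:
        print(d.name, "->", triage(d), d.findings)
```

The design choice worth noting is that drift in the boot-time list outranks patch status: patching a device that already carries the implant leaves the persistence entry in place, so the routine always recommends reimaging first and only then applying the update, which matches the advisory's guidance to reimage compromised devices rather than rely on a reboot.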
Ultimately, this campaign serves as a stark reminder that unpatched systems remain a major security risk. As threat actors increasingly exploit known vulnerabilities, organizations must prioritize timely updates and proactive monitoring to defend against persistent and stealthy cyber threats.