
State-Sponsored UAT-4356 Deploys FIRESTARTER Backdoor on Cisco Firepower Devices via Chained N-Day Vulnerabilities

dark6 26 April 2026

State-sponsored threat actors are actively targeting Cisco Firepower network security devices by chaining two known vulnerabilities to deploy a highly customized and stealthy backdoor dubbed FIRESTARTER. Cisco Talos researchers have attributed the campaign to UAT-4356, an espionage-focused nation-state group previously responsible for the ArcaneDoor campaign.

The Threat Actor: UAT-4356 and ArcaneDoor

UAT-4356 previously orchestrated the ArcaneDoor campaign, a sophisticated operation that successfully targeted network perimeter devices — including Cisco ASA appliances — to conduct widespread espionage. Network edge devices are a preferred target for advanced persistent threat (APT) groups because they sit between internal networks and the internet, providing persistent and difficult-to-detect access while processing all inbound and outbound traffic.

In this latest campaign, UAT-4356 has evolved its tradecraft, chaining already-patched (n-day) vulnerabilities in Cisco’s Firepower Extensible Operating System (FXOS) to deploy an updated implant with more advanced evasion capabilities.

The Vulnerabilities Exploited

Cisco Talos identified two n-day vulnerabilities being chained by UAT-4356:

  • CVE-2025-20333: A vulnerability in the Cisco Firepower Extensible Operating System (FXOS) that allows attackers to gain initial unauthorized access to affected appliances.
  • CVE-2025-20362: A secondary flaw that is chained with CVE-2025-20333 to expand the attacker’s foothold and enable the installation of the FIRESTARTER implant.

Both are n-day vulnerabilities: patches were available at the time of exploitation, but many organizations had not yet applied them, which highlights the critical importance of timely patching on network security appliances.

FIRESTARTER: An Advanced Stealthy Implant

The FIRESTARTER backdoor is a sophisticated piece of malware specifically engineered for Cisco’s ASA and FTD appliances. It embeds itself within the core components of the device, targeting the LINA process to execute arbitrary shellcode directly in device memory. Key capabilities include:

  • Boot sequence manipulation: FIRESTARTER establishes persistence by altering the Cisco Service Platform mount list, ensuring re-execution during graceful reboots.
  • Self-cleanup: Upon activation, the malware restores the original mount list and deletes temporary files to erase forensic traces.
  • WebVPN request interception: FIRESTARTER intercepts incoming WebVPN requests and matches them against a custom prefix. Matching requests trigger execution of attached shellcode; non-matching requests are silently forwarded to the legitimate handler to avoid detection.
  • Memory injection: The malware scans the LINA process memory for specific byte markers, then overwrites a legitimate internal data structure to replace a standard WebVPN XML handler function with its malicious routine.

Notably, FIRESTARTER’s persistence is transient — the implant only survives graceful reboots. A hard reboot (physically disconnecting power) will completely eradicate the implant, providing a reliable remediation path for affected organizations.

Technical Overlap with RayInitiator

Cisco Talos analysts note that FIRESTARTER’s sophisticated loading mechanism shares substantial technical overlap with RayInitiator’s deployment tactics, suggesting either shared tooling, shared developers, or deliberate technique sharing among advanced threat groups targeting network infrastructure.

Detection and Remediation Guidance

Cisco Talos advises organizations to proactively hunt for FIRESTARTER infections using the following approach:

  • Search for malicious background processes or temporary core log files on disk that match known FIRESTARTER artifacts.
  • Reimage all affected devices to definitively clear the infection from the system architecture.
  • On FTD software operating outside lockdown mode: kill the compromised process and reload the system.
  • Apply critical software upgrades recommended in Cisco’s Security Advisory and CISA Emergency Directive 25-03.
  • Deploy Snort rules 65340 and 46897 to detect exploitation attempts against the chained vulnerabilities.
  • Review WebVPN logs for unusual prefixed requests that may indicate FIRESTARTER command-and-control activity.
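The last hunting step above, reviewing WebVPN logs for requests with an unusual prefix, can be turned into a simple triage script. The following is an added example, not code from Cisco Talos or the original article: because the implant's actual prefix is not published here, it flags any request whose leading path segment is not on an allowlist of expected WebVPN paths and groups the hits by prefix, source and method. The record format, the sample lines and the `/zq7-example-prefix/` value are constructed for illustration; the allowlist is an assumed baseline to adapt to your own appliance's known-good traffic.

```python
import re
from collections import defaultdict

# Constructed sample access records (not real Cisco ASA/FTD log output), in the
# form "<source-ip> <method> <request-path>"; two use an unexpected prefix.
SAMPLE_LOG = """\
10.0.0.5 GET /+CSCOE+/logon.html
10.0.0.5 POST /+webvpn+/index.html
10.0.0.7 GET /+CSCOE+/portal.html
10.0.0.9 GET /+CSCOE+/logon.html
198.51.100.23 POST /+CSCOE+/logon.html
203.0.113.17 POST /zq7-example-prefix/handler
10.0.0.7 GET /+webvpn+/webvpn_logout.html
203.0.113.17 POST /zq7-example-prefix/handler
"""

# Leading path segments legitimate WebVPN traffic normally uses (assumed
# baseline; extend it from your own appliance's known-good traffic).
KNOWN_PREFIXES = {"/+CSCOE+/", "/+webvpn+/"}

LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>/\S*)$")

def parse_lines(text):
    """Parse the constructed record format into dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def leading_prefix(path):
    """First path segment with its slashes, e.g. '/+CSCOE+/logon.html' -> '/+CSCOE+/'."""
    parts = path.split("/", 2)
    return f"/{parts[1]}/" if len(parts) > 1 and parts[1] else "/"

def unknown_prefix_summary(records, known_prefixes=KNOWN_PREFIXES):
    """Group requests whose leading prefix is not allowlisted.

    Returns {prefix: {"count": n, "sources": [...], "methods": [...]}} so the
    analyst can triage rare prefixes (and the hosts sending them) first.
    """
    hits = defaultdict(lambda: {"count": 0, "sources": set(), "methods": set()})
    for r in records:
        prefix = leading_prefix(r["path"])
        if prefix in known_prefixes:
            continue
        hits[prefix]["count"] += 1
        hits[prefix]["sources"].add(r["src"])
        hits[prefix]["methods"].add(r["method"])
    return {p: {"count": e["count"], "sources": sorted(e["sources"]),
                "methods": sorted(e["methods"])} for p, e in hits.items()}
```

Feed it your exported WebVPN access records (after mapping them to the three-field format) and start with prefixes seen from few sources or only via POST, since the implant executes shellcode attached to matching requests and forwards everything else untouched.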

Strategic Significance

This campaign underscores a persistent and growing trend: nation-state APT groups are systematically targeting network security appliances — firewalls, VPN gateways, and remote access tools — as their primary initial access vector. These devices process all network traffic, rarely receive timely security updates, and often lack robust endpoint detection capabilities. Organizations should prioritize patching network perimeter devices as a top security priority and should assume that any unpatched Cisco Firepower device may already be compromised.
