Threat actor UAT-4356, the same group behind the 2024 ArcaneDoor espionage operation, is exploiting two critical zero-day vulnerabilities in Cisco Firepower devices to deploy a sophisticated custom backdoor named FIRESTARTER in a state-sponsored campaign.
UAT-4356, also tracked as Storm-1849, is a state-sponsored advanced persistent threat (APT) group with a demonstrated focus on infiltrating perimeter network infrastructure for long-term espionage.
The group first gained widespread attention in April 2024, when the ArcaneDoor campaign was attributed to it: a campaign specifically designed to breach government and telecommunications networks by targeting Cisco ASA and FTD firewalls.
In 2026, UAT-4356 escalated its operations by weaponizing known vulnerabilities in Cisco’s Firepower eXtensible Operating System (FXOS) to deploy a powerful new implant.
Vulnerabilities: CVE-2025-20333 and CVE-2025-20362
The attack chain relies on chaining two critical vulnerabilities that, when combined, grant full device takeover.
- CVE-2025-20333: A buffer overflow vulnerability (CWE-120) in the web services component of Cisco Secure Firewall ASA and FTD. Successful exploitation via crafted HTTP requests delivers root-level remote code execution (RCE) on the affected device.
- CVE-2025-20362: A path traversal vulnerability stemming from a path normalization issue, functioning as a patch bypass for the older CVE-2018-0296. This flaw enables attackers to access restricted URLs without authentication, serving as the entry point for the exploit chain.
Both vulnerabilities were confirmed as exploited in the wild as zero-days and were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CISA’s KEV entry explicitly confirms that CVE-2025-20362 can be chained with CVE-2025-20333 to achieve full compromise.
FIRESTARTER Backdoor
Once initial access is established, UAT-4356 deploys FIRESTARTER, a sophisticated malicious implant designed to operate covertly inside the LINA process, a core component of Cisco’s ASA and FTD appliances running FXOS. FIRESTARTER enables remote access, arbitrary code execution, and long-term persistence on compromised devices.
UAT-4356 establishes persistence by manipulating the CSP_MOUNT_LIST (Cisco Service Platform mount list), which controls programs executed during the device boot sequence. FIRESTARTER monitors for runlevel 6 (the device reboot signal) and, upon detection, writes itself to a backup location at /opt/cisco/platform/logs/var/log/svc_samcore.log and updates the CSP_MOUNT_LIST to copy itself back to /usr/bin/lina_cs for re-execution.
Critically, this persistence mechanism is transient; a hard reboot (power disconnection) removes the implant from disk. When FIRESTARTER re-executes after a graceful reboot, it restores the original CSP_MOUNT_LIST and wipes its own traces, making forensic detection significantly more challenging.
Code Injection and Shellcode Execution
FIRESTARTER performs process injection into the LINA process by scanning its memory for a specific byte sequence (0x1, 0x2, 0x3, 0x4, 0x5) and locating an executable memory range within the shared library libstdc++.so. It then:
- Copies Stage 2 shellcode to the last 0x200 bytes of that memory region
- Overwrites an internal data structure to replace a legitimate WebVPN XML handler function pointer with the address of the malicious Stage 2 shellcode
- Monitors incoming WebVPN request XML data for custom magic-byte prefixes that signal an executable payload
- Executes the payload in memory if the prefix matches; otherwise, forwards traffic to the original handler to avoid detection
This XML-based covert channel design demonstrates a high level of operational sophistication, allowing UAT-4356 to blend malicious commands with legitimate network traffic.
Researchers identified significant technical overlaps between FIRESTARTER and RayInitiator’s Stage 3 shellcode, including shared loading mechanisms, handler-function replacement logic, XML magic-byte parsing, and payload execution methodology.
This overlap suggests that FIRESTARTER is either an evolution of or closely derived from the same codebase used in prior UAT-4356 operations.
Detection Indicators
Security teams should immediately inspect Cisco Firepower devices for the following Indicators of Compromise (IOCs):
- File present at /usr/bin/lina_cs
- File present at /opt/cisco/platform/logs/var/log/svc_samcore.log
- The shell command show kernel process | include lina_cs returning any output
- Snort rules 65340 and 46897 for CVE-2025-20333 and CVE-2025-20362, respectively
- Snort rule 62949 for FIRESTARTER detection
- ClamAV signature: Unix.Malware.Generic-10059965-0
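The host-side indicators above can be checked in one pass. The following POSIX shell helper is an added example written for this article; it is not code from Cisco, Talos, or the original report, and the function and argument names are the author's own. It takes a filesystem root (the live device shell, or the mount point of an acquired image), a saved copy of the show kernel process output, and optionally a saved clamscan log, and prints one line per indicator it finds.

```shell
#!/bin/sh
# Added triage helper (not from the article, Cisco, or Talos): checks a device
# or a mounted image for the FIRESTARTER indicators listed in the article.
# Function and argument names are hypothetical choices of the example author.
#
#   firestarter_triage ROOT PROC_OUT [CLAM_OUT]
#     ROOT      filesystem root to inspect: "/" in an FTD expert shell, or the
#               mount point of an acquired disk image
#     PROC_OUT  file holding saved output of `show kernel process`
#     CLAM_OUT  optional file holding saved clamscan output
#
# Prints one "IOC: ..." line per indicator found and always returns 0, so the
# caller decides how to act on the findings.

firestarter_triage() {
    ft_root="${1%/}"   # strip a trailing slash so "/" + "/usr/bin/..." joins cleanly
    ft_proc="$2"
    ft_clam="$3"

    # 1. Implant on disk: the running copy and its reboot-survival backup.
    for ft_path in /usr/bin/lina_cs \
                   /opt/cisco/platform/logs/var/log/svc_samcore.log; do
        if [ -e "${ft_root}${ft_path}" ]; then
            printf 'IOC: file present %s\n' "$ft_path"
        fi
    done

    # 2. Implant running: same test as `show kernel process | include lina_cs`.
    #    "lina_cs" does not match the legitimate "lina" process name.
    if [ -n "$ft_proc" ] && grep -q 'lina_cs' "$ft_proc" 2>/dev/null; then
        printf 'IOC: lina_cs present in kernel process list\n'
    fi

    # 3. ClamAV hit on the signature named in the article.
    if [ -n "$ft_clam" ] && grep -q 'Unix.Malware.Generic-10059965-0' "$ft_clam" 2>/dev/null; then
        printf 'IOC: ClamAV signature Unix.Malware.Generic-10059965-0 matched\n'
    fi
    return 0
}
```

Run it before any reboot: the persistence mechanism described above survives only a graceful reboot, so a hard power cycle would destroy the on-disk evidence the first two checks rely on. An empty result does not clear a device, because Snort rule hits and reimaging per the advisory are still the authoritative path.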
Mitigation and Remediation
Cisco has issued a formal Security Advisory with the following recommended actions:
- Apply the software upgrades listed in the advisory immediately
- Reimage affected devices; this is the definitive remediation for a FIRESTARTER infection
- On Cisco FTD devices not in lockdown mode, kill the lina_cs process and reload: run sudo kill -9 $(pidof lina_cs) followed by reboot
- Organizations may open a Cisco TAC support request for guided remediation
- Reference Emergency Directive ED 25-03 for additional organizational guidance
- Snort Subscriber Rule Set customers should download the latest rule pack from Snort.org
FAQ
Q1: What is the FIRESTARTER backdoor?
FIRESTARTER is a custom malicious implant deployed by UAT-4356 that injects itself into Cisco’s LINA process to execute arbitrary shellcode via covert WebVPN XML requests on compromised Firepower devices.
Q2: Which Cisco products are affected by CVE-2025-20333 and CVE-2025-20362?
Both vulnerabilities affect Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) software running on FXOS-based platforms.
Q3: How does UAT-4356 maintain persistence after a device reboot?
UAT-4356 manipulates the CSP_MOUNT_LIST to re-execute FIRESTARTER on graceful reboot, though a hard power-off removes the implant entirely since the mechanism is transient.
Q4: Is there a connection between FIRESTARTER and the 2024 ArcaneDoor campaign?
Yes, Cisco Talos attributes both campaigns to UAT-4356 (Storm-1849), with FIRESTARTER sharing significant code-level overlaps with RayInitiator’s Stage 3 shellcode from the ArcaneDoor operation.
Site: thecybrdef.com