Hackers Exploit Cisco Firepower Devices Using N-Day Vulnerabilities to Gain Unauthorized Access

A state-sponsored threat actor tracked as UAT-4356 is actively exploiting known vulnerabilities in Cisco Firepower devices to gain unauthorized access and deploy a sophisticated custom backdoor.

The campaign leverages two n-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, impacting Cisco’s Firepower eXtensible Operating System (FXOS).

Unlike zero-day attacks, these exploits rely on already disclosed and patched flaws. However, organizations that failed to apply updates remain vulnerable, allowing attackers to compromise systems without advanced exploit development.

UAT-4356 has previously been linked to the ArcaneDoor espionage campaign, which targeted perimeter network devices globally in early 2024, highlighting its continued focus on critical infrastructure.

FIRESTARTER Backdoor Enables Stealthy Access

Following successful exploitation, the attackers deploy a custom-built implant named FIRESTARTER, as detailed in a Cisco Talos advisory published on April 23, 2026.

The malware operates by injecting malicious shellcode directly into the LINA process, a core component of Cisco ASA and Firepower Threat Defense (FTD) appliances.

This allows attackers to execute arbitrary commands on compromised devices.

FIRESTARTER replaces a legitimate WebVPN XML handler in memory with a malicious Stage 2 shellcode handler.

When a specially crafted WebVPN request containing specific “magic bytes” is received, the backdoor activates and executes silently.

Normal traffic is forwarded to the legitimate handler, enabling the malware to remain undetected during routine operations.

Researchers noted strong similarities between FIRESTARTER and RayInitiator’s Stage 3 shellcode, suggesting shared tooling or collaboration among advanced threat actors.

The malware uses a clever persistence technique by modifying Cisco’s CSP_MOUNT_LIST configuration, which controls processes executed during system boot.

During a graceful reboot, FIRESTARTER copies itself to /opt/cisco/platform/logs/var/log/svc_samcore.log and re-launches via /usr/bin/lina_cs. However, the implant does not survive a hard power reboot, making a physical restart a temporary mitigation step.

This approach allows attackers to maintain access across reboots while minimizing detection.

Administrators are advised to monitor affected devices for the following indicators:

  • Suspicious files at /usr/bin/lina_cs or /opt/cisco/platform/logs/var/log/svc_samcore.log
  • Unusual output from the command: show kernel process | include lina_cs
  • Detection via ClamAV signature: Unix.Malware.Generic-10059965-0
  • Snort rules 62949, 65340, and 46897 are associated with exploitation and payload activity
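The file and process indicators in that list can be checked offline once the relevant output has been collected from a device. The following Python helper is an added example, not code from the article or from Cisco Talos; it assumes a defender already has the saved text of `show kernel process` and a listing of which paths exist on the appliance (for instance from a support bundle), and it matches both against the indicators quoted above. The process listing and path lists inside it are constructed sample data, not real device output.

```python
"""Triage helper for the FIRESTARTER indicators listed above.

Added example, not part of the article or of Cisco Talos tooling. It assumes
the defender has already collected two things from an FTD/ASA device:
  * the text output of `show kernel process`
  * a listing of which filesystem paths exist (e.g. from a support bundle)
and wants to check both against the published indicators offline.
"""
from dataclasses import dataclass

# Indicator paths quoted in the Cisco Talos advisory (as reported above).
IOC_PATHS = (
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
)
# Process name the advisory tells administrators to grep for.
IOC_PROCESS = "lina_cs"


@dataclass(frozen=True)
class Finding:
    kind: str      # "file" or "process"
    evidence: str  # the path or the matching process line


def find_process_lines(show_kernel_process_output: str, name: str = IOC_PROCESS) -> list[str]:
    """Equivalent of `show kernel process | include lina_cs`, run over saved output."""
    return [ln.rstrip() for ln in show_kernel_process_output.splitlines() if name in ln]


def triage(show_kernel_process_output: str, existing_paths) -> list[Finding]:
    """Return every indicator match; an empty list means nothing from the list was seen."""
    present = set(existing_paths)
    findings = [Finding("file", p) for p in IOC_PATHS if p in present]
    findings += [Finding("process", ln) for ln in find_process_lines(show_kernel_process_output)]
    return findings


# Constructed sample data: a ps-style listing in the spirit of `show kernel process`
# (the real column layout is device-specific) plus path listings from a clean and
# an affected device.
SAMPLE_CLEAN_PROCS = """\
  PID  PPID  CMD
    1     0  /sbin/init
  842     1  /asa/bin/lina
"""
SAMPLE_HIT_PROCS = SAMPLE_CLEAN_PROCS + " 1311     1  /usr/bin/lina_cs\n"
SAMPLE_CLEAN_PATHS = ["/asa/bin/lina", "/var/log/messages"]
SAMPLE_HIT_PATHS = SAMPLE_CLEAN_PATHS + ["/opt/cisco/platform/logs/var/log/svc_samcore.log"]


def demo() -> tuple[list[Finding], list[Finding]]:
    """Run the triage over the constructed clean and affected samples."""
    return triage(SAMPLE_CLEAN_PROCS, SAMPLE_CLEAN_PATHS), triage(SAMPLE_HIT_PROCS, SAMPLE_HIT_PATHS)


if __name__ == "__main__":
    clean, hit = demo()
    print("clean device:", clean or "no indicators")
    for f in hit:
        print(f"affected device: {f.kind} -> {f.evidence}")
```

A hit on either indicator is a reason to preserve the device state before the reload or reimage the article recommends, since the implant lives in memory and in the copied log file rather than in the running configuration; an empty result only means these specific indicators were absent, not that the device is clean.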

Cisco strongly recommends applying the latest security patches outlined in its official advisory to prevent exploitation.

Organizations with compromised systems should reimage affected devices for complete remediation.

For non-lockdown FTD systems, administrators can terminate the lina_cs process and reload the device as a mitigation step.

Additionally, CISA’s Emergency Directive ED 25-03 provides further guidance for federal and enterprise environments.

This campaign underscores the ongoing risk posed by unpatched systems, where threat actors increasingly exploit known vulnerabilities to achieve persistent and stealthy access.


The post Hackers Exploit Cisco Firepower Devices Using N-Day Vulnerabilities to Gain Unauthorized Access appeared first on Cyber Security News.

