INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Firestarter Exploits Cisco Firewall Vulnerabilities
2026-04-24 20:34 | MEDIUM | HIGH
Executive Summary (AI-generated)
The threat actor behind Firestarter, a custom backdoor designed to persist on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software, is assessed to be a nation-state group. The activity has been attributed to UAT-4356, the actor behind the ArcaneDoor cyberespionage campaign, which also targeted Cisco perimeter devices.
Technical Mitigations (AI-generated)
* Run `show kernel process | include lina_cs` on Firepower and Secure Firewall devices running ASA or FTD. Per Cisco's guidance, any output from this command indicates that the Firestarter implant is present on the device.
* Reimage and upgrade affected devices to the fixed releases listed in Cisco's advisory. Cisco gives separate upgrade paths for compromised and non-compromised devices, so establish the device's status before choosing one.
* Apply the published YARA rules (e.g. the "Firestarter" and "Line Viper" rules) to a disk image or core dump taken from the device to identify compromise.
* Cold restart compromised devices as part of remediation. Firestarter survives standard reboots, firmware updates and security patches, so a reimage followed by a cold restart may be needed to remove it.
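The two host-level indicators above (a `lina_cs` kernel process and a backdoor ELF parked under a `.log` path) can be checked offline against captured CLI output and a mounted disk image. The script below is an added triage example, not code from Cisco, CISA/NCSC or this page. It assumes a plain process-table layout for `show kernel process` output (the real column set may differ) and uses constructed sample data; the only path taken from the text is `/opt/cisco/platform/logs/var/log/svc_samcore.log`.

```python
"""Offline triage for two Firestarter host indicators named in the text.

Assumptions (not from the original page): `show kernel process` output is a
whitespace-separated table with the command in the last column, and a genuine
.log file never begins with the ELF magic. All sample data is constructed.
"""
import os
import re
import tempfile
from typing import Dict, List

# Path the text names for the stored copy of the backdoor ELF.
SUSPECT_ELF_PATH = "opt/cisco/platform/logs/var/log/svc_samcore.log"
ELF_MAGIC = b"\x7fELF"
# Match lina_cs as a whole command name, not lina or lina_csd (assumed indicator).
LINA_CS_RE = re.compile(r"(^|[\s/])lina_cs(\s|$)")


def find_lina_cs(show_output: str) -> List[str]:
    """Lines of `show kernel process` output naming lina_cs.

    Equivalent to `show kernel process | include lina_cs`; any hit is the
    compromise indicator Cisco's guidance keys on.
    """
    return [ln for ln in show_output.splitlines() if LINA_CS_RE.search(ln)]


def is_elf(head: bytes) -> bool:
    """True if the first four bytes are the ELF magic."""
    return head[:4] == ELF_MAGIC


def elf_disguised_as_logs(root: str) -> List[str]:
    """Walk a mounted image at `root`; report .log files that are really ELF.

    Each hit is a candidate for a YARA pass with the published rules.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".log"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if is_elf(head):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_image(root: str) -> None:
    """Constructed fake filesystem: one benign log, one ELF hidden as a log."""
    files = {
        "opt/cisco/platform/logs/var/log/messages.log": b"Apr 24 20:34 svc_sam: started\n",
        SUSPECT_ELF_PATH: ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57,
        "usr/bin/lina": ELF_MAGIC + b"\x02\x01\x01",  # legitimate binary, not a .log
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> Dict[str, List[str]]:
    """Run both checks on constructed input and return the findings."""
    sample_show = (  # constructed, layout assumed
        "PID   PPID  USER  COMMAND\n"
        "1     0     root  /sbin/init\n"
        "2214  1     root  /usr/bin/lina\n"
        "2301  1     root  /usr/bin/lina_cs\n"
    )
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        elf_hits = elf_disguised_as_logs(root)
    return {"lina_cs": find_lina_cs(sample_show), "elf_logs": elf_hits}


if __name__ == "__main__":
    print(demo())
```

Both findings are independent: a device can show the `lina_cs` process without the stored copy being readable from the image, and vice versa, so treat either hit as grounds for the compromised-device upgrade path and a TAC case.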
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
ArcaneDoor
CVE-2025-20362
CVE-2025-20333
Target & Sectors
NORTH_AMERICA
Incident Timeline
early 2024
UAT-4356 conducted the ArcaneDoor campaign against Cisco network perimeter devices.
organisation: Censys; target_region: China
Censys noted it found evidence of multiple major Chinese networks and Chinese-developed anti-censorship software during its investigation into the early 2024 attacks.
tactic: Espionage; campaign: ArcaneDoor
In early 2024, Cisco Talos attributed ArcaneDoor, a state-sponsored campaign focused on gaining access to network perimeter devices for espionage, to UAT-4356.
at least late 2025
Threat actors used Firestarter, a custom backdoor, to target Cisco network security devices.
source_region: United Kingdom
A state-sponsored hacking group has implanted a custom backdoor on Cisco network security devices that can survive firmware updates and standard reboots, U.S. and British cybersecurity authorities disclosed Thursday, marking a significant escalation in a campaign that has targeted government and critical infrastructure networks since at least late 2025.
September 2025
Firestarter persists by modifying the CSP_MOUNT_LIST boot/mount file: a copy of the backdoor ELF is stored at /opt/cisco/platform/logs/var/log/svc_samcore.log and, through the modified mount list, exposed and run as /usr/bin/lina_cs.
malware: Firestarter
Next, the ELF binary for the Firestarter backdoor is deployed for persistence, allowing the threat actor to regain access when needed.
This is done through a mechanism in which Firestarter hooks into LINA by modifying an XML handler and injecting shellcode into memory, creating a controlled execution path.
Line Viper is used to establish VPN sessions and access all configuration details, including administrative credentials, certificates, and private keys on compromised Firepower devices.
Once Firestarter nests on a device, it maintains persistence across reboots, firmware updates, and security patches.
early September 2025
Threat actors exploited a known vulnerability in the Cisco firewall software against targets before the affected agency had applied security patches.
2026/04/24
UAT-4356 exploited vulnerabilities in the ASA and FTD software running on Cisco Firepower devices to gain initial entry.
organisation: National Cyber Security Centre
The Cybersecurity and Infrastructure Security Agency and the United Kingdom's National Cyber Security Centre jointly published a malware analysis report identifying the backdoor, code-named Firestarter.
Cisco's patches addressed two vulnerabilities, CVE-2025-20333, a remote code execution flaw in the VPN web server component, and CVE-2025-20362, an unauthorized access vulnerability, that UAT-4356 exploited to gain initial entry.
The following Snort rules cover CVE-2025-20333 and CVE-2025-20362: 65340, 46897.
Firestarter allows attackers to achieve persistence by manipulating the Cisco Service Platform mount list, a configuration file that governs which programs execute during the device's boot sequence.
From there, the malware injects malicious shellcode into LINA, the core networking and firewalling code of Cisco's Adaptive Security Appliance and Firepower Threat Defense software.
Talos noted that Firestarter shares significant technical similarities with a previously documented implant called RayInitiator, suggesting the tools share a common origin or development history within UAT-4356's arsenal.
The FIRESTARTER backdoor
FIRESTARTER is a malicious backdoor implanted by UAT-4356 that allows remote access and control to execute arbitrary code inside the LINA process, a core component of Cisco's ASA and FTD appliances running FXOS.
FIRESTARTER considerably overlaps with the technical capabilities of RayInitiator's Stage 3 shellcode, which processes incoming XML-based payloads to endpoint APIs.
The persistence mechanism affects a broad range of Cisco hardware, including the Firepower 1000, 2100, 4100, and 9300 series, as well as the Secure Firewall 1200, 3100, and 4200 series.
organisation: CyberScoop; Cisco Technical Assistance
A Cisco spokesperson told CyberScoop that customers needing assistance should contact Cisco Technical Assistance for support.
UAT-4356's Targeting of Cisco Firepower Devices
Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices' Firepower eXtensible Operating System (FXOS).
Customers are advised to refer to Cisco's Security Advisory for mitigation and detection guidance, indicators of compromise (IOCs), affected products, and applicable software upgrade recommendations.
Persistence
UAT-4356 established persistence for FIRESTARTER on compromised devices by manipulating the mount list for Cisco Service Platform (CSP), namely "CSP_MOUNT_LIST", to execute FIRESTARTER.
Injecting and activating the malicious shellcode in LINA
FIRESTARTER first reads the LINA process' memory to search for and verify the presence of the (long) values 0x1, 0x2, 0x3, 0x4, 0x5 at specific locations in memory.
The malicious shellcode is triggered as part of the authentication API's request handling and parses the incoming request data for magic markers signifying an executable payload.
Organizations impacted can initiate a TAC request for Cisco support.
The following ClamAV signatures detect this threat:
Unix.
Generic-10059965-0
Intelligence Sources
CyberScoop, 2026-04-23
Talos Intelligence, 2026-04-23: UAT-4356's Targeting of Cisco Firepower Devices
BleepingComputer, 2026-04-24
Last Updated: 2026-04-27T06:08