Hackers Exploiting Cisco Firepower Devices\u2019 Using n-day Vulnerabilities to Gain Unauthorized Access
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
State-sponsored threat actors are actively targeting Cisco Firepower devices<\/a> by chaining known vulnerabilities to deploy a highly customized backdoor.<\/p>\n Cisco Talos recently discovered that the espionage-focused threat group UAT-4356 is exploiting two n-day vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, to infiltrate Firepower Extensible Operating System (FXOS)<\/a> environments.<\/p>\n UAT-4356 previously orchestrated the ArcaneDoor campaign, which successfully targeted network perimeter devices to conduct widespread espionage.<\/p>\n In this latest campaign, attackers leverage their initial access to install \u201cFIRESTARTER,\u201d an advanced implant that grants unauthorized remote control over compromised networks.<\/p>\n The FIRESTARTER backdoor embeds itself deep within the core components of Cisco\u2019s ASA and FTD appliances<\/a>. The malware specifically targets the LINA process, allowing attackers to execute arbitrary shellcode directly in the device\u2019s memory.<\/p>\n To establish a foothold, UAT-4356 manipulates the device\u2019s boot sequence by altering the Cisco Service Platform mount list. Interestingly, this persistence mechanism remains entirely transient and only triggers during a graceful reboot.<\/p>\n When the device processes a standard termination signal, FIRESTARTER copies itself to a backup log file. It updates the mount list to guarantee re-execution.<\/p>\n Once the malicious payload <\/a>restarts, it cleans up its tracks by restoring the original mount list and deleting temporary files.<\/p>\n Because the malware heavily relies on runlevel states, administrators can completely eradicate the implant by performing a hard reboot, such as physically disconnecting the hardware from its power source.<\/p>\n During the infection phase, FIRESTARTER meticulously scans the LINA process\u2019s memory for specific byte markers and an executable memory range associated with the shared library framework.<\/p>\n After locating the appropriate environment, the malware copies its secondary shellcode into memory and overwrites a legitimate internal data structure.<\/p>\n This process successfully replaces a standard WebVPN XML handler<\/a> function with the attacker\u2019s malicious routine. FIRESTARTER then actively intercepts incoming WebVPN requests.<\/p>\n If an incoming request matches a specific custom prefix, the malware immediately executes the attached shellcode. If the data lacks the required prefix, FIRESTARTER quietly forwards the request to the original handler to evade suspicion.<\/p>\n Analysts note that this sophisticated loading mechanism shares substantial technical overlap with RayInitiator\u2019s deployment tactics.<\/p>\n Security teams should proactively hunt for FIRESTARTER infections, as Cisco Talos Intelligence advises<\/a> checking for artifact files and unusual processes to prevent further espionage activity.<\/p>\n Organizations should take the following steps to secure their infrastructure:<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Exploiting Cisco Firepower Devices\u2019 Using n-day Vulnerabilities to Gain Unauthorized Access<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMalicious Payload Execution<\/strong><\/h2>\n
Detection and Mitigation<\/strong><\/h2>\n
\n