Hackers are exploiting Cisco Firepower devices by chaining older flaws to deploy the FIRESTARTER backdoor
State-backed hackers are actively targeting Cisco Firepower devices by chaining two known, already-patched flaws to gain unauthorized access and install a stealthy backdoor called FIRESTARTER. Cisco Talos says the activity is tied to UAT-4356, the same espionage-focused group previously linked to ArcaneDoor, and that the attacks hit devices running Cisco Firepower eXtensible Operating System, or FXOS.
The two vulnerabilities at the center of the campaign are CVE-2025-20333 and CVE-2025-20362. Cisco Talos says the attackers used those n-day flaws to get in, then deployed FIRESTARTER to execute arbitrary code inside the LINA process, a core component of Cisco ASA and FTD appliances.
This matters because the malware gives attackers remote control inside a critical network security product. Talos also says FIRESTARTER closely overlaps with RayInitiator Stage 3 shellcode, which adds weight to the view that this is part of a mature espionage playbook aimed at perimeter infrastructure rather than a quick smash-and-grab campaign.
How the Cisco FIRESTARTER attack works
Talos says FIRESTARTER embeds itself deep in the device and hijacks normal request handling inside the LINA process. The implant looks for specific WebVPN XML requests and, when it sees a custom prefix, executes the attached shellcode directly in memory. If the traffic does not match that pattern, it passes the request to the legitimate handler, which helps the malware stay hidden.
To persist on the box, the attackers manipulate Cisco Service Platform mount settings during a graceful reboot. Talos says the malware writes itself to a backup log location, updates the mount list so it can restore itself to /usr/bin/lina_cs, then removes traces after the reboot finishes.
That persistence method has one unusual weakness. Talos says the mechanism is transient and depends on reboot runlevels, so a hard reboot, such as fully disconnecting power, can remove the implant from the device. That does not replace broader cleanup, but it does give defenders a concrete containment detail.
What Cisco and CISA are saying
Cisco Talos is telling customers to follow Cisco’s security advisory, especially the software upgrade guidance for affected products. Talos also says impacted organizations can open a TAC case with Cisco for support, and that reimaging mitigates FIRESTARTER infections on all affected devices.
On FTD systems that are not in lockdown mode, Talos says defenders also have another cleanup option: kill the lina_cs process and then reboot the device. That guidance comes directly from Cisco Talos and gives administrators a faster response path when a full reimage cannot happen immediately.
CISA has now elevated the incident as well. Its updated Emergency Directive 25-03 says CVE-2025-20333 enables remote code execution, CVE-2025-20362 enables privilege escalation, and the FIRESTARTER malware report provides more detail about the threat and response steps. CISA also published a separate alert warning that advanced persistent threat actors exploited the two flaws in Cisco ASA, including Firepower and Secure Firewall products.
At a glance
| Item | Details |
|---|---|
| Threat actor | UAT-4356 |
| Malware | FIRESTARTER |
| Targeted products | Cisco Firepower devices running FXOS, including ASA and FTD components |
| Exploited flaws | CVE-2025-20333 and CVE-2025-20362 |
| Main effect | Unauthorized access and arbitrary code execution inside LINA |
| Persistence method | CSP mount list manipulation during graceful reboot |
| Key cleanup note | Hard reboot can remove the transient implant |
| Detection rules | Snort 65340 and 46897 for the flaws, 62949 for FIRESTARTER |
Source basis: Cisco Talos, Cisco advisory references, and CISA updates.
Detection and mitigation steps
- Hunt for suspicious `lina_cs` process activity on the device. Talos specifically points defenders to `show kernel process | include lina_cs`.
- Check for the files `/usr/bin/lina_cs` and `/opt/cisco/platform/logs/var/log/svc_samcore.log`, which Talos says may indicate FIRESTARTER activity.
- Reimage affected devices where possible. Talos says that mitigates FIRESTARTER on all affected devices.
- On FTD software outside lockdown mode, kill `lina_cs` and reboot as Cisco Talos recommends.
- Apply Cisco’s recommended software upgrades for affected releases.
- Deploy Snort rules 65340 and 46897 for exploitation attempts and rule 62949 for FIRESTARTER activity. Talos also lists ClamAV signature `Unix.Malware.Generic-10059965-0`.
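The hunt steps above can be scripted against captured device output. The following is an added example, not Cisco or Talos tooling: it checks a saved `show kernel process` capture and a file listing for the process name and file paths Talos names. The samples are constructed, and the column layout (PID first, command last) is an assumption about the capture format, not taken from the advisory.

```python
"""Triage helper (added example, not Cisco Talos tooling): scan captured
device output for the FIRESTARTER artifacts named in the Talos write-up."""
from typing import Dict, List

# Artifacts named by Cisco Talos.
SUSPECT_PROCESS = "lina_cs"
SUSPECT_FILES = (
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
)

# Constructed sample of a `show kernel process` capture. The real column
# layout on the device may differ; the parser only assumes a header row,
# PID in the first column and the command in the last (assumption).
SAMPLE_PROCESS_OUTPUT = """\
PID   PPID  USER   CMD
1     0     root   init
512   1     root   /usr/bin/lina
640   512   root   /usr/bin/lina_cs
700   1     root   sshd
"""

# Constructed sample of a file listing captured from the device.
SAMPLE_FILE_LISTING = """\
/usr/bin/lina
/usr/bin/lina_cs
/opt/cisco/platform/logs/var/log/svc_samcore.log
/var/log/messages
"""


def find_suspect_processes(output: str) -> List[Dict[str, str]]:
    """Rows whose command contains lina_cs, like `| include lina_cs`,
    but keeping PID and PPID so the parent (here lina) is visible."""
    hits = []
    for line in output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 2 and SUSPECT_PROCESS in cols[-1]:
            hits.append({"pid": cols[0], "ppid": cols[1], "cmd": cols[-1]})
    return hits


def find_suspect_files(listing: str) -> List[str]:
    """Return the Talos-named paths that appear in the captured listing."""
    present = {p.strip() for p in listing.splitlines() if p.strip()}
    return [f for f in SUSPECT_FILES if f in present]


def triage(proc_output: str, file_listing: str) -> Dict[str, object]:
    procs = find_suspect_processes(proc_output)
    files = find_suspect_files(file_listing)
    return {"processes": procs, "files": files, "suspect": bool(procs or files)}
```

A hit on either artifact is a trigger for the advisory's response path (reimage, or kill `lina_cs` and reboot where lockdown mode is not in use), not proof of compromise on its own.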
FAQ
FIRESTARTER is a custom backdoor that Cisco Talos says UAT-4356 deployed on vulnerable Cisco Firepower devices after exploiting two known vulnerabilities. It allows remote access and arbitrary code execution inside the LINA process.
The campaign uses CVE-2025-20333 and CVE-2025-20362. CISA says the first allows remote code execution and the second allows privilege escalation.
Yes, but only for this specific transient persistence method. Cisco Talos says a hard reboot can effectively remove the implant because the persistence chain depends on a graceful reboot path.
Start with Cisco’s advisory guidance, hunt for the listed artifacts, apply upgrades, and treat any confirmed infection as a serious perimeter compromise. Talos says reimaging is the broadest mitigation, while CISA has also elevated the matter through Emergency Directive 25-03.