UAT-4356 Exploits Cisco Firepower Devices with Persistent Backdoor Firestarter

Severity: High (Score: 78.0)

Sources: Cyberscoop, Gbhackers, censys.com, Blog.Talosintelligence, sec.cloudapps.cisco.com

Summary

UAT-4356, a state-sponsored hacking group, has been exploiting two n-day vulnerabilities in Cisco firewall software, CVE-2025-20333 and CVE-2025-20362, to deploy a custom backdoor tracked as Firestarter. The backdoor is built to survive software upgrades and standard reboots, so the attackers keep access to a compromised device after it has been patched. The Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre issued warnings after Firestarter was discovered on U.S. federal agency devices.

Firestarter persists by manipulating the Cisco Service Platform (CSP) mount list, which is why an ordinary upgrade or reboot does not clear it and why the sources describe removal as difficult without a hard reboot. Cisco Talos has linked UAT-4356 to the earlier ArcaneDoor espionage campaign. Affected products are Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

The fixes Cisco released in September 2025 address the two vulnerabilities, but applying them does not remove Firestarter from a device that was compromised before patching, since the backdoor survives the upgrade. That gap is what prompted urgent audits of Cisco firewall infrastructure across federal agencies.

Key Points:
  • UAT-4356 exploits CVE-2025-20333 and CVE-2025-20362 to deploy the Firestarter backdoor.
  • Firestarter persists by manipulating the Cisco Service Platform mount list and survives upgrades and standard reboots.
  • CISA has mandated audits of Cisco firewalls across federal agencies in response to this threat.
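Because the persistence mechanism described above lives in a mount list rather than in a patched binary, the audit a practitioner wants is a comparison of the device's current mount entries against a known-good capture. The script below is an added illustration of that baseline-diff approach; it is not code from Cisco, Talos or any of the sources listed, and the line format it parses (mountpoint, source, filesystem type, options), the sample paths and the device names are all constructed for the example. Actual evidence collection on ASA/FTD devices should follow Cisco's and CISA's published guidance; this only shows how to turn two captured lists into a list of findings.

```python
"""Baseline comparison of a firewall platform's mount list.

Added illustration, not code from Cisco, Talos or the sources cited on this
page. The line format (mountpoint source fstype options) is hypothetical; the
real CSP mount list is device-specific, so feed parse_mount_list whatever
export your platform produces and adjust the field split to match.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: a known-good mount list captured from a freshly
# imaged device (hypothetical paths and block devices).
BASELINE_MOUNTS = """\
# mountpoint          source               fstype  options
/                     /dev/root            ext4    ro
/ngfw                 /dev/sda2            ext4    rw
/mnt/disk0            /dev/sda3            vfat    rw
"""

# Constructed sample: the same list pulled from a device under review.
# The extra bind mount overlays a system binary directory with a directory
# on writable storage, the kind of change that outlives upgrades and reboots.
CURRENT_MOUNTS = """\
# mountpoint          source               fstype  options
/                     /dev/root            ext4    rw
/ngfw                 /dev/sda2            ext4    rw
/mnt/disk0            /dev/sda3            vfat    rw
/ngfw/usr/local/bin   /mnt/disk0/.sys/bin  none    bind
"""

# Entries are keyed by (mountpoint, source) so that a second mount stacked on
# an existing path shows up as ADDED rather than silently replacing the original.
MountKey = Tuple[str, str]


@dataclass(frozen=True)
class MountEntry:
    mountpoint: str
    source: str
    fstype: str
    options: str

    def describe(self) -> str:
        return f"{self.source} {self.fstype} {self.options}"


def parse_mount_list(text: str) -> Dict[MountKey, MountEntry]:
    """Parse whitespace-separated mount lines into a dict keyed by (mountpoint, source).

    Blank lines and '#' comments are skipped; any other malformed line raises,
    because an entry that is quietly dropped is exactly what an attacker wants.
    """
    entries: Dict[MountKey, MountEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed mount line: {raw!r}")
        mountpoint, source, fstype, options = parts
        entries[(mountpoint, source)] = MountEntry(mountpoint, source, fstype, options)
    return entries


def diff_mounts(baseline: Dict[MountKey, MountEntry],
                current: Dict[MountKey, MountEntry]) -> List[str]:
    """Return one finding per entry that was added, changed or removed."""
    findings: List[str] = []
    for key, entry in current.items():
        base = baseline.get(key)
        if base is None:
            findings.append(f"ADDED   {entry.mountpoint}: {entry.describe()}")
        elif base != entry:
            findings.append(
                f"CHANGED {entry.mountpoint}: {base.describe()} -> {entry.describe()}")
    for key, base in baseline.items():
        if key not in current:
            findings.append(f"MISSING {base.mountpoint}: {base.describe()}")
    return findings


def audit_sample() -> List[str]:
    """Run the comparison on the constructed samples above."""
    return diff_mounts(parse_mount_list(BASELINE_MOUNTS),
                       parse_mount_list(CURRENT_MOUNTS))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run against the samples it reports the root filesystem flipping from read-only to read-write and the added bind mount over a binary directory; a clean device produces no findings. The baseline must come from a trusted image, not from the device being examined, since a compromised device's "baseline" would already contain the implant's entries.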

Key Entities

  • Malware (attack_type)
  • ArcaneDoor (apt_group)
  • Cisco (company)
  • Cybersecurity and Infrastructure Security Agency (company)
  • National Cyber Security Centre (company)
  • Talos (company)
  • China (country)
  • CVE-2025-20333 (cve)
  • CVE-2025-20362 (cve)
  • CWE-287 - Improper Authentication (cwe)
  • Government (industry)
  • Firestarter (malware)
  • LINE VIPER (malware)
  • RayInitiator (malware)
  • T1055 - Process Injection (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • T1547 - Boot Or Logon Autostart Execution (mitre_attack)
  • Cisco Adaptive Security Appliance (platform)
  • Cisco Firepower (platform)
  • Cisco Firepower FXOS (platform)
  • Firepower Threat Defense (platform)
  • FXOS (platform)