On April 23, 2026, Cisco and CISA jointly disclosed that UAT-4356 has developed a previously unknown persistence mechanism embedded in the Cisco Firepower eXtensible Operating System (FXOS) – one that survives software upgrades to the fixed releases published in September 2025.
Severity: Critical
Exploited Vulnerabilities (Initial Access)
| CVE | Description | Impact |
| --- | --- | --- |
| CVE-2025-20333 | VPN Web Server Remote Code Execution | Remote code execution |
| CVE-2025-20362 | VPN Web Server Unauthorized Access | Privilege escalation |
Both were exploited as n-day vulnerabilities against devices that had not yet patched to the September 2025 fixed releases.
Malware: Firestarter Backdoor
- Deployment: Injected into LINA, the core process of Cisco ASA/FTD appliances running FXOS.
- Persistence Mechanism:
  - Manipulates the Cisco Service Platform's CSP_MOUNT_LIST to execute FIRESTARTER during device boot sequences
  - Triggers on graceful reboot (runlevel 6); writes itself to /opt/cisco/platform/logs/var/log/svc_samcore.log and re-registers in CSP_MOUNT_LIST to copy itself back to /usr/bin/lina_cs
  - On re-injection into LINA, cleans up traces by restoring the original CSP_MOUNT_LIST and removing its files from disk
  - Survives software upgrades and standard reboots; only a hard power cycle (cold restart) removes it temporarily
- Backdoor Capabilities:
  - Executes arbitrary shellcode delivered via crafted WebVPN request XML
  - Replaces a legitimate LINA handler function with a malicious one using a hardcoded memory offset
  - Checks incoming traffic for custom magic bytes/prefix; if matched, executes the embedded shellcode in memory; otherwise passes the traffic to the original handler (covert operation)
  - Significant technical overlap with RayInitiator's Stage 3 shellcode
Affected Platforms
- Vulnerable (regardless of configuration):
  - Firepower 1000, 2100, 4100, 9300 Series
  - Secure Firewall 1200, 3100, 4200 Series
- Not Affected:
  - ASA 5500-X Series, Secure Firewall 200/6100 Series, ASA Virtual, ISA3000, FTD Virtual
Indicators Of Compromise (IoC)
| Process Check (Primary IoC) | Files on Disk |
| --- | --- |
| `show kernel process \| include lina_cs` | /usr/bin/lina_cs |
| Any output = device compromised | /opt/cisco/platform/logs/var/log/svc_samcore.log |
Recommendations
- Identify every Cisco Firepower and Secure Firewall device in your environment, specifically the Firepower 1000, 2100, 4100, 9300 and Secure Firewall 1200, 3100, 4200 Series.
- On the affected devices, patching alone does not remove the FIRESTARTER implant. Reimaging is mandatory for confirmed compromised devices; then upgrade to the appropriate fixed release.
- On Cisco FTD software that is not in lockdown mode, kill the lina_cs process (`sudo kill -9 $(pidof lina_cs)`), then reload.
- On every affected ASA and FTD device, check for the presence of the above-mentioned IoCs. If compromise is confirmed, keep the device powered on, disconnect it from the network immediately, and engage IR/forensics.
- Temporary mitigation until reimaging can be performed:
  - Physically unplug the device's power supply (cold restart)
  - Do not use the shutdown, reboot, or reload CLI commands, as these are insufficient
  - Note: Disconnecting device power risks disk/database corruption; reimaging is strongly preferred if a compromise is suspected.
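A fleet triage script built from the platform lists and IoCs above (an added example, not Cisco or CISA tooling). It assumes you have already collected each device's model string and a raw capture of the `show kernel process | include lina_cs` command; the hostnames, model inventory and captures below are constructed. One caveat it handles: a capture that echoes the CLI command itself contains the string lina_cs and must not be counted as a hit.

```python
import re
from dataclasses import dataclass, field

# Series the advisory lists as affected regardless of configuration, by family.
AFFECTED_SERIES = {"Firepower": {1000, 2100, 4100, 9300},
                   "Secure Firewall": {1200, 3100, 4200}}
# File-on-disk indicators named in the advisory.
IOC_FILES = {"/usr/bin/lina_cs", "/opt/cisco/platform/logs/var/log/svc_samcore.log"}
_MODEL_RE = re.compile(r"^(Firepower|Secure Firewall)\s+(\d{4})", re.I)

@dataclass
class DeviceEvidence:
    name: str
    model: str            # e.g. "Firepower 2110" (hypothetical inventory field)
    process_output: str   # raw capture of: show kernel process | include lina_cs
    files_present: set = field(default_factory=set)

def is_affected_platform(model: str) -> bool:
    """Reduce a model number to its series (2110 -> 2100) and look it up."""
    m = _MODEL_RE.match(model.strip())
    if not m:
        return False  # ASA 5500-X, virtual appliances, ISA3000 etc. fall out here
    return int(m.group(2)) // 100 * 100 in AFFECTED_SERIES[m.group(1).title()]

def lina_cs_hits(process_output: str) -> list[str]:
    """Lines of the capture that show a lina_cs process. The echoed CLI
    command itself contains 'lina_cs' and must not count as a hit."""
    hits = []
    for line in (l.strip() for l in process_output.splitlines()):
        if line and "show kernel process" not in line and re.search(r"\blina_cs\b", line):
            hits.append(line)
    return hits

def triage(dev: DeviceEvidence) -> str:
    """NOT_AFFECTED / AFFECTED_NO_IOC (upgrade) / COMPROMISED (isolate, IR, reimage)."""
    if not is_affected_platform(dev.model):
        return "NOT_AFFECTED"
    if lina_cs_hits(dev.process_output) or dev.files_present & IOC_FILES:
        return "COMPROMISED"
    return "AFFECTED_NO_IOC"

# Constructed sample captures and inventory; not real device output.
CLEAN_CAPTURE = "fw# show kernel process | include lina_cs\nfw#"
HIT_CAPTURE = "fw# show kernel process | include lina_cs\n  5123  root  /usr/bin/lina_cs\n"
FLEET = [
    DeviceEvidence("fw-edge-1", "Firepower 2110", HIT_CAPTURE, {"/usr/bin/lina_cs"}),
    DeviceEvidence("fw-edge-2", "Secure Firewall 3110", CLEAN_CAPTURE),
    DeviceEvidence("fw-lab", "ASA 5516-X", CLEAN_CAPTURE),
]

if __name__ == "__main__":
    for d in FLEET:
        print(f"{d.name:10} {d.model:22} {triage(d)}")
```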
Sources:
- https://blog.talosintelligence.com/uat-4356-firestarter/
- https://www.cisa.gov/news-events/analysis-reports/ar26-113a
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03
- https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices