FIRESTARTER backdoor hits Cisco Firepower via FXOS n-day

UAT-4356 exploited FXOS n-day flaws CVE-2025-20333 and CVE-2025-20362 to install the FIRESTARTER backdoor in the LINA process on Cisco Firepower ASA and FTD devices.

Cisco Talos reported on April 23, 2026 that the actor tracked as UAT-4356 exploited two FXOS n-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to gain access to Cisco Firepower appliances and deploy a backdoor named FIRESTARTER. The implant runs inside the LINA process on ASA and FTD devices and provides remote code execution and persistent access.

FIRESTARTER injects into LINA and replaces a WebVPN XML handler with a routine that inspects incoming authentication requests for a specific byte-pattern prefix. When the prefix is present, the routine executes shellcode embedded in the XML payload. The loader scans process memory for specific markers and locates an “r-xp” memory range for libstdc++.so, writes a Stage 2 shellcode payload into the last 0x200 bytes of that region, and redirects a legitimate handler pointer to run the malicious code during normal request processing.

The implant establishes transient persistence by modifying the Cisco Service Platform mount list entry CSP_MOUNT_LIST. During a graceful reboot or when the system runlevel indicates a reboot (runlevel 6), FIRESTARTER copies itself to /opt/cisco/platform/logs/var/log/svc_samcore.log, updates CSP_MOUNT_LIST to copy the file back to /usr/bin/lina_cs and execute it, then restores the original mount list and removes the trojan copy after activation. Because persistence depends on the graceful-reboot trigger, a hard power-cycle or full reimage removes the implant.

Detection guidance points to the filenames /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log and to process listings that include a lina_cs entry. Administrators can run show kernel process | include lina_cs to check for a running implant. Cisco’s advisory and CISA’s update to Emergency Directive ED 25-03 list fuller indicators of compromise and detection steps.
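As an added example (not Cisco's or Talos's code), the following script checks saved show kernel process output and a list of file paths against the two filenames and the process name listed above; the process-listing column layout and the sample rows are assumptions, not a real device capture:

```python
"""Triage helper for the FIRESTARTER indicators in the article (added example,
not Cisco's or Talos's code). The process-listing column layout is assumed."""
from dataclasses import dataclass, field

# Indicators as given in the article text.
IMPLANT_PROCESS = "lina_cs"
IMPLANT_PATHS = (
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
)

@dataclass
class Findings:
    processes: list = field(default_factory=list)  # (pid, command) pairs
    files: list = field(default_factory=list)      # matching paths

    def suspicious(self) -> bool:
        return bool(self.processes or self.files)

def parse_process_listing(text: str) -> list:
    """Return (pid, command) rows; assumes PID in the first column, command last."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header, blank or unparseable line
        rows.append((int(parts[0]), parts[-1]))
    return rows

def triage(process_listing: str, file_paths) -> Findings:
    """Match saved 'show kernel process' output and a path list against the IoCs."""
    f = Findings()
    for pid, cmd in parse_process_listing(process_listing):
        # Exact basename match so the legitimate lina process is not flagged.
        if cmd.rsplit("/", 1)[-1] == IMPLANT_PROCESS:
            f.processes.append((pid, cmd))
    f.files = sorted(p for p in file_paths if p in IMPLANT_PATHS)
    return f

# Constructed sample output, not from a real device.
SAMPLE_PS = """\
PID   PPID  STAT  CMD
1     0     S     /sbin/init
1374  1     S     /usr/bin/lina
1411  1374  S     /usr/bin/lina_cs
"""
SAMPLE_FILES = ["/usr/bin/lina", "/usr/bin/lina_cs",
                "/opt/cisco/platform/logs/var/log/svc_samcore.log"]

if __name__ == "__main__":
    print(triage(SAMPLE_PS, SAMPLE_FILES))
```

A listing that shows only the legitimate lina process and none of the two paths yields no findings, so a plain substring search for "lina" would over-report where this exact-name check does not.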

Cisco Talos recommends following Cisco’s software upgrade and patch guidance for CVE-2025-20333 and CVE-2025-20362 and opening a TAC request if compromise is suspected. A full reimage will mitigate an infection. On FTD appliances not in lockdown mode, operators can kill the lina_cs process and reload the device using the following command sequence:

expert
$ sudo kill -9 $(pidof lina_cs)
$ exit
$ reload

Open-source Snort rule updates cover the CVEs (rules 65340 and 46897) and rule 62949 addresses FIRESTARTER activity; ClamAV signatures such as Unix.Malware.Generic-10059965-0 detect related files.

Talos noted that FIRESTARTER’s loading methods, XML parsing, handler replacement and final payload execution overlap with behaviors observed in RayInitiator’s Stage 3 shellcode. Talos previously linked a state-sponsored campaign called ArcaneDoor to UAT-4356 in early 2024.
