State-linked UAT-4356 injects FIRESTARTER into Cisco FXOS

Cisco Talos reported UAT-4356 exploited CVE-2025-20333 and CVE-2025-20362 to deploy a FIRESTARTER backdoor that injects code into the LINA process on Firepower FXOS devices.

On April 23, 2026 Cisco Talos reported that a state-linked actor identified as UAT-4356 exploited two known FXOS vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to install a backdoor called FIRESTARTER on Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS).

FIRESTARTER injects code into the LINA process, a core component of ASA and FTD appliances, and replaces a legitimate XML handler with a malicious routine. The routine checks incoming WebVPN XML requests for a specific prefix; when the prefix is present, the payload that follows it is executed directly in memory as shellcode.

The implant establishes transient persistence by modifying the Cisco Service Platform mount list entry CSP_MOUNT_LIST to arrange execution during graceful reboots. On detecting runlevel 6, FIRESTARTER copies itself to /opt/cisco/platform/logs/var/log/svc_samcore.log, updates the mount list to recreate /usr/bin/lina_cs at boot, then runs. After activation the implant restores the original mount list and deletes the trojanized files, so a hard power-cycle that bypasses the graceful reboot path can remove the implant from disk.

During injection the tool searches LINA process memory for a specific byte sequence and an executable memory range belonging to libstdc++.so. It writes a Stage 2 payload to the last 0x200 bytes of that region and overwrites an internal pointer so the authentication API’s XML handler dispatches to the malicious code. If the required markers are absent the request is handled normally.

Cisco Talos provided detection guidance that notes two brittle but practical indicators: the presence of the files /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log, and any output at all from the command show kernel process | include lina_cs. The Talos advisory also points to a Cisco security advisory and CISA's update to Emergency Directive 25-03 for fuller indicators of compromise, mitigation steps and software upgrade recommendations.
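The two indicators above can be checked offline against artifacts already collected from a device. The following triage helper is an added example, not Talos or Cisco code: it takes captured output of the show kernel process command, a file listing, and the text of the CSP_MOUNT_LIST entry (whose exact on-disk format is assumed here, not documented on this page) and reports which FIRESTARTER indicators match.

```python
"""Triage helper matching collected FXOS artifacts against the FIRESTARTER
indicators published by Cisco Talos (implant file paths, the lina_cs process,
and a mount list entry that would recreate lina_cs at boot)."""
import re

# Indicator values quoted from the Talos guidance.
IOC_FILES = {
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
}
MOUNT_LIST_KEY = "CSP_MOUNT_LIST"   # entry the implant edits for reboot survival


def check_process_output(lines):
    """Return every captured line of `show kernel process | include lina_cs`
    that really names lina_cs (Talos: any output is an indicator)."""
    return [ln.strip() for ln in lines if re.search(r"\blina_cs\b", ln)]


def check_file_listing(paths):
    """Return the known implant file paths that are present in the listing."""
    return sorted(IOC_FILES & set(paths))


def check_mount_list(mount_list_text):
    """Flag mount list lines that reference the implant binary or its staged
    copy. The key/value layout assumed here is a placeholder format."""
    hits = []
    for ln in mount_list_text.splitlines():
        if MOUNT_LIST_KEY in ln and ("lina_cs" in ln or "svc_samcore.log" in ln):
            hits.append(ln.strip())
    return hits


def triage(process_lines, paths, mount_list_text):
    """Combine the three checks; 'suspicious' is True if any indicator matched."""
    findings = {
        "process": check_process_output(process_lines),
        "files": check_file_listing(paths),
        "mount_list": check_mount_list(mount_list_text),
    }
    findings["suspicious"] = any(findings[k] for k in ("process", "files", "mount_list"))
    return findings


# Constructed sample artifacts (not real device output).
SAMPLE_PROCESS_OUTPUT = ["  1234   1 root  /usr/bin/lina_cs"]
SAMPLE_PATHS = ["/usr/bin/lina", "/usr/bin/lina_cs",
                "/opt/cisco/platform/logs/var/log/svc_samcore.log"]
SAMPLE_MOUNT_LIST = "CSP_MOUNT_LIST=/opt/cisco/platform/logs/var/log/svc_samcore.log:/usr/bin/lina_cs\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PROCESS_OUTPUT, SAMPLE_PATHS, SAMPLE_MOUNT_LIST))
```

A clean result does not clear a device: the implant deletes its on-disk copies after activation and a hard power-cycle removes them too, so pair these checks with the Snort and ClamAV coverage and Cisco's advisory.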

Remediation options include applying Cisco's recommended software updates, opening a TAC request for affected customers, or reimaging infected devices to remove FIRESTARTER. On FTD devices not in lockdown mode, administrators can terminate the lina_cs process and reboot to clear the transient implant. Signature-based detections are available: Snort rules covering CVE-2025-20333 and CVE-2025-20362 are 65340 and 46897, a FIRESTARTER rule is 62949, and ClamAV detects the malware as Unix.Malware.Generic-10059965-0.

Talos previously linked UAT-4356 to the ArcaneDoor campaign in early 2024 and noted technical overlaps between FIRESTARTER and artifacts associated with the RayInitiator toolset.
