Cisco SD-WAN Vulnerability Exploitation Continues

Executive Summary: Cisco Talos has released a new threat report on the ongoing exploitation of Cisco Catalyst SD‑WAN vulnerabilities, focusing on the UAT‑4356 actor group. The report details how the group leverages two n‑day CVEs (CVE‑2025‑20333 and CVE‑2025‑20362) to compromise Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). The compromised devices are then instrumented with a custom backdoor named FIRESTARTER, which provides the attacker with persistent, remote code execution capabilities inside the core LINA process.

Threat Actor: UAT‑4356 is a state‑sponsored campaign that has been active since early 2024. It is closely linked to the ArcaneDoor espionage operation and is known for targeting perimeter network devices to exfiltrate sensitive information. The group is adept at exploiting zero‑day and low‑severity vulnerabilities to gain footholds in corporate networks.

Vulnerabilities Exploited: The report highlights two specific CVEs that allow unauthenticated remote code execution in Cisco’s WebVPN service:

  • CVE‑2025‑20333 – A buffer overflow in the WebVPN XML parsing routine that can be triggered via a crafted request.
  • CVE‑2025‑20362 – A similar overflow that is triggered by malformed XML payloads targeting the same code path.

Backdoor Mechanics – FIRESTARTER: The backdoor follows a three‑stage architecture that closely mirrors the RayInitiator Stage 3 shellcode. Its primary functions are:

  • Persistence – FIRESTARTER manipulates the CSP_MOUNT_LIST to ensure execution on boot. It writes a temporary copy of itself to /opt/cisco/platform/logs/var/log/svc_samcore.log and updates the mount list to copy itself to /usr/bin/lina_cs during a graceful reboot. A hard reboot removes the implant, but the actor can re‑infect the device.
  • Injection – The backdoor scans the LINA process memory for specific byte patterns (0x1, 0x2, 0x3, 0x4, 0x5). Once located, it identifies an r‑xp region containing libstdc++.so and copies the Stage 2 shellcode into the last 0x200 bytes of that region.
  • Execution – The injected shellcode replaces the legitimate WebVPN XML handler pointer. When a WebVPN request containing a magic prefix arrives, the shellcode parses the payload and executes any arbitrary code embedded after the prefix. This allows the attacker to run any shellcode received over the network.

Detection Indicators: Analysts should look for the following artifacts, which serve as low‑level indicators of compromise (IOCs):

<

ul>

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading