Executive Summary: Cisco Talos has released a new threat report on the ongoing exploitation of Cisco Catalyst SD‑WAN vulnerabilities, focusing on the UAT‑4356 actor group. The report details how the group leverages two n‑day CVEs (CVE‑2025‑20333 and CVE‑2025‑20362) to compromise Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). The compromised devices are then instrumented with a custom backdoor named FIRESTARTER, which provides the attacker with persistent, remote code execution capabilities inside the core LINA process.
Threat Actor: UAT‑4356 is a state‑sponsored campaign that has been active since early 2024. It is closely linked to the ArcaneDoor espionage operation and is known for targeting perimeter network devices to exfiltrate sensitive information. The group is adept at exploiting zero‑day and low‑severity vulnerabilities to gain footholds in corporate networks.
Vulnerabilities Exploited: The report highlights two specific CVEs that allow unauthenticated remote code execution in Cisco’s WebVPN service:
- CVE‑2025‑20333 – A buffer overflow in the WebVPN XML parsing routine that can be triggered via a crafted request.
- CVE‑2025‑20362 – A similar overflow that is triggered by malformed XML payloads targeting the same code path.
Backdoor Mechanics – FIRESTARTER: The backdoor follows a three‑stage architecture that closely mirrors the RayInitiator Stage 3 shellcode. Its primary functions are:
- Persistence – FIRESTARTER manipulates the
CSP_MOUNT_LISTto ensure execution on boot. It writes a temporary copy of itself to/opt/cisco/platform/logs/var/log/svc_samcore.logand updates the mount list to copy itself to/usr/bin/lina_csduring a graceful reboot. A hard reboot removes the implant, but the actor can re‑infect the device. - Injection – The backdoor scans the
LINAprocess memory for specific byte patterns (0x1, 0x2, 0x3, 0x4, 0x5). Once located, it identifies anr‑xpregion containinglibstdc++.soand copies the Stage 2 shellcode into the last 0x200 bytes of that region. - Execution – The injected shellcode replaces the legitimate WebVPN XML handler pointer. When a WebVPN request containing a magic prefix arrives, the shellcode parses the payload and executes any arbitrary code embedded after the prefix. This allows the attacker to run any shellcode received over the network.
Detection Indicators: Analysts should look for the following artifacts, which serve as low‑level indicators of compromise (IOCs):
<
ul>

