UAT-4356's Targeting of Cisco Firepower Devices
ID: a9dc2cd8-20ac-5b97-88c2-aab129c1a838
STIX ID: report--a9dc2cd8-20ac-5b97-88c2-aab129c1a838
Feed Name: Cisco Talos
Cisco Talos documents active, state-linked exploitation of n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) in Cisco Firepower FXOS appliances by actor UAT-4356 to install the FIRESTARTER backdoor. The report details FIRESTARTER's persistence method, injection of stage shellcode into the LINA process, XML-based activation, IOCs (filenames and commands), and recommended mitigations including vendor patches, device reimaging, and detection signatures.
