Auto-CTI
CISCO TALOS BLOG

UAT-4356's Targeting of Cisco Firepower Devices

Tags: KEV, CRITICAL, Cisco, UAT-4356, CVE-2025-20333, CVE-2025-20362, Firepower

Strategic Summary

UAT-4356 is developing techniques for persisting on critical network devices; manufacturing companies should monitor for similar APT techniques against their own firewall infrastructure (Fortinet, Cisco).

Relevance for You

UAT-4356 is actively exploiting two zero-day vulnerabilities in Cisco Firepower devices to deploy the FIRESTARTER backdoor, indicating a targeted campaign against network security appliances.

Full Text

Thursday, April 23, 2026 11:10

Customers are advised to refer to Cisco’s Security Advisory for mitigation and detection guidance, indicators of compromise (IOCs), affected products, and applicable software upgrade recommendations.

UAT-4356 established persistence for FIRESTARTER on compromised devices by manipulating the mount list of the Cisco Service Platform (CSP), CSP_MOUNT_LIST, so that it executes FIRESTARTER. The mount list allows programs and commands to be executed as part of the device's boot sequence.

The persistence mechanism is triggered during a graceful reboot, i.e., when the process receives a termination signal. FIRESTARTER also checks whether the runlevel is 6 (device reboot); on a match it writes a copy of itself to the backup location "/opt/cisco/platform/logs/var/log/svc_samcore.log" and updates CSP_MOUNT_LIST to copy that file back to "/usr/bin/lina_cs" and execute it. When FIRESTARTER runs after the reboot, it restores the original CSP_MOUNT_LIST and removes the trojanized copy, so the on-disk artifacts exist only between the graceful shutdown and the next boot.

Because it is the runlevel change that sets up this transient persistence, a hard reboot (for example, after the device has been unplugged from power) never triggers the copy-out step, and the implant does not survive it. The converse also holds for defenders: a clean CSP_MOUNT_LIST on a running device does not by itself prove that the implant is absent, since the trojanized entries are written only at shutdown and removed again at the next start.
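The three artifacts described above (a trojanized CSP_MOUNT_LIST entry, an ELF binary parked under a ".log" name at the backup path, and the copied-back "/usr/bin/lina_cs") can be checked offline against an extracted Firepower filesystem. The following triage script is an added example, not code from Cisco or Talos, and it is no substitute for the detection guidance in Cisco's advisory. The format and location of CSP_MOUNT_LIST are not documented on this page, so the script treats it as a line-oriented text file at an assumed path (override `mount_list_rel` with the real one); the sample filesystem it builds is constructed for demonstration.

```python
"""Offline triage for the FIRESTARTER persistence pattern described above.
Added example, not code from Talos or Cisco. Run it against an extracted
Firepower filesystem (forensic image or support bundle).

Assumptions not stated on the page:
  * CSP_MOUNT_LIST is treated as a line-oriented text file and scanned for
    the artifact names the page gives; its real format and location are
    unknown here, so pass the actual path via mount_list_rel.
  * The sample tree built by build_sample_tree() is constructed test data.
"""
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Artifact paths named in the write-up (relative to the image root)
BACKUP_LOG = "opt/cisco/platform/logs/var/log/svc_samcore.log"
IMPLANT_PATH = "usr/bin/lina_cs"
# Hypothetical location of the mount list; adjust to the real device path
DEFAULT_MOUNT_LIST = "opt/cisco/platform/CSP_MOUNT_LIST"

# Names that have no business in a boot-time mount list
SUSPICIOUS_TOKENS = ("lina_cs", "svc_samcore.log")


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic; a '.log' that is ELF is the tell."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def triage(root: str, mount_list_rel: str = DEFAULT_MOUNT_LIST) -> dict:
    """Check an extracted filesystem for the three artifacts the page describes."""
    root_path = Path(root)
    result = {}

    mount_list = root_path / mount_list_rel
    if mount_list.is_file():
        text = mount_list.read_text(errors="replace")
        result["mount_list_hits"] = [
            line.strip() for line in text.splitlines()
            if any(tok in line for tok in SUSPICIOUS_TOKENS)
        ]
    else:
        result["mount_list_hits"] = None  # path assumption wrong or file absent

    backup = root_path / BACKUP_LOG
    result["backup_is_elf"] = backup.is_file() and is_elf(backup)

    implant = root_path / IMPLANT_PATH
    result["implant_present"] = implant.is_file()

    if result["mount_list_hits"] or result["backup_is_elf"]:
        result["verdict"] = "suspicious"
    elif result["implant_present"]:
        # The page does not say whether a benign lina_cs exists, so only flag for review
        result["verdict"] = "review"
    else:
        result["verdict"] = "clean"
    return result


def build_sample_tree(infected: bool) -> str:
    """Constructed sample image root (not real device contents)."""
    root = Path(tempfile.mkdtemp(prefix="fp_triage_"))
    mount_list = root / DEFAULT_MOUNT_LIST
    mount_list.parent.mkdir(parents=True, exist_ok=True)
    lines = ["/dev/sda1 /mnt/disk0 ext4 defaults 0 0"]  # benign placeholder entry
    if infected:
        # Hypothetical trojanized entry mirroring the copy-back-and-execute step
        lines.append("cp /opt/cisco/platform/logs/var/log/svc_samcore.log "
                     "/usr/bin/lina_cs && /usr/bin/lina_cs")
    mount_list.write_text("\n".join(lines) + "\n")

    backup = root / BACKUP_LOG
    backup.parent.mkdir(parents=True, exist_ok=True)
    elf_stub = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # minimal ELF ident bytes
    if infected:
        backup.write_bytes(elf_stub)
        implant = root / IMPLANT_PATH
        implant.parent.mkdir(parents=True, exist_ok=True)
        implant.write_bytes(elf_stub)
    else:
        backup.write_text("2026-04-23 11:10:00 samcore: service started\n")
    return str(root)


if __name__ == "__main__":
    for state in (False, True):
        print("infected" if state else "clean", triage(build_sample_tree(state)))
```

Because the artifacts are transient, image the device after a graceful shutdown (which is when the copy-out step runs) rather than after a power pull, and treat a "clean" verdict as absence of these specific artifacts only, not as proof that the device was never compromised.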


Mentioned CVEs

Risk Score: 100

CVSS base: 99.00
KEV bonus: 20.00
EPSS bonus: 0.00
PoC bonus: 0.00
Raw before weight: 119.00
Industry weight: 1.56
Freshness factor: 1.00
Days old: 0.00

Path: operational

MITRE ATT&CK Mapping

4 TTPs (confidence levels: high / medium / low)

Procedure Details

Technique | Tactic | Conf. | Source
Procedure

T1190 Exploit Public-Facing Application | Initial Access | high | llm
UAT-4356 exploited CVE-2025-20333 and CVE-2025-20362 in Cisco Firepower devices to gain initial access to targeted networks.

T1505.003 Web Shell | Persistence | high | llm
UAT-4356 deployed the FIRESTARTER backdoor on compromised Cisco Firepower devices to maintain persistent access, as documented in CISA's malware analysis report. FIRESTARTER is an on-device binary launched from the boot sequence rather than a web shell, so this sub-technique mapping is approximate.

T1542.004 ROMMONkit | Defense Evasion | medium | llm
UAT-4356 persisted FIRESTARTER across graceful reboots of Cisco Firepower devices by trojanizing the CSP_MOUNT_LIST boot-sequence mount list. The write-up describes no ROMMON or firmware modification, so this mapping is approximate.

T1133 External Remote Services | Persistence | medium | llm
UAT-4356 targeted Cisco Firepower edge devices, which are externally reachable by design as network security appliances, to maintain persistent footholds.