
Patched but Not Cured: FIRESTARTER Backdoor Survives Cisco Firewall Upgrades

Red | Attack Report
Summary

The UAT-4356 threat actor (also known as Storm-1849 and the operator behind the ArcaneDoor campaign) has deployed a sophisticated persistence backdoor called FIRESTARTER that targets Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense (FTD) Software, and Cisco Firepower eXtensible Operating System (FXOS) across government, critical infrastructure, and telecommunications organizations worldwide. First observed in September 2025 with active exploitation commencing in March 2026, the FIRESTARTER backdoor campaign represents a critical evolution in network appliance compromise techniques, as the malware survives firmware updates, security patches, and graceful reboots on compromised Cisco firewall devices.

UAT-4356 actors exploited two zero-day vulnerabilities, CVE-2025-20333 (Cisco Secure Firewall buffer overflow vulnerability) and CVE-2025-20362 (Cisco Secure Firewall missing authorization vulnerability), in the VPN web server of Cisco Secure Firewall ASA and FTD software to gain unauthenticated remote access and remote code execution as root on internet-facing devices. After initial compromise through these vulnerabilities, the UAT-4356 actors deployed the LINE VIPER user-mode shellcode loader to establish illegitimate VPN sessions and harvest device configuration, administrative credentials, certificates, and private keys from compromised Cisco firewalls.

Subsequently, UAT-4356 implanted FIRESTARTER, a Linux ELF backdoor that hooks into the LINA process on the Cisco firewall and modifies the Cisco Service Platform mount list (CSP_MOUNT_LIST) to maintain persistence across reboots and firmware upgrades. Critically, the FIRESTARTER backdoor survives firmware updates, security patches, and graceful reboots, allowing the UAT-4356 threat actor to retain access to compromised Cisco devices long after remediation actions are taken. The FIRESTARTER persistence mechanism intercepts graceful shutdown signals, copies itself to a secondary location, rewrites the Cisco Service Platform mount list to ensure re-execution on the next boot, then restores the original mount list after boot, leaving minimal forensic trace and enabling indefinite access to patched devices.

The FIRESTARTER backdoor operates in a dormant state, generating no outbound traffic, no log events, and no behavioral anomalies until activated by a crafted WebVPN authentication request containing a “magic packet” payload with embedded XML-based shellcode. This activation mechanism requires no re-exploitation of either CVE, meaning a fully patched Cisco device compromised before the patch window remains accessible indefinitely to UAT-4356 actors. Confirmed dwell time at one breached organization exceeded six months, and CISA issued advisory AR26-113A warning that patching is now necessary but insufficient: forensic hunting and complete device reimaging are required to evict the UAT-4356 threat actor from compromised Cisco firewall infrastructure.

Attack Details

UAT-4356 Threat Actor and FIRESTARTER Campaign Origins

A sophisticated state-sponsored threat actor tracked as UAT-4356, also known as Storm-1849 and the operator behind the ArcaneDoor campaign, has returned with an evolved attack chain targeting Cisco Secure Firewall ASA, Firepower Threat Defense, and Firepower platforms globally. The UAT-4356 threat actor specializes in long-term compromise of internet-facing perimeter devices for espionage purposes, exploiting the limited visibility and infrequent patching cycles typical of network appliances to maintain persistent access.

The 2026 evolution of the campaign introduces a previously undocumented backdoor, FIRESTARTER, which materially changes the threat landscape for any organization that operated exposed Cisco firewall infrastructure prior to September 2025. The FIRESTARTER backdoor represents a significant advancement in persistence techniques, as it survives standard remediation procedures, including firmware updates and security patches, that would typically eliminate malware from compromised network devices.

FIRESTARTER Initial Access Through CVE-2025-20333 and CVE-2025-20362

The FIRESTARTER attack chain begins with chained exploitation of CVE-2025-20333 (buffer overflow vulnerability) and CVE-2025-20362 (missing authorization vulnerability) against internet-facing WebVPN interfaces on Cisco Secure Firewall ASA and FTD devices, yielding unauthenticated remote code execution as root. Both vulnerabilities were zero-days at the time of exploitation and have since been added to the CISA Known Exploited Vulnerabilities catalog, confirming active exploitation by UAT-4356 threat actors in the wild.

Following successful exploitation, the UAT-4356 actor deploys LINE VIPER, a user-mode shellcode loader providing command execution, packet capture, credential theft, and bypass of authentication, authorization, and accounting (AAA) policies on compromised Cisco devices. On legacy Cisco devices, the RayInitiator bootkit is additionally deployed by UAT-4356 as a supplementary persistence mechanism. Across all supported Cisco platforms, the FIRESTARTER backdoor is dropped as the primary persistence implant following LINE VIPER deployment.

FIRESTARTER Persistence Mechanism and CSP_MOUNT_LIST Modification

FIRESTARTER is a Linux ELF binary that hooks the LINA process on Cisco firewalls to establish persistence. During graceful shutdown of the compromised Cisco device, FIRESTARTER intercepts the termination signal, copies itself to a secondary location on the device filesystem, and rewrites the Cisco Service Platform mount list (CSP_MOUNT_LIST) located at /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST to ensure re-execution on next boot. After the Cisco device boots, FIRESTARTER restores the original mount list configuration, leaving minimal forensic trace of the persistence mechanism.

This FIRESTARTER persistence routine survives reboots, reload commands, and firmware upgrades on Cisco ASA and FTD devices. Only a hard power cycle interrupts the FIRESTARTER persistence mechanism, and even that is not a recommended remediation approach due to data corruption risks on Cisco firewall devices. The FIRESTARTER persistence technique exploits the Cisco Service Platform architecture to maintain presence across software upgrades that would typically eliminate malware from network appliances.

FIRESTARTER Dormant Operation and Magic Packet Activation

Once installed on a compromised Cisco device, the FIRESTARTER backdoor lies dormant, generating no outbound traffic, no log events, and no behavioral anomalies that would alert security monitoring systems to the compromise. FIRESTARTER waits for a crafted WebVPN authentication request containing a “magic packet” payload, then parses the embedded XML-based shellcode and executes the UAT-4356 operator’s payload, typically redeploying LINE VIPER for hands-on-keyboard operations.

Critically, this FIRESTARTER re-entry path requires no re-exploitation of either CVE: a fully patched Cisco device compromised before the patch window remains accessible indefinitely to UAT-4356 actors through the magic packet activation mechanism. Confirmed dwell time at one breached organization exceeded six months, demonstrating the long-term persistence capabilities of the FIRESTARTER backdoor on Cisco firewall infrastructure. Patching CVE-2025-20333 and CVE-2025-20362 is now necessary but insufficient to evict UAT-4356 from compromised environments; forensic hunting and complete device reimaging are required to fully remove the FIRESTARTER backdoor.

Recommendations

Apply Cisco Fixed Software Releases for ASA and FTD

Upgrade all Cisco Secure Firewall ASA and FTD devices to the fixed software releases listed in Cisco’s security advisory for CVE-2025-20333 and CVE-2025-20362 to close the initial access vulnerabilities exploited by UAT-4356 actors to deploy FIRESTARTER backdoor. Devices that are not yet patched, or that were updated to a still-vulnerable software version, must be moved to the explicitly listed fixed releases in the Cisco security advisory to prevent new FIRESTARTER compromises.

Reimage Devices to Remove FIRESTARTER

It is strongly recommended that organizations reimage and upgrade any Cisco device suspected of compromise by FIRESTARTER backdoor. Reimaging is the only fully reliable method to remove the FIRESTARTER persistence mechanism on confirmed-compromised devices, and Cisco recommends reimaging for both compromised and non-compromised cases where devices were exposed to the internet during the vulnerability window. Standard patching and firmware upgrades will not remove FIRESTARTER backdoor from devices compromised prior to patch application.

Hard-Power-Cycle Compromised Devices When Reimage Is Not Immediately Possible

Physically unplug the affected Cisco device from all power sources (including redundant power supplies) for at least one minute to interrupt FIRESTARTER persistence. The shutdown, reboot, and reload CLI commands will not clear the in-memory FIRESTARTER implant — only complete power loss will interrupt the backdoor. This hard power cycle is a temporary mitigation; complete device reimaging must still follow to fully remove FIRESTARTER backdoor from compromised Cisco infrastructure.

Hunt for FIRESTARTER on Cisco ASA and Firepower Devices

Run show kernel process | include lina_cs on every Cisco ASA, Firepower, and Secure Firewall device in the environment. Any output from this command should be treated as a confirmed FIRESTARTER compromise. Also inspect the Cisco device disk for the files /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log, noting that UAT-4356 attackers can rename these FIRESTARTER artifacts to evade detection, so the absence of these files does not by itself clear a device. Organizations should also hunt for modifications to /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST and /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp as indicators of FIRESTARTER persistence mechanism deployment.
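The following script is an added example, not part of this advisory and not code from Cisco, Talos, or CISA. It applies the hunting steps above (and the file-path and detection-command IoCs listed later in this report) to evidence an analyst has already collected from a device and saved as text: the output of show kernel process | include lina_cs, a listing of file paths found on disk, and the live CSP_MOUNT_LIST alongside a baseline copy taken from a known-good image. The format of the show kernel process output and the contents of CSP_MOUNT_LIST are assumptions, and all sample inputs are constructed for demonstration. The verdict names (confirmed, suspicious, no-known-artifacts) are the example's own.

```python
from __future__ import annotations
from dataclasses import dataclass

# Artifacts named in the advisory. Their absence does not clear a device:
# the advisory notes that UAT-4356 can rename these files.
FIRESTARTER_FILE_PATHS = frozenset({
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
    "/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp",
})
MOUNT_LIST_PATH = "/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST"


@dataclass(frozen=True)
class Finding:
    severity: str  # "confirmed" or "suspicious"
    detail: str


def check_kernel_process(output: str) -> list[Finding]:
    """Per the advisory, any output from `show kernel process | include lina_cs`
    is a confirmed compromise. The echoed command line and blank lines are
    ignored so that the prompt itself does not trigger a finding."""
    findings = []
    for line in output.splitlines():
        if not line.strip() or "show kernel" in line:
            continue
        if "lina_cs" in line:
            findings.append(Finding("confirmed", f"lina_cs process present: {line.strip()}"))
    return findings


def check_file_paths(listing: list[str]) -> list[Finding]:
    """Flag any advisory-named artifact present in a disk listing."""
    present = FIRESTARTER_FILE_PATHS.intersection(listing)
    return [Finding("confirmed", f"known FIRESTARTER artifact on disk: {p}") for p in sorted(present)]


def check_mount_list(current: str, baseline: str) -> list[Finding]:
    """Line-based diff of the live CSP_MOUNT_LIST against a baseline captured
    from a known-good image. The advisory does not document the file format,
    so nothing beyond one entry per line is assumed."""
    cur = {ln.strip() for ln in current.splitlines() if ln.strip()}
    base = {ln.strip() for ln in baseline.splitlines() if ln.strip()}
    findings = [Finding("suspicious", f"{MOUNT_LIST_PATH} entry not in baseline: {e}") for e in sorted(cur - base)]
    findings += [Finding("suspicious", f"{MOUNT_LIST_PATH} baseline entry missing: {e}") for e in sorted(base - cur)]
    return findings


def triage(kernel_output: str, listing: list[str], mount_list: str, baseline: str) -> dict:
    """Combine the three checks into one verdict. A device with no findings is
    reported as 'no-known-artifacts', not 'clean', because renamed artifacts
    would not be caught by path matching."""
    findings = (check_kernel_process(kernel_output)
                + check_file_paths(listing)
                + check_mount_list(mount_list, baseline))
    if any(f.severity == "confirmed" for f in findings):
        verdict = "confirmed"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "no-known-artifacts"
    return {"verdict": verdict, "findings": findings}


# Constructed sample evidence (not real device output; format assumed).
SAMPLE_BASELINE_MOUNT_LIST = "mnt/disk0\nmnt/disk1\n"
SAMPLE_TAMPERED_MOUNT_LIST = SAMPLE_BASELINE_MOUNT_LIST + "usr/bin/lina_cs\n"
SAMPLE_KERNEL_OUTPUT_HIT = "asa# show kernel process | include lina_cs\n 2143  1  S  lina_cs\n"
SAMPLE_LISTING_HIT = ["/usr/bin/lina", "/usr/bin/lina_cs",
                      "/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp"]
SAMPLE_LISTING_CLEAN = ["/usr/bin/lina"]

if __name__ == "__main__":
    cases = {
        "compromised": (SAMPLE_KERNEL_OUTPUT_HIT, SAMPLE_LISTING_HIT,
                        SAMPLE_TAMPERED_MOUNT_LIST, SAMPLE_BASELINE_MOUNT_LIST),
        "mount list only": ("", SAMPLE_LISTING_CLEAN,
                            SAMPLE_TAMPERED_MOUNT_LIST, SAMPLE_BASELINE_MOUNT_LIST),
        "nothing found": ("", SAMPLE_LISTING_CLEAN,
                          SAMPLE_BASELINE_MOUNT_LIST, SAMPLE_BASELINE_MOUNT_LIST),
    }
    for label, args in cases.items():
        result = triage(*args)
        print(f"[{label}] verdict={result['verdict']}")
        for f in result["findings"]:
            print(f"  {f.severity}: {f.detail}")
```

The baseline comparison is the part that generalizes beyond the named paths: because FIRESTARTER rewrites the mount list and then restores it after boot, a capture taken during the shutdown window, or any unexplained entry relative to a golden image, is worth escalating even when /usr/bin/lina_cs is absent.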

MITRE ATT&CK TTPs

Initial Access

  • T1190: Exploit Public-Facing Application
  • T1133: External Remote Services

Defense Evasion

  • T1070: Indicator Removal
    • T1070.004: File Deletion
    • T1070.006: Timestomp
  • T1222: File and Directory Permissions Modification
  • T1564: Hide Artifacts
  • T1036: Masquerading
    • T1036.005: Match Legitimate Resource Name or Location
  • T1055: Process Injection
  • T1562: Impair Defenses
    • T1562.001: Disable or Modify Tools

Persistence

  • T1543: Create or Modify System Process
  • T1078: Valid Accounts
  • T1546: Event Triggered Execution
    • T1546.004: Unix Shell Configuration Modification
  • T1547: Boot or Logon Autostart Execution

Discovery

  • T1082: System Information Discovery
  • T1057: Process Discovery

Credential Access

  • T1552: Unsecured Credentials
    • T1552.001: Credentials In Files

Command and Control

  • T1219: Remote Access Software
  • T1071: Application Layer Protocol
    • T1071.001: Web Protocols

Execution

  • T1059: Command and Scripting Interpreter

Collection

  • T1005: Data from Local System

Indicators of Compromise (IoCs)

File Paths

  • /usr/bin/lina_cs
  • /opt/cisco/platform/logs/var/log/svc_samcore.log
  • /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST
  • /opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST.tmp

Detection Command

  • show kernel process | include lina_cs (Any output indicates confirmed compromise)

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03

https://www.cisa.gov/news-events/news/cisa-warns-firestarter-malware-targeting-cisco-asa-including-firepower-and-secure-firewall-products

https://www.cisa.gov/news-events/analysis-reports/ar26-113a

https://blog.talosintelligence.com/uat-4356-firestarter/

https://www.ncsc.govt.nz/alerts/firestarter-malware-affecting-cisco-asa-and-ftd/
