UAT-4356, FIRESTARTER, and the Cisco Firepower WebVPN Attack Chain

ninp0
7 days ago
5 min read

ABSTRACT

Cisco Talos disclosed on April 23, 2026 that UAT-4356 continues to actively target Cisco Firepower devices by abusing CVE-2025-20333 and CVE-2025-20362, then deploying the FIRESTARTER backdoor.

For defenders, the headline risk is not just initial intrusion. Cisco, Talos, and CISA all indicate that organizations may still be exposed after applying the original CVE patches if the actor implanted FIRESTARTER before remediation. That makes this campaign materially more dangerous than a one-time WebVPN bug: it is an intrusion set with a persistence playbook.

EXECUTIVE SUMMARY

Cisco describes CVE-2025-20333 as a critical remote code execution issue in the VPN web server of Cisco Secure Firewall ASA and FTD software. Cisco and public CVE/NVD references assign it a CVSS 9.9 score. The companion issue, CVE-2025-20362, is publicly described by Cisco as an unauthenticated access flaw for restricted remote access VPN endpoints and scored 6.5. Talos states UAT-4356 exploited both n-days in the wild to gain unauthorized access to vulnerable devices.

CISA’s updated V1 Emergency Directive 25-03 raises the operational stakes further: agencies are directed not only to patch, but also to perform core-dump hunting, apply the persistence-focused fixes, and conduct a hard reset because an ordinary reboot is not sufficient to expunge the malware. In practice, that means defenders should treat patching as necessary but not sufficient.

AFFECTED CONDITIONS

Public-facing Cisco Secure Firewall ASA or Cisco Secure FTD devices with VPN web services exposed are in scope for the original WebVPN vulnerabilities.
Cisco’s vulnerable configurations include SSL VPN (webvpn enable), AnyConnect IKEv2 remote access with client services, and Mobile User Security features that create the relevant SSL listen sockets.
Cisco’s event-response note says successful compromise in this campaign was observed on older ASA 5500-X models running 9.12 or 9.14 without Secure Boot and Trust Anchor protections.
CISA’s April 23, 2026 update expands hunting and remediation expectations to Firepower and Secure Firewall device families because FIRESTARTER persistence can survive post-patch if the device was compromised beforehand.

ATTACK CHAIN AND PERSISTENCE

The public vendor descriptions line up into a practical attack story. CVE-2025-20362 allows crafted HTTP requests to reach restricted WebVPN-related endpoints without authentication. CVE-2025-20333 then turns trusted or reachable VPN web functionality into root-level code execution on affected devices. Talos attributes the in-the-wild chaining of these bugs to UAT-4356.

Once on the device, FIRESTARTER hooks the LINA process, replaces a WebVPN-related handler, and parses XML-style request data for custom markers before executing in-memory shellcode. Talos and CISA both describe persistence that relies on manipulating CSP_MOUNT_LIST, storing copies of the implant as /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log, and re-establishing execution during graceful reboot paths. That is why hard power removal, reimage, or both become part of eviction guidance.

Cisco’s event-response documentation also notes a later attack variant that can trigger unexpected reloads on unpatched devices, creating an additional availability risk on top of confidentiality and integrity compromise. For operators running perimeter VPN services, that means this is both a breach and outage scenario.

BUSINESS IMPACT

Perimeter trust collapse: a compromised firewall can expose VPN sessions, policy decisions, traffic visibility, and control-plane access far beyond a single application bug.
Credential and secret exposure: CISA states actors using related tradecraft gained access to administrative credentials, certificates, and private keys stored on victim devices.
Post-patch residual risk: organizations that only installed the original CVE fixes may still harbor FIRESTARTER if the device was infected before remediation.
Operational disruption: Cisco observed a later attack variant capable of crashing or reloading unpatched devices, turning incident response into a business continuity event.

PUBLIC POC AND VALIDATION REFERENCES

At publication time, broad public weaponized exploit repositories for this Cisco activity appear limited. However, defenders do have concrete public validation and detection artifacts they can operationalize immediately:

ProjectDiscovery nuclei template for CVE-2025-20362 (auth-bypass validation logic): https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2025/CVE-2025-20362.yaml
SigmaHQ proxy rule for suspicious Cisco ASA exploitation activity tied to CVE-2025-20333 and CVE-2025-20362: https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules-emerging-threats/2025/Exploits/CVE-2025-20333/proxy_exploit_cve_2025_20333.yml
Cisco Talos states Snort rules 65340 and 46897 cover the CVE exploitation path and rule 62949 covers FIRESTARTER behavior: https://blog.talosintelligence.com/uat-4356-firestarter/
CISA’s FIRESTARTER malware analysis report provides YARA-driven detection guidance, malware functionality, and incident-response context: https://www.cisa.gov/news-events/analysis-reports/ar26-113a

ORIGINAL LAB-ONLY POC A: SAFE CVE-2025-20362 EXPOSURE CHECK

The following 0day Inc lab probe is intentionally defensive. It is derived from the public response markers used in the nuclei template and only checks whether a restricted WebVPN endpoint can be reached without authentication. Use it only against systems you own or are explicitly authorized to test.

import requests, sys, urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

base = sys.argv[1].rstrip("/")
url = base + "/+CSCOU+//../+CSCOE+/files/file_action.html?mode=upload&path=foo&server=srv&sourceurl=qaz"
headers = {"Content-Type": "application/x-www-form-urlencoded; boundary=ee"}
resp = requests.post(url, headers=headers, data="aabbccdd", verify=False, timeout=15)

if resp.status_code == 200 and "CSRF token mismatch" in resp.text and "Failed to upload file" in resp.text:
    print("[+] Restricted WebVPN endpoint reachable without authentication; investigate immediately.")
else:
    print(f"[-] Probe did not reproduce the known bypass signal (status={resp.status_code}).")

Interpretation: a 200 response that also contains both “CSRF token mismatch” and “Failed to upload file” suggests the restricted endpoint was reached without prior authentication, which is consistent with the public CVE-2025-20362 validation pattern. Treat any positive result as a trigger to isolate the asset, patch, and hunt for persistence rather than as permission to escalate testing.

ORIGINAL LAB-ONLY POC B: FIRESTARTER PERSISTENCE TRIAGE

The second 0day Inc PoC is a safe artifact-hunt script for a mounted disk image or offline forensic copy of an affected device. It looks for the filenames and mount-list artifacts Talos and CISA called out publicly.

#!/usr/bin/env bash
set -euo pipefail
ROOT="${1:-/mnt/firepower}"

hits=(
  "$ROOT/usr/bin/lina_cs"
  "$ROOT/opt/cisco/platform/logs/var/log/svc_samcore.log"
  "$ROOT/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST"
)

for hit in "${hits[@]}"; do
  [ -e "$hit" ] && echo "[HIT] $hit"
done

strings "$ROOT/opt/cisco/config/platform/rmdb/CSP_MOUNT_LIST" 2>/dev/null | grep -E "lina_cs|svc_samcore|CSP_MOUNT_LIST.tmp" || true

Interpretation: any hit on lina_cs, svc_samcore.log, or suspicious CSP_MOUNT_LIST contents should be treated as an immediate incident-response escalation point. A clean result is not proof of safety, but a positive result is highly actionable because it aligns with public FIRESTARTER persistence details.

MITIGATION PRIORITIES

Identify every internet-facing ASA, FTD, Firepower, and Secure Firewall platform running vulnerable WebVPN-capable software.
Collect core dumps or equivalent forensic artifacts before eviction when your response plan allows it, following CISA ED 25-03 guidance.
Apply the original CVE fixes for CVE-2025-20333 and CVE-2025-20362 and the newer persistence-focused fixed releases or hotfixes Cisco published for FIRESTARTER-related remediation.
Perform the vendor-recommended hard reset or full reimage path where applicable; do not assume a normal reboot removes the implant.
If compromise is suspected, treat the full device configuration as untrusted and rotate passwords, certificates, keys, and any downstream secrets exposed to the appliance.

REFERENCES

Cisco Talos: UAT-4356's Targeting of Cisco Firepower Devices — https://blog.talosintelligence.com/uat-4356-firestarter/
Cisco Advisory: CVE-2025-20333 — https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
Cisco Advisory: CVE-2025-20362 — https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
Cisco Event Response: Continued Attacks Against Cisco Firewalls — https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
Cisco Persistence Advisory / fixed-release guidance — https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03
CISA MAR: FIRESTARTER Backdoor — https://www.cisa.gov/news-events/analysis-reports/ar26-113a
CISA V1 ED 25-03 — https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
ProjectDiscovery nuclei template — https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2025/CVE-2025-20362.yaml
SigmaHQ exploitation rule — https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules-emerging-threats/2025/Exploits/CVE-2025-20333/proxy_exploit_cve_2025_20333.yml

Bottom line: the April 23 Cisco/FIRESTARTER item deserves priority because it is not merely another perimeter CVE. It is an actively exploited campaign against security infrastructure where patch status, persistence hunting, power-cycle discipline, and credential rotation all matter at the same time.