UAT-4356's Targeting of Cisco Firepower Devices
Strategic summary
UAT-4356 is developing techniques for persisting in critical network devices; manufacturing companies should monitor for similar APT techniques against their own firewall infrastructure (Fortinet, Cisco).
Full text
Title: UAT-4356's Targeting of Cisco Firepower Devices
URL Source: https://blog.talosintelligence.com/uat-4356-firestarter/
Published Time: 2026-04-23T15:10:57.000Z
# UAT-4356's Targeting of Cisco Firepower Devices
By [Cisco Talos](https://blog.talosintelligence.com/author/cisco/)
Thursday, April 23, 2026 11:10
[Threat Advisory](https://blog.talosintelligence.com/category/threat-advisory/)[Threats](https://blog.talosintelligence.com/category/threats/)[APT](https://blog.talosintelligence.com/category/apt/)
Cisco Talos is aware of [UAT-4356](https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/)'s continued [active targeting](https://cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices) of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS).
[… 5,981 characters omitted; next zone: keyword-dense paragraphs …]
For more comprehensive detection guidance, please refer to [Cisco’s Security Advisory here](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03). Please also refer to CISA’s update to V1: [Emergency Directive (ED) 25-03](https://cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices): Identify and Mitigate Potential Compromise of Cisco Devices and [FIRESTARTER Backdoor Malware Analysis Report](https://www.cisa.gov/news-events/analysis-reports/ar26-113a) for more information and guidance.
Customers are advised to refer to [Cisco’s Security Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03) for mitigation and detection guidance, indicators of compromise (IOCs), affected products, and applicable software upgrade recommendations.
UAT-4356 established persistence for FIRESTARTER on compromised devices by manipulating the mount list for Cisco Service Platform (CSP), namely “CSP_MOUNT_LIST”, to execute FIRESTARTER. The mount list allows programs and commands to be executed as part of the device’s boot sequence. The persistence mechanism triggers during graceful reboot (i.e., when a process termination signal is received). FIRESTARTER also checks the runlevel for value 6 (indicating device reboot) and, on a match, writes itself to the backup location “/opt/cisco/platform/logs/var/log/svc_samcore.log” and updates the CSP_MOUNT_LIST to copy itself back to “/usr/bin/lina_cs” and then be executed. When FIRESTARTER runs after a reboot, it restores the original CSP_MOUNT_LIST and removes the trojanized copy. Because the runlevel triggers establishment of this transient persistence mechanism, a hard reboot (for example, after the device has been unplugged from power) effectively removes the implant from the device.
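As an added defender-side example (not Cisco's or Talos's code), the following Python check turns the two artifacts named above into findings: a CSP_MOUNT_LIST entry that references the backup path or /usr/bin/lina_cs, and a file at the backup path that begins with an ELF header even though it carries a .log name. The on-disk location of CSP_MOUNT_LIST and the format of its entries are not given in the write-up and are assumptions here; the sample mount-list lines are constructed for illustration only.

```python
import re
from typing import Iterable, List, Optional

# File paths quoted in the Talos write-up.
FIRESTARTER_BACKUP = "/opt/cisco/platform/logs/var/log/svc_samcore.log"
FIRESTARTER_TARGET = "/usr/bin/lina_cs"
# The write-up does not give the on-disk location of CSP_MOUNT_LIST; this is a
# placeholder (assumption) to be replaced with the path from Cisco's advisory.
CSP_MOUNT_LIST_PATH = "/PLACEHOLDER/path/to/CSP_MOUNT_LIST"

ELF_MAGIC = b"\x7fELF"
_PATH_RE = re.compile(re.escape(FIRESTARTER_BACKUP) + "|" + re.escape(FIRESTARTER_TARGET))


def suspicious_mount_list_entries(lines: Iterable[str]) -> List[str]:
    """Return mount-list entries that reference either FIRESTARTER path.

    The entry format is treated as opaque text (assumption); only the
    presence of the two paths from the write-up is checked.
    """
    return [ln.rstrip("\n") for ln in lines if _PATH_RE.search(ln)]


def looks_like_elf(head: bytes) -> bool:
    """A file stored under a .log name should not start with an ELF header."""
    return head[:4] == ELF_MAGIC


def assess(mount_list_text: str, backup_head: Optional[bytes]) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = [f"CSP_MOUNT_LIST references FIRESTARTER path: {e}"
                for e in suspicious_mount_list_entries(mount_list_text.splitlines())]
    if backup_head is not None and looks_like_elf(backup_head):
        findings.append(f"{FIRESTARTER_BACKUP} begins with an ELF header, not log text")
    return findings


def read_head(path: str, n: int = 4) -> Optional[bytes]:
    """Read the first n bytes of a file, or None if it cannot be opened."""
    try:
        with open(path, "rb") as fh:
            return fh.read(n)
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample input (not a real mount list) that triggers both findings.
    sample_mount_list = (
        "/dev/sda1 /mnt/disk0\n"
        f"cp {FIRESTARTER_BACKUP} {FIRESTARTER_TARGET} && {FIRESTARTER_TARGET}\n"
    )
    for finding in assess(sample_mount_list, b"\x7fELF\x02\x01"):
        print(finding)
```

Because FIRESTARTER restores the original CSP_MOUNT_LIST once it has run, the mount-list check only catches the implant inside the reboot window; Cisco's advisory remains the authoritative source for detection on affected devices.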