Cisco Talos has released a critical update on the threat actor known as UAT-4356 (also associated with the Arcane Door campaign), which is actively targeting Cisco Firepower devices. By exploiting a pair of vulnerabilities, this group is deploying a sophisticated custom backdoor named “FIRESTARTER” to gain deep, persistent access to core network infrastructure.
UAT-4356 is using highly effective exploits against known vulnerabilities in the VPN web servers of Cisco’s ASA and FTD software.
- CVE-2025-20333 (CVSS 9.9): A critical flaw that allows an authenticated attacker to execute arbitrary code as root, leading to a complete compromise of the device.
- CVE-2025-20362 (CVSS 6.5): A medium-severity vulnerability that allows unauthenticated attackers to bypass access controls and reach restricted URL endpoints.
As the report notes: “UAT-4356 exploited n-day vulnerabilities… to gain unauthorized access to vulnerable devices, where the threat actor deployed their custom-built backdoor dubbed ‘FIRESTARTER.’”
Once the perimeter is breached, FIRESTARTER burrows into the LINA process, the heart of Cisco’s security appliances. The backdoor is designed to intercept and process incoming XML-based payloads, allowing the attackers to execute code directly in the device’s memory.
It replaces legitimate handler functions with malicious shellcode by searching for specific byte sequences in memory. When a standard WebVPN request comes in, FIRESTARTER scans it for “magic markers”. If found, the hidden payload is executed; if not, the request is passed along as if nothing happened, making detection incredibly difficult.
To stay on the device while avoiding a permanent digital footprint, UAT-4356 uses a clever manipulation of the Cisco Service Platform (CSP) mount list. By editing the CSP_MOUNT_LIST, the attackers ensure that FIRESTARTER re-installs itself every time the device undergoes a graceful reboot.
“UAT-4356 established persistence for FIRESTARTER on compromised devices by manipulating the mount list for Cisco Service Platform (CSP)… The mount list allows programs and commands to be executed as part of the device’s boot sequence,” the report explains.
Interestingly, this persistence is transient. Because it relies on the software-triggered reboot process, a hard reboot—literally pulling the power cord—effectively wipes the implant from the device.
Cisco Talos has previously linked UAT-4356 to Arcane Door, a state-sponsored espionage campaign. The overlap in technical capabilities between FIRESTARTER and other known tools like RayInitiator suggests a highly organized effort to maintain a foothold in global networks for intelligence gathering.