{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/products/asa/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [
        {"cvss": 7, "id": "CVE-2026-33018"},
        {"cvss": 7.1, "id": "CVE-2026-33020"},
        {"id": "CVE-2026-41144"}
      ],
      "_cs_exploited": false,
      "_cs_products": ["ASA", "Secure Firewall Threat Defense", "IOS", "IOS XE", "IOS XR"],
      "_cs_severities": ["critical"],
      "_cs_tags": ["cisco", "vulnerability", "rce", "authentication-bypass"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Cisco"],
      "content_html": "\u003cp\u003eA cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).\u003c/li\u003e\n\u003cli\u003eAttacker exploits a vulnerability allowing authentication bypass.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication bypass, the attacker gains unauthorized access to the device.\u003c/li\u003e\n\u003cli\u003eAttacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe code executes with administrator privileges, granting the attacker full control over the device.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised device as a pivot point to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eAttacker compromises additional systems and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. The broad range of affected Cisco products means a wide array of organizations are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsult Cisco\u0026rsquo;s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-04-24T05:43:56Z",
      "date_published": "2026-04-24T05:43:56Z",
      "id": "/briefs/2024-07-cisco-multiple-vulns/",
      "summary": "Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.",
      "title": "Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution",
      "url": "https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/"
    },
    {
      "_cs_actors": ["UAT-4356"],
      "_cs_cves": [
        {"cvss": 9.9, "id": "CVE-2025-20333"},
        {"cvss": 6.5, "id": "CVE-2025-20362"}
      ],
      "_cs_exploited": false,
      "_cs_products": ["Firepower eXtensible Operating System (FXOS)", "ASA", "FTD"],
      "_cs_severities": ["critical"],
      "_cs_tags": ["uat-4356", "firestarter", "cisco", "backdoor", "network", "espionage"],
      "_cs_type": "threat",
      "_cs_vendors": ["Cisco"],
      "content_html": "\u003cp\u003eCisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called \u0026ldquo;FIRESTARTER,\u0026rdquo; which shares technical capabilities with RayInitiator\u0026rsquo;s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco\u0026rsquo;s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.\u003c/li\u003e\n\u003cli\u003eThe FIRESTARTER backdoor is written to \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e and the CSP_MOUNT_LIST is updated to copy itself to \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter a graceful reboot, FIRESTARTER is executed from \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER restores the original CSP_MOUNT_LIST from \u003ccode\u003e/tmp/CSP_MOUNTLIST.tmp\u003c/code\u003e and removes the temporary copy and the trojanized \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e file from disk.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the \u0026ldquo;libstdc++.so\u0026rdquo; memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the file integrity monitoring rule to detect the creation or modification of \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e and \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e (see \u0026ldquo;File Creation in Suspicious Directory\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eApply software upgrade recommendations outlined in Cisco\u0026rsquo;s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-04-23T15:11:53Z",
      "date_published": "2026-04-23T15:11:53Z",
      "id": "/briefs/2026-04-uat-4356-firestarter/",
      "summary": "UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.",
      "title": "UAT-4356 FIRESTARTER Backdoor Targeting Cisco Firepower Devices",
      "url": "https://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — ASA",
  "version": "https://jsonfeed.org/version/1.1"
}