https://feed.craftedsignal.io/products/asa/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 24 Apr 2026 05:43:56 +0000https://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/Fri, 24 Apr 2026 05:43:56 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-07-cisco-multiple-vulns/Multiple vulnerabilities in Cisco ASA, Secure Firewall Threat Defense, IOS, IOS XE, and IOS XR allow a remote attacker to bypass authentication and execute arbitrary code with administrator privileges.A cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.

Attack Chain

1. Attacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).
2. Attacker exploits a vulnerability allowing authentication bypass.
3. Upon successful authentication bypass, the attacker gains unauthorized access to the device.
4. Attacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.
5. The code executes with administrator privileges, granting the attacker full control over the device.
6. Attacker uses the compromised device as a pivot point to move laterally within the network.
7. Attacker compromises additional systems and exfiltrates sensitive data.

Impact

Successful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. The broad range of affected Cisco products means a wide array of organizations are potentially at risk.

Recommendation

• Deploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.
• Consult Cisco’s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.

]]>criticaladvisoryciscovulnerabilityrceauthentication-bypasshttps://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/Thu, 23 Apr 2026 15:11:53 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.Cisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called “FIRESTARTER,” which shares technical capabilities with RayInitiator’s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco’s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.

Attack Chain

1. UAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.
2. The attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.
3. The FIRESTARTER backdoor is written to /opt/cisco/platform/logs/var/log/svc_samcore.log and the CSP_MOUNT_LIST is updated to copy itself to /usr/bin/lina_cs.
4. After a graceful reboot, FIRESTARTER is executed from /usr/bin/lina_cs.
5. FIRESTARTER restores the original CSP_MOUNT_LIST from /tmp/CSP_MOUNTLIST.tmp and removes the temporary copy and the trojanized /usr/bin/lina_cs file from disk.
6. FIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.
7. FIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the “libstdc++.so” memory region.
8. The attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.

Impact

Compromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.

Recommendation

• Deploy the file integrity monitoring rule to detect the creation or modification of /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log (see “File Creation in Suspicious Directory”).
• Apply software upgrade recommendations outlined in Cisco’s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.
• Monitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.

]]>criticalthreatuat-4356firestarterciscobackdoornetworkespionage