“XML. If the request data received matches a specific pattern of custom-defined prefixing, then the shellcode that immediately follows it is executed in memory. If the prefixing bytes are not found, then the data is treated as regular request data and passed to the original handl…”
T1190 Exploit Public-Facing Application (94%)
“UAT-4356's targeting of Cisco Firepower devices: Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20…”
T1055.001 Dynamic-link Library Injection (93%)
“stage shellcode (stage 2) to the last 0x200 bytes of the memory region. Firestarter then overwrites an internal data structure in the lina process’ memory to replace a pointer to a WebVPN-specific, legitimate XML handler function with the address of the malicious stage 2 she…”
T1542.003 Bootkit (67%)
“is a malicious backdoor implanted by UAT-4356 that allows remote access and control to execute arbitrary code inside the lina process, a core component of Cisco’s ASA and FTD appliances running FXOS. Persistence: UAT-4356 established persistence for Firestarter on compromise…”
T1190 Exploit Public-Facing Application (37%)
“For more comprehensive detection guidance, please refer to Cisco’s security advisory here. Please also refer to CISA’s update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices and Firestarter Backdoor Malware Analysis Rep…”
Summary
Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices.