Cisco Firepower Flaws Exploited by State Hackers: UAT-4356 Strikes
State-backed group UAT-4356 chains two n-day vulnerabilities in Cisco ASA and Firepower devices to deploy a custom backdoor. Learn how to defend against these attacks.
Key Takeaways
- **State-sponsored group UAT-4356** is actively exploiting two n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) in Cisco ASA and Firepower Threat Defense (FTD) software.
- The attackers chain these flaws to deploy a **highly customized backdoor** on the appliance itself, where endpoint security tools cannot see it.
- This campaign follows UAT-4356’s previous **ArcaneDoor operation**, signaling a persistent interest in network security appliances.
- Organizations running affected Cisco ASA and Firepower devices must **patch immediately**, verify that devices were not already compromised, and monitor device logs and network telemetry for post-exploitation activity.
Introduction: The New Frontier of Network Attacks
On April 25, 2026, Cisco Talos revealed that threat group UAT-4356, linked to state-sponsored espionage, is exploiting two n-day vulnerabilities in Cisco Firepower devices. These flaws, tracked as CVE-2025-20333 and CVE-2025-20362, affect the VPN web server of Cisco Secure Firewall ASA and Firepower Threat Defense (FTD) software. By chaining these vulnerabilities, attackers gain unauthenticated code execution on the appliance, deploy a custom backdoor, and maintain persistence inside enterprise networks.
Understanding the Vulnerabilities: CVE-2025-20333 and CVE-2025-20362
CVE-2025-20333: Authenticated Remote Code Execution in the VPN Web Server
This flaw is a buffer overflow in the VPN web server of Cisco ASA and FTD software. An attacker who holds valid VPN user credentials can send crafted HTTP requests to the device and execute arbitrary code with root privileges. On its own the bug requires credentials, which is why UAT-4356 pairs it with an authorization bypass.
CVE-2025-20362: Missing Authorization in the VPN Web Server
The second vulnerability lets an unauthenticated remote attacker reach restricted URL endpoints of the same VPN web server by sending crafted HTTP requests, without any user interaction. When chained, CVE-2025-20362 supplies the access that CVE-2025-20333 would otherwise require, and the attacker ends up with unauthenticated root-level code execution on the appliance.
Why N-Day Vulnerabilities Matter
Unlike zero-days, n-day vulnerabilities are publicly known and have fixes available, but they often remain unpatched because appliances sit in slow maintenance cycles. UAT-4356 exploits this gap, targeting organizations that delay updates. Public advisories tell attackers exactly what to look for, and Internet-wide scanning makes unpatched edge devices cheap to find, so the window between advisory and deployment is the window that matters.
The UAT-4356 Group: From ArcaneDoor to Firepower
UAT-4356 first gained notoriety for the ArcaneDoor campaign, which targeted perimeter network devices worldwide. In that operation, the group used custom implants on compromised appliances to gain access to and exfiltrate data from government and telecom networks. Its renewed focus on Cisco ASA and Firepower devices is consistent with their widespread use in critical infrastructure and at the network edge.
Tactics, Techniques, and Procedures (TTPs)
- **Initial Access**: Exploit CVE-2025-20362 to reach restricted VPN web server endpoints without authentication.
- **Code Execution**: Chain with CVE-2025-20333 to trigger the buffer overflow and run code as root on the appliance.
- **Persistence**: Deploy a custom backdoor that mimics legitimate system processes.
- **Lateral Movement**: Use the compromised device to pivot into internal networks.
- **Data Exfiltration**: Exfiltrate data over encrypted tunnels.
Role of Automation
UAT-4356 automates reconnaissance and payload delivery. Scripted tooling scans for exposed VPN web servers, fires the exploit chain against vulnerable versions, and keeps the implant in contact with command-and-control servers. This reduces hands-on-keyboard time and lets the group hit many targets quickly.
The Custom Backdoor: A New Threat
The backdoor deployed by UAT-4356 is highly sophisticated:
- **Stealth**: Uses rootkit-like techniques to hide from security tools.
- **Persistence**: Survives device reboots and firmware updates.
- **Communication**: Employs encrypted DNS tunneling to avoid detection.
- **Functionality**: Can execute arbitrary commands, exfiltrate data, and deploy additional malware.
Because the implant lives on the appliance rather than on an endpoint, host-based security tools never see it. Detection has to come from the device's own logs, configuration and firmware integrity checks, and network telemetry around the device, in particular its DNS and outbound traffic.
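The DNS tunneling channel described above leaves a recognisable pattern in resolver logs: many unique, high-entropy subdomains under one parent domain, often with TXT or NULL queries. The following Python script is an added example (not code from the original article or from Cisco Talos) that scores each parent domain seen in a constructed sample log on mean label entropy and subdomain count. The log format, the threshold values and the domain names are assumptions for illustration; the "two-label base domain" split is a simplification that a real deployment would replace with a public-suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from any real capture).
# One record per line: <time> <client_ip> <qtype> <qname>
# The hex labels under updates-telemetry.example mimic encoded tunnel payloads.
SAMPLE_DNS_LOG = """\
10:00:01 10.10.1.1 A www.example.com
10:00:02 10.10.1.1 A img1.static-cdn.example
10:00:02 10.10.1.1 A img2.static-cdn.example
10:00:02 10.10.1.1 A img3.static-cdn.example
10:00:02 10.10.1.1 A img4.static-cdn.example
10:00:02 10.10.1.1 A img5.static-cdn.example
10:00:03 10.10.1.1 TXT 3fa9c2e1b7d04a8e5c6f1d2b9e0a7c4d.1.cmd.updates-telemetry.example
10:00:04 10.10.1.1 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.2.cmd.updates-telemetry.example
10:00:05 10.10.1.1 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.3.cmd.updates-telemetry.example
10:00:06 10.10.1.1 TXT 5e7c9a1f3b0d2468864d2b0f3a1c9e75.4.cmd.updates-telemetry.example
10:00:07 10.10.1.1 TXT 8b2d4f6a0c1e3579e1c3a5f7b9d02468.5.cmd.updates-telemetry.example
10:00:08 10.10.1.1 TXT 6a9c3e5f1b7d0248f0e1d2c3b4a59687.6.cmd.updates-telemetry.example
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex or base32 payloads score close to 4-5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (base_domain, subdomain). Assumes a two-label base domain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_dns_log(text: str):
    """Yield (client, qtype, qname) for each well-formed record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _time, client, qtype, qname = parts
        yield client, qtype.upper(), qname


def profile_domains(text: str):
    """Aggregate per-base-domain statistics used by the detector."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "len_sum": 0, "txt_null": 0})
    for _client, qtype, qname in parse_dns_log(text):
        base, sub = split_name(qname)
        s = stats[base]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        s["len_sum"] += len(sub)
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1
    return stats


def detect_tunnels(text: str, entropy_threshold: float = 3.5,
                   min_unique: int = 5, min_sub_len: int = 40):
    """Flag base domains whose subdomains look like encoded payloads.

    A domain is suspicious when its mean subdomain entropy is high AND it
    shows either many distinct subdomains or very long ones. Entropy alone
    is not enough (CDN hostnames vary too), so both conditions are needed.
    """
    report = {}
    for base, s in profile_domains(text).items():
        n = s["queries"]
        mean_entropy = s["entropy_sum"] / n
        mean_len = s["len_sum"] / n
        unique = len(s["subdomains"])
        suspicious = mean_entropy >= entropy_threshold and (
            unique >= min_unique or mean_len >= min_sub_len)
        report[base] = {
            "queries": n,
            "unique_subdomains": unique,
            "mean_entropy": round(mean_entropy, 2),
            "mean_subdomain_len": round(mean_len, 1),
            "txt_or_null_queries": s["txt_null"],
            "suspicious": suspicious,
        }
    return report


def suspicious_domains(text: str):
    """Convenience wrapper returning only the flagged base domains."""
    return [d for d, v in detect_tunnels(text).items() if v["suspicious"]]


if __name__ == "__main__":
    for domain, info in detect_tunnels(SAMPLE_DNS_LOG).items():
        print(domain, info)
```

In the sample, static-cdn.example has five distinct subdomains but their entropy is low, so it is not flagged; updates-telemetry.example is flagged on both entropy and subdomain count. Run the same logic over your resolver or firewall DNS logs grouped by client as well as by domain, since a single appliance talking to one odd domain is the shape of the problem described in this section.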
Implications for Network Security
Why Firepower Devices Are Targeted
Cisco Firepower devices serve as network security gateways, inspecting traffic for threats. Compromising them gives attackers visibility into all network traffic and the ability to disable security controls. This makes them a prime target for espionage groups.
The Rise of Automation in Attacks
Adversaries increasingly automate their operations to scale them. UAT-4356’s scripted exploit chain against exposed VPN web servers is a clear example. Security teams must counter this with automated detection and response of their own, because manual review of appliance logs will not keep pace.
Defensive Strategies
Immediate Actions
1. Patch Vulnerabilities: Apply Cisco’s fixed releases for CVE-2025-20333 and CVE-2025-20362 immediately. If compromise is suspected, preserve forensic evidence before upgrading, since patching alone does not evict an implant that is already on the device.
2. Monitor for Indicators: Look for administrative logins and configuration changes from unexpected sources or interfaces, and for unexpected outbound connections or DNS traffic from the appliance itself.
3. Segment Networks: Restrict management access to the Firepower devices to a dedicated management network and isolate them from critical systems.
4. Enable Logging: Ensure detailed syslog output is sent to a SIEM, so that evidence survives even if the device is later wiped or reimaged.
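The monitoring step above is easiest to make concrete against ASA/FTD syslog. The following Python script is an added example (not code from the original article, from Cisco or from Cisco Talos) that triages a constructed batch of syslog lines: it parses the login (605005), executed-command (111008) and configuration-command (111010) messages, and raises an alert when an administrative login or a configuration change arrives from outside an assumed management network or interface, or when a command touches a sensitive area. The management CIDR, the interface name, the hostnames and the list of sensitive command prefixes are assumptions for the example and should be tuned to your environment.

```python
import ipaddress
import re

# Assumed management network and interface for this example; replace with your own.
MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]
MGMT_IFACES = {"management"}

# Illustrative command prefixes worth a second look on a firewall.
# This is not a vendor list; extend it for your environment.
SENSITIVE_CMD_PREFIXES = (
    "boot system", "no logging", "crypto ca", "username ",
    "ssh ", "http ", "copy /noconfirm",
)

# Constructed sample syslog lines in ASA format (not from a real device).
SAMPLE_SYSLOG = """\
Apr 25 10:00:01 fw01 : %ASA-6-605005: Login permitted from 10.0.50.12/51022 to management:10.0.50.1/ssh for user "netops"
Apr 25 10:00:05 fw01 : %ASA-5-111008: User 'netops' executed the 'show running-config' command.
Apr 25 10:03:40 fw01 : %ASA-6-605005: Login permitted from 203.0.113.77/40311 to outside:198.51.100.2/https for user "admin"
Apr 25 10:03:52 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.77, executed 'no logging enable'
Apr 25 10:04:10 fw01 : %ASA-5-111010: User 'netops', running 'CLI' from IP 10.0.50.12, executed 'username backupadm privilege 15'
"""

# Message formats for the three syslog IDs this script understands.
RE_LOGIN = re.compile(
    r"%(?:ASA|FTD)-\d-605005: Login permitted from (?P<src>[\d.]+)/\d+ "
    r"to (?P<iface>\w+):[\d.]+/(?P<proto>\w+) for user \"(?P<user>[^\"]+)\"")
RE_EXEC = re.compile(
    r"%(?:ASA|FTD)-\d-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>.+)' command")
RE_CFG = re.compile(
    r"%(?:ASA|FTD)-\d-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' "
    r"from IP (?P<src>[\d.]+), executed '(?P<cmd>.+)'")


def in_mgmt_net(ip: str) -> bool:
    """True when the address belongs to one of the expected management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def is_sensitive(cmd: str) -> bool:
    """True when the command starts with one of the watched prefixes."""
    c = cmd.strip().lower()
    return any(c.startswith(p) for p in SENSITIVE_CMD_PREFIXES)


def triage_line(line: str):
    """Return the list of reasons a single syslog line deserves attention."""
    reasons = []
    m = RE_LOGIN.search(line)
    if m:
        if not in_mgmt_net(m["src"]):
            reasons.append("login_from_unexpected_source")
        if m["iface"] not in MGMT_IFACES:
            reasons.append("login_on_unexpected_interface")
        return reasons
    m = RE_CFG.search(line)
    if m:
        if not in_mgmt_net(m["src"]):
            reasons.append("config_change_from_unexpected_source")
        if is_sensitive(m["cmd"]):
            reasons.append("sensitive_command")
        return reasons
    m = RE_EXEC.search(line)
    if m and is_sensitive(m["cmd"]):
        reasons.append("sensitive_command")
    return reasons


def triage(log_text: str):
    """Run triage_line over a batch of syslog and collect the flagged lines."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            alerts.append({"line": line, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_SYSLOG):
        print(", ".join(alert["reasons"]), "<-", alert["line"])
```

On the sample, the first two lines are routine and produce nothing; the HTTPS login from 203.0.113.77 on the outside interface, the `no logging enable` change from that same address, and the creation of a privilege-15 user are each reported with their reasons. Logins on the VPN-facing interface and commands that disable logging are exactly the kind of activity this campaign produces, so in a SIEM these rules belong on a high-priority alert path rather than in a daily report.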
Long-Term Measures
- **Implement Zero Trust**: Assume edge devices can be compromised and enforce strict access controls between them and the rest of the network, so that a compromised appliance is not a trusted pivot point.
- **Use Behavioral Analytics**: Deploy tools that detect anomalous behavior from the appliances themselves, such as unexpected outbound connections or DNS patterns, even when the activity comes from a legitimate-looking process.
- **Verify Device Integrity**: Check firmware and configuration integrity on a schedule, since an implant that survives reboots and upgrades will not be removed by patching.
The Role of Threat Intelligence
Staying informed about groups like UAT-4356 is critical. Vendor advisories, Cisco Talos reporting and government security agency alerts are the primary sources for indicators and affected versions. Understanding the TTPs of state-sponsored actors helps in proactive defense.
Conclusion: What This Means for Security Teams
The exploitation of Cisco Firepower devices by UAT-4356 underscores the evolving sophistication of state-sponsored threats. By chaining n-day vulnerabilities and deploying custom backdoors, these attackers demonstrate that no device is safe if patches are delayed. Security teams must prioritize:
- **Rapid patch management** for known vulnerabilities.
- **Advanced threat detection** that can identify stealthy backdoors.
- **Automated response** to match the speed of the adversary's scripted exploitation.
Automation cuts both ways: it lets attackers find and exploit unpatched appliances within hours of an advisory, and it lets defenders patch, detect and contain at the same pace. The era of passive network security is over; proactive, automated and well-instrumented defense is the only way forward.