CISA: FIRESTARTER backdoor persists on federal Cisco ASA
A state-sponsored actor is exploiting patched Cisco Firepower vulnerabilities to deploy the FIRESTARTER backdoor malware.
The UK's National Cyber Security Centre (NCSC) has joined the US CISA in issuing the warning, and the actor is identified as UAT-4356.
New details confirm the backdoor was found on a specific federal agency's Cisco Firepower appliance and emphasize the persistence gap in perimeter device security.
The joint advisory adds that the UK NCSC is also involved and that the backdoor's update-resistant persistence mechanism represents an elevated capability, prompting a sector-wide alert.
Cisco Talos has identified the specific threat actor (UAT-4356) and the two patched vulnerabilities (CVE-2025-20333, CVE-2025-20362) being exploited, along with technical details of the FIRESTARTER malware's persistence and detection signatures.