Hackers Exploit Cisco Firepower N-Day Vulnerabilities for Unauthorized Access

What happened

In April 2026, cybersecurity researchers confirmed that a state-sponsored threat actor, known as UAT-4356, has been actively exploiting two n-day vulnerabilities in Cisco Firepower devices. These vulnerabilities, identified as CVE-2025-20333 and CVE-2025-20362m, affect Cisco’s Firepower eXtensible Operating System (FXOS). The attackers leveraged these flaws to gain unauthorized access and implant a sophisticated custom backdoor, enabling persistent control over compromised devices.

Unlike zero-day exploits, these vulnerabilities were previously patched by Cisco. However, the threat actor capitalized on unpatched or improperly mitigated systems, highlighting a critical gap in enterprise security practices. The exploitation campaign has been linked to targeted intrusions against government and critical infrastructure sectors globally.

Confirmed facts

• Vulnerabilities exploited: CVE-2025-20333 and CVE-2025-20362m, both affecting Cisco Firepower FXOS.
• Threat actor: UAT-4356, a state-sponsored group with advanced capabilities.
• Attack vector: Exploitation of n-day vulnerabilities, no zero-day exploits involved.
• Payload: Deployment of a custom backdoor granting persistent unauthorized access.
• Affected systems: Cisco Firepower devices running vulnerable versions of FXOS.
• Patch status: Cisco released patches months prior, but many organizations remain unpatched.
• Impact: Unauthorized access, potential data exfiltration, network compromise.

Who is affected

Organizations using Cisco Firepower devices, particularly those running unpatched versions of FXOS, are at high risk. This includes:

• Government agencies
• Critical infrastructure providers (energy, utilities, transportation)
• Large enterprises relying on Cisco Firepower for network security
• Managed Security Service Providers (MSSPs) deploying Cisco Firepower

Due to the nature of Firepower devices as network security appliances, a compromise can lead to widespread network infiltration, data breaches, and disruption of security monitoring.

What to do now

1. Immediate patching: Verify your Cisco Firepower devices’ FXOS version and apply the latest patches addressing CVE-2025-20333 and CVE-2025-20362m.
2. Incident response: Conduct thorough network and device forensics to detect any signs of compromise or backdoor implantation.
3. Access review: Audit user accounts and credentials on Firepower devices for unauthorized changes.
4. Network segmentation: Isolate affected devices to prevent lateral movement.
5. Update detection rules: Deploy IDS/IPS signatures and endpoint detection rules tailored to these exploits and backdoor behaviors.
6. Vendor advisories: Monitor Cisco’s security advisories for additional mitigation guidance.

How to secure yourself

• Regular patch management: Establish strict policies ensuring timely application of security patches for all network devices.
• Multi-factor authentication (MFA): Enforce MFA on all administrative access to network appliances.
• Network monitoring: Implement continuous monitoring for anomalous traffic patterns indicative of backdoor activity.
• Least privilege: Limit administrative privileges on Firepower devices to essential personnel only.
• Incident drills: Regularly test incident response plans to quickly identify and remediate compromises.
• Backup configurations: Maintain secure backups of device configurations to enable rapid restoration.

2026 update

Since the initial disclosure and exploitation reports in early 2026, Cisco and cybersecurity communities have intensified efforts to combat UAT-4356’s campaign. By mid-2026:

• Cisco released enhanced detection tools integrated into Firepower Management Center (FMC).
• Several MSSPs reported successful disruption of ongoing attacks by applying updated signatures.
• New threat intelligence sharing platforms have emerged, focusing on state-sponsored exploitation of network devices.
• Despite these advances, unpatched systems continue to be targeted, emphasizing persistent risk.

Organizations are urged to maintain vigilance and prioritize remediation to avoid becoming victims of this evolving threat.

FAQ

What are CVE-2025-20333 and CVE-2025-20362m?

They are security vulnerabilities in Cisco Firepower FXOS that allow attackers to gain unauthorized access and execute arbitrary code.

How do I know if my Cisco Firepower device is vulnerable?

Check the FXOS version against Cisco’s published patch advisories. Devices running versions prior to the latest patched release are vulnerable.

Can these vulnerabilities be exploited remotely?

Yes, the vulnerabilities can be exploited remotely, making exposed devices on public or poorly segmented networks especially at risk.

What is a custom backdoor?

A custom backdoor is malicious software installed by attackers to maintain persistent, covert access to a compromised system.

Has Cisco provided patches for these vulnerabilities?

Yes, Cisco released patches months before the exploitation was observed in the wild.

What industries are most targeted?

Government, critical infrastructure, and large enterprises using Cisco Firepower devices are primary targets.

How can I detect if my device has been compromised?

Look for unusual network traffic, unauthorized configuration changes, and alerts from updated IDS/IPS signatures.

Is this attack related to zero-day vulnerabilities?

No, it exploits known n-day vulnerabilities that were patched but not universally applied.

What should I do if I find signs of compromise?

Isolate the device, conduct a forensic investigation, apply patches, change credentials, and notify relevant authorities.

Why this matters

Cisco Firepower devices are cornerstone components in many organizations’ network defense architectures. Exploiting known vulnerabilities to install backdoors undermines the integrity of these defenses, potentially allowing attackers to bypass security controls and access sensitive data or disrupt operations. The fact that these are n-day exploits—vulnerabilities with available patches—highlights the ongoing challenge of timely patch management in cybersecurity. Failure to address these flaws can lead to severe consequences including data breaches, espionage, and operational downtime.

Sources and corroboration

This article synthesizes information from multiple corroborating sources, including detailed reports from GBHackers Security and Cisco’s official security advisories. The active exploitation by UAT-4356 has been confirmed by independent cybersecurity researchers monitoring network traffic and attack patterns targeting Cisco Firepower devices.

• [GBHackers Security: Hackers Exploit Cisco Firepower N-Day Flaws](https://gbhackers.com/hackers-exploit-cisco-firepower-n-day-flaws/)
• Cisco Security Advisories (2026)

By integrating these insights, this report provides a comprehensive and actionable overview of the ongoing threat landscape concerning Cisco Firepower n-day vulnerabilities.