HackWatch
! High riskVU Vulnerability

UAT-4356 Exploits Critical Vulnerabilities in Cisco Firepower Devices FXOS

Vulnerability coverage focused on affected versions, exploitability and patch or mitigation decisions.

Exploitability matters here. Check exposed versions, prioritize mitigations and patch first where remote access or privilege escalation is possible.
UAT-4356 Exploits Critical Vulnerabilities in Cisco Firepower Devices FXOS - HackWatch vulnerability alert image
HackWatch vulnerability alert image for: UAT-4356 Exploits Critical Vulnerabilities in Cisco Firepower Devices FXOS
Marcin Pocztowski

Infrastructure Security Editor

Marcin Pocztowski

Infrastructure and Vulnerability Response

By: Artur Ślesik

Published: Apr 23, 2026

Updated: May 01, 2026

Incident status: Resolved or patched

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note:This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 from an administrator's point of view, checking CVE-2025-20333, CVE-2025-20362 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected version first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 1 corroborating source supports that scope.

Review our editorial policy or send corrections to [email protected].

Resolved or patched. Source coverage indicates that a fix or formal remediation has been published. Verify that updates are applied in your environment.

The threat actor UAT-4356 has been actively exploiting two n-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). This targeted campaign allows unauthorized access and potential control over affected network security appliances, posing a high-risk threat to enterprise infrastructure.

# UAT-4356 Exploits Critical Vulnerabilities in Cisco Firepower Devices FXOS

What happened

Cisco Talos Intelligence Group has identified ongoing active exploitation by the threat actor UAT-4356 against Cisco Firepower devices. Specifically, UAT-4356 is leveraging two known n-day vulnerabilities — CVE-2025-20333 and CVE-2025-20362 — within the Firepower eXtensible Operating System (FXOS). These vulnerabilities allow unauthorized attackers to bypass authentication mechanisms and gain elevated privileges on the targeted devices.

The attacks have been observed in the wild since early 2026, with increasing sophistication and targeting of enterprise-grade Cisco Firepower appliances that serve as critical network security gateways. The exploitation of these vulnerabilities enables attackers to execute arbitrary code, manipulate firewall policies, and potentially pivot deeper into corporate networks.

Confirmed facts

  • Vulnerabilities exploited:
  • *CVE-2025-20333*: An authentication bypass vulnerability in Cisco Firepower FXOS.
  • *CVE-2025-20362*: A privilege escalation flaw allowing attackers to gain root-level access.
  • Threat actor: UAT-4356, known for targeting network infrastructure devices with tailored exploits.
  • Attack vector: Remote exploitation over network interfaces exposed by Firepower devices.
  • Impact: Unauthorized access, potential data interception, firewall rule manipulation, and lateral movement within affected networks.
  • Detection: Cisco Talos has released detection signatures and indicators of compromise (IOCs) related to UAT-4356 activity.
  • Mitigation: Cisco has issued security advisories with patches and workarounds addressing these vulnerabilities.

Who is affected

Organizations using Cisco Firepower devices running vulnerable versions of FXOS are at high risk. This includes enterprises, managed security service providers, and government agencies relying on these devices for perimeter defense and intrusion prevention.

Particularly vulnerable are devices that have not applied the latest security updates or have exposed management interfaces to untrusted networks. The attack targets both on-premises deployments and cloud-managed Firepower instances where FXOS is in use.

What to do now

  1. Identify affected devices: Inventory all Cisco Firepower appliances and verify their FXOS versions.
  2. Apply patches immediately: Deploy Cisco's official security patches for CVE-2025-20333 and CVE-2025-20362 without delay.
  3. Restrict network exposure: Limit access to management interfaces to trusted IP addresses only and disable any unnecessary services.
  4. Monitor logs and alerts: Utilize Cisco Talos detection signatures to scan for indicators of compromise and anomalous activity.
  5. Conduct incident response: If compromise is suspected, isolate affected devices, perform forensic analysis, and reset credentials.
  6. Update firewall rules: Review and tighten firewall policies to prevent lateral movement.

How to secure yourself

  • Regularly update device firmware and software: Keeping FXOS and related components up to date is critical.
  • Implement strong access controls: Use multi-factor authentication (MFA) for device management and restrict administrative access.
  • Network segmentation: Separate management interfaces from general network traffic and enforce strict segmentation.
  • Continuous monitoring: Deploy intrusion detection systems (IDS) and endpoint detection and response (EDR) tools that can flag unusual behavior.
  • User training and awareness: Educate network administrators on emerging threats and best practices for device security.

FAQ

What is UAT-4356?

UAT-4356 is a sophisticated cyber threat actor known for targeting network infrastructure devices, particularly Cisco Firepower appliances, using zero-day and n-day vulnerabilities.

Are all Cisco Firepower devices affected?

Only devices running vulnerable versions of the Firepower eXtensible Operating System (FXOS) that have not applied patches for CVE-2025-20333 and CVE-2025-20362 are at risk.

How can I check if my device is vulnerable?

Verify your device’s FXOS version against Cisco’s security advisory and use network scanning tools to detect exposure of management interfaces.

What are the risks of exploitation?

Attackers can gain unauthorized access, manipulate firewall rules, intercept network traffic, and move laterally within your network.

Has Cisco provided patches?

Yes, Cisco has released firmware updates and security patches addressing these vulnerabilities.

Can this attack lead to data breaches?

Yes, unauthorized control over Firepower devices can facilitate data interception and compromise of sensitive information.

What immediate steps should I take if I suspect compromise?

Isolate affected devices, reset administrative credentials, apply patches, and conduct a thorough security audit.

Does enabling MFA help?

While MFA strengthens access controls, it does not mitigate the vulnerabilities directly but is recommended as part of a layered defense.

Is there ongoing monitoring available?

Cisco Talos provides updated detection signatures and threat intelligence feeds to monitor UAT-4356 activity.

What changed in 2026 regarding this threat?

Cisco released comprehensive patches and enhanced detection tools, while UAT-4356 has diversified its targeting beyond Firepower devices.

Why this matters

Cisco Firepower devices are cornerstone components of enterprise network security, responsible for firewalling, intrusion prevention, and traffic inspection. Exploitation of FXOS vulnerabilities by UAT-4356 undermines these defenses, exposing organizations to significant risk of network compromise and data theft.

Given the widespread deployment of Cisco Firepower in critical infrastructure and corporate environments, failure to address these vulnerabilities promptly can lead to severe operational disruptions and regulatory consequences.

Sources and corroboration talosintelligence.com](https://blog.talosintelligence.com/uat-4356-firestarter/), along with corroborating security community reports and Cisco’s official security bulletins.

---

Stay informed with HackWatch for the latest cybersecurity threat intelligence and actionable defense strategies.

Sources used for this article

blog.talosintelligence.com

Artur Ślesik

Real reviewer profile

Artur Ślesik

Founder of HackWatch.io and WEB-NET; Editorial Reviewer

Open reviewer profile

Artur Ślesik is the founder of HackWatch.io and WEB-NET, a real named reviewer with 17+ years of experience building and maintaining web portals.

Coverage focus: Secure web portals, phishing prevention, user-facing recovery guides and practical web-security review

Editorial disclosure: This is a real named founder profile. HackWatch does not claim unverified security certifications, SOC employment history or CERT incident-response credentials for Artur. Security guidance is grounded in public sources, HackWatch tooling and first-hand web-portal experience.

Artur leads this vulnerability alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "UAT-4356 Exploits Critical Vulnerabilities in Cisco Firepower Devices FXOS".

Secure web portals and publishing operationsPhishing prevention and account-safety guidanceUser-facing recovery playbooks