State-sponsored threat actor UAT-4356 (ArcaneDoor) has implanted a firmware-level backdoor called FIRESTARTER inside Cisco Firepower and Secure Firewall hardware by exploiting two critical FXOS vulnerabilities. The implant survives software patching and reboots; full device reimaging is the only validated eradication path. CISA updated Emergency Directive ED 25-03 on April 23, 2026, requiring reimaging across seven affected hardware series.