UK, US urge Cisco users to ditch end-of-life security appliances


An ongoing campaign of cyber attacks orchestrated through vulnerabilities found in the Cisco Adaptive Security Appliance (ASA) family of unified threat management (UTM) kit has prompted warnings from both the British and American authorities for users to unplug and discard outdated, out-of-support equipment.

Cisco ASA is a multipurpose line of security appliances that, on introduction in the 2000s, took over various functions that Cisco previously offered in standalone form, including firewalls, intrusion prevention and virtual private networking. It remains widely used to this day, particularly among small to medium-sized enterprises (SMEs).

The alert stems from two distinct flaws in the technology – CVE-2025-20333, enabling remote code execution (RCE), and CVE-2025-20362, enabling elevation of privileges (EoP). A third arbitrary code execution vulnerability, CVE-2025-20363, has also been identified but is not in the scope of this specific alert.

Cisco said the issues impact Cisco ASA 5500-X Series models running Cisco ASA Software Release 9.12 or 9.14 with VPN web services enabled. The specific models involved are 5512-X, 5515-X, 5525-X, 5545-X, 5555-X and 5585-X, some of which reached end-of-life status in 2017. Two of them, 5512-X and 5515-X, have been out of support since 2022.

The National Cyber Security Centre (NCSC) strongly recommended, where practicable, that ASA models falling out of support over the next 12 months should be replaced, noting the significant risks that obsolete, end-of-life hardware can pose.

“It is critical for organisations to take note of the recommended actions highlighted … particularly on detection and remediation,” said NCSC chief technology officer Ollie Whitehouse.

“We strongly encourage network defenders to follow vendor best practices and engage with the NCSC’s malware analysis report to assist with their investigations.

“End-of-life technology presents a significant risk for organisations. Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience,” he said.

In an emergency directive issued prior to the weekend of 27-28 September, the US Cybersecurity and Infrastructure Security Agency (CISA) directed all users within the American government to account for and update Cisco ASA devices, and Cisco Firepower devices, which are also affected.

CISA supported the NCSC’s warning, saying that if ASA hardware models with an end-of-support date falling on or before Tuesday 30 September 2025 are found, these should be permanently disconnected immediately.

“These legacy platforms [and/or] releases cannot meet current vendor support and update requirements,” said CISA.

What’s the problem?

According to Cisco, the latest vulnerabilities are being exploited by the threat actor behind the ArcaneDoor campaign, which first came to light in April 2024 and is thought to have been the work of a nation state-backed threat actor.

This activity is thought to date back a few months prior to that, with Cisco’s Talos threat intel unit having identified attacker-controlled infrastructure active in November 2023, and possible test and development activity for previous exploits in July of that year.

Cisco said it had been working with multiple affected customers, including government agencies, on investigating the latest series of attacks for some time. It described the attacks as complex and sophisticated, requiring an extensive response, and added that the threat actor was still actively scanning for targets of interest.

The campaign has been linked to two different pieces of malware, named Line Dancer and Line Runner, which were the subject of alerts in 2024.

Line Dancer, a shellcode loader, and Line Runner, a Lua webshell, work in tandem to enable the threat actors to achieve their objectives on ASA devices.



