A widespread campaign aimed at breaching organizations via zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) has been revealed by the US, UK, Canadian and Australian cybersecurity agencies.
The threat actor, suspected to be state-sponsored, is believed to be the same one behind the ArcaneDoor campaign of 2023 and 2024, which used custom malware to disable logging and prevent the creation of a crash dump (“Line Dancer”) and to install a backdoor that persists across reboots and upgrades (“Line Runner”).
The exploited vulnerabilities
Cisco published three security advisories on Thursday, detailing three vulnerabilities, two of which have been exploited by the threat actor:
- CVE-2025-20362 affects the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, and allows an unauthenticated, remote attacker to access restricted URL endpoints that would otherwise require authentication
- CVE-2025-20333 affects the same VPN web server and allows an authenticated, remote attacker to execute arbitrary code on an affected device
“The evidence collected strongly indicates that CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign,” Cisco noted.
Neither flaw is exploitable on every device: both sit in the VPN web server, so exposure depends on that service being enabled and on the specific configurations listed in Cisco's advisories. An authentication bypass and an authenticated code-execution bug in the same component also fit together naturally as a chain from unauthenticated access to code execution, which is consistent with Cisco's finding that both were used in the campaign.
A third remote code execution vulnerability, CVE-2025-20363, affects the same ASA and FTD software as well as IOS, IOS XE, and IOS XR Software running on a range of legacy and modern enterprise networking devices and carrier-grade routers.
Although this flaw was discovered during the investigation into the attacks, there is no indication that it has been exploited.
More specifics about the attacks
“In May 2025, Cisco was engaged by multiple government agencies that provide incident response services to government organizations to support the investigation of attacks that were targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled to implant malware, execute commands, and potentially exfiltrate data from the compromised devices,” Cisco said.
The company’s investigators used instrumented images with enhanced detection capabilities, helped customers analyze packet captures from compromised environments, and analyzed firmware extracted from infected devices.
They found that, as in the ArcaneDoor campaign, the threat actor exploited multiple zero-day vulnerabilities and used advanced evasion techniques: disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis.
“During our forensic analysis of confirmed compromised devices, in some cases, Cisco has observed the threat actor modifying ROMMON to allow for persistence across reboots and software upgrades,” the company shared.
ROMMON is the low-level bootstrap program stored in ROM that runs before the ASA operating system image is loaded. An implant placed there is executed before, and independently of, the software image, which is why it survives reboots and upgrades. On platforms with Secure Boot and a Trust Anchor module, the boot chain verifies firmware before executing it, so an unauthorized ROMMON modification is designed to be rejected at boot.
Cisco has observed these modifications only on ASA 5500-X Series platforms released before Secure Boot and Trust Anchor technologies were introduced: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X.
More recent ASA 5500-X Series models, which support those technologies, have not been compromised via the zero-days and have not had their ROMMON modified, Cisco noted. There is also no evidence that any device running Cisco Secure Firewall Threat Defense (FTD) Software has been successfully compromised.
Steps to take
Cisco has recommended actions that organizations running vulnerable devices should take, and the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering US federal agencies to:
- Identify all instances of Cisco ASA and Cisco Firepower devices in operation
- Collect and transmit memory files to CISA for forensic analysis by 11:59 p.m. EST on Sept. 26 (this step precedes patching, since an upgrade or reboot destroys the volatile evidence)
- Apply the patches provided by Cisco and disconnect end-of-support devices
- Hunt for compromised accounts
Detailed instructions for each step are provided in the directive.
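The first step of that procedure, identifying which devices matter most, is where the details above combine: the pre-Secure-Boot models on which ROMMON tampering was seen, and whether the VPN web server that both exploited CVEs live in is enabled. The following is an added example, not Cisco, CISA or NCSC tooling, that triages one ASA from the text of `show version` and `show running-config`. The `webvpn` / `enable <interface>` check is an assumption about common ASA configuration syntax (Cisco's advisories remain the authority on vulnerable configurations), the priority labels are this example's own, and the sample command output is constructed, not captured from a real device.

```python
"""Inventory triage for the Cisco ASA campaign described above.

Added example, not Cisco, CISA or NCSC tooling.  Given the text of
`show version` and `show running-config` from an ASA, it reports whether
the platform is one of the pre-Secure-Boot ASA 5500-X models on which Cisco
observed ROMMON modification, and whether the VPN web server appears to be
enabled (the component both exploited CVEs live in).  The config lines used
for the second check are an assumption about common ASA syntax; Cisco's
advisories are the authority on which configurations are vulnerable.
"""
import re

# Models Cisco named as released before Secure Boot and Trust Anchor (from the article).
PRE_SECURE_BOOT_MODELS = ("5512", "5515", "5525", "5545", "5555", "5585")

HARDWARE_RE = re.compile(r"^Hardware:\s+([^,\s]+)", re.MULTILINE)
VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version\s+(\S+)")


def parse_show_version(text):
    """Return (model, version) from `show version` output; None where not found."""
    hw = HARDWARE_RE.search(text)
    ver = VERSION_RE.search(text)
    return (hw.group(1) if hw else None, ver.group(1) if ver else None)


def is_pre_secure_boot(model):
    """True for hardware strings such as 'ASA5525' or 'ASA5585-SSP-10'."""
    return model is not None and any(model.startswith("ASA" + n) for n in PRE_SECURE_BOOT_MODELS)


def vpn_web_enabled(config):
    """Heuristic: the top-level `webvpn` block contains `enable <interface>`.

    Assumes the usual ASA running-config layout (block members indented by
    whitespace); nested `webvpn` sections under group-policy are ignored.
    """
    in_webvpn = False
    for line in config.splitlines():
        if re.match(r"^webvpn\s*$", line):
            in_webvpn = True
            continue
        if in_webvpn:
            if line and not line[0].isspace():
                in_webvpn = False  # left the webvpn block
            elif re.match(r"^\s+enable\s+\S+", line):
                return True
    return False


def triage(show_version, running_config):
    """Classify one device and return the evidence used for the decision."""
    model, version = parse_show_version(show_version)
    legacy = is_pre_secure_boot(model)
    exposed = vpn_web_enabled(running_config)
    if legacy and exposed:
        priority = "P1"  # legacy platform with VPN web server: collect memory first, then check ROMMON
    elif exposed:
        priority = "P2"  # VPN web server reachable: patch and hunt
    elif legacy:
        priority = "P3"  # legacy platform, no VPN web server found: verify config, plan replacement
    else:
        priority = "P4"  # no exposure indicator in the supplied output: still patch
    return {"model": model, "version": version, "legacy_platform": legacy,
            "vpn_web_enabled": exposed, "priority": priority}


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
"""
SAMPLE_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
webvpn
 enable outside
 anyconnect enable
group-policy GroupPolicy_vpn internal
group-policy GroupPolicy_vpn attributes
 webvpn
  anyconnect keep-installer installed
"""
SAMPLE_SHOW_VERSION_NEW = """\
Cisco Adaptive Security Appliance Software Version 9.18(4)
Hardware:   FPR-2110, 6619 MB RAM, CPU MIPS 1200 MHz, 1 CPU (6 cores)
"""
SAMPLE_CONFIG_NO_VPN = """\
hostname core-fw
interface Ethernet1/1
 nameif outside
 security-level 0
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect keep-installer installed
"""

if __name__ == "__main__":
    for sv, cfg in ((SAMPLE_SHOW_VERSION, SAMPLE_CONFIG),
                    (SAMPLE_SHOW_VERSION_NEW, SAMPLE_CONFIG_NO_VPN)):
        print(triage(sv, cfg))
```

Feed it the saved output of the two commands for each device in the inventory; a P1 result is the case where the ordering in the directive matters most, because memory and ROMMON evidence on those platforms is lost once the device is upgraded or rebooted.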
The UK National Cyber Security Centre has shared its analysis of the malware the attackers used:
- RayInitiator – a persistent multi-stage bootkit that survives reboots and firmware upgrades
- LINE VIPER – a user-mode shellcode loader with associated modules, capable of executing CLI commands, performing packet captures, bypassing AAA for actor devices, suppressing syslog messages, harvesting user CLI commands and forcing a delayed reboot
The NCSC has also published scripts for detecting both.
“The RayInitiator and LINE VIPER malware represents a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection,” the NCSC noted.
“Organisations are urged to follow Cisco’s recommended remediation advice, including applying security updates, and to report any evidence of compromise to the NCSC. As some Cisco ASA 5500-X series models will be out of support from September 2025 and August 2026, the NCSC strongly recommends, where practicable, such devices should be replaced or upgraded.”