Customer Advisory: Cisco ASA Vulnerabilities Under Active Exploitation

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 8 minutes

Cisco ASA – CVE-2025-20333 – CVE-2025-20362 – UAT4356 – Storm-1849 – ArcaneDoor – RayInitiator – LINE VIPER – VPN Web Server – Remote Code Execution – Unauthorized Access Vulnerability – Espionage

The Bottom Line

The advanced threat actor tracked as UAT4356 (Microsoft's Storm-1849), responsible for the ArcaneDoor campaign, is actively exploiting two Cisco zero-day vulnerabilities in an ongoing espionage campaign against critical perimeter network devices. The exploited flaws, CVE-2025-20333 (CVSS 9.9, Remote Code Execution) and CVE-2025-20362 (CVSS 6.5, Unauthorized Access), affect the VPN web server in Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software. Neither flaw alone gives an outsider code execution: the actor chains the unauthenticated access of CVE-2025-20362 with the credentialed RCE of CVE-2025-20333 to bypass the authentication check and take complete control of vulnerable ASA platforms without valid credentials. Successful exploitation of a highly trusted perimeter security appliance presents an immediate, unacceptable risk to network integrity and corporate data.

Following successful network perimeter compromise, the ArcaneDoor actor implants sophisticated, multi-stage malware. The persistence mechanism relies on RayInitiator, a GRUB bootkit flashed directly to the device’s ROM Monitor (ROMMON). This deep persistence ensures the malware survives device reboots and software upgrades. The compromise specifically targets Cisco ASA 5500-X Series platforms, older models lacking critical hardware defenses such as Secure Boot and Trust Anchor technologies, making them susceptible to these low-level modifications. This capability demonstrates significant actor sophistication and dedicated expertise regarding Cisco ASA platform internals.

The resulting malware, LINE VIPER, provides the actor modular capability for post-compromise espionage activities. Its capabilities include harvesting user command line interface (CLI) commands, bypassing Authentication, Authorization, and Accounting (AAA) checks for actor-controlled devices, and conducting hidden packet captures on sensitive protocols like RADIUS and LDAP. The actor employs extensive anti-forensic techniques, including deliberately disabling logging, suppressing specific syslog messages, intercepting CLI commands, and intentionally crashing devices to hinder forensic analysis and investigation efforts. This activity grants the attacker root privileges on network entry and exit points, enabling potential widespread credential access and unauthorized data exfiltration, fundamentally compromising the security trust boundary.

Organizational strategy must prioritize urgent remediation. Cisco strongly recommends immediate upgrading to fixed software releases for a long-term resolution. Given the severe risk, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 25-03, mandating federal agencies identify all vulnerable devices, conduct forensic analysis, and disconnect end-of-support (EoS) devices immediately. Security posture requires migrating end-of-life technology promptly to modern versions supporting Secure Boot and Trust Anchors to address inherent risks and strengthen resilience. If compromise is suspected or confirmed on any affected Cisco firewall device, treat all configuration elements of the device as fully untrusted.

The Rundown

The ArcaneDoor campaign leverages two zero-day vulnerabilities in the VPN web server of Cisco ASA Software and FTD Software. CVE-2025-20333, rated Critical with a CVSS score of 9.9, is a Remote Code Execution (RCE) vulnerability caused by improper validation of user-supplied input in HTTP(S) requests; a remote attacker holding valid VPN user credentials can execute arbitrary code as root on the device. CVE-2025-20362, rated Medium with a CVSS score of 6.5, is an Unauthorized Access vulnerability that also stems from improper input validation and lets an unauthenticated, remote attacker reach restricted URL endpoints. Chaining the two removes the credential requirement: the unauthenticated endpoint access of CVE-2025-20362 provides the path to the code path vulnerable to CVE-2025-20333, which is why the medium-rated flaw matters as much as the critical one and why both must be patched together.

  • CVE-2025-20333: Cisco ASA and FTD Software VPN Web Server Remote Code Execution.
    • Technical Nature: This vulnerability, holding a Critical CVSS score of 9.9, results from improper validation of user-supplied input in HTTP(S) requests.
    • Exploitation Requirement: A remote attacker must hold valid VPN user credentials (or reach the vulnerable code through CVE-2025-20362). Successful exploitation yields arbitrary code execution as root and complete device compromise.
  • CVE-2025-20362: Cisco ASA and FTD Software VPN Web Server Unauthorized Access
    • Technical Nature: Rated Medium with a CVSS score of 6.5, this flaw stems from improper validation of user-supplied input in HTTP(S) requests.
    • Exploitation Requirement: An unauthenticated, remote attacker can exploit this weakness by sending crafted HTTP requests, gaining access to restricted URL endpoints.


Analysis

UAT4356, also tracked as Storm-1849 and responsible for the ArcaneDoor campaign, is an advanced threat actor focused on espionage that deliberately targets perimeter network devices as initial intrusion points. Successful exploitation of this vulnerability chain grants the actor RCE as root and lets it rewrite the device's boot firmware (ROMMON) to establish deep persistence. This campaign compromises specific Cisco ASA 5500-X Series models: older platforms lacking hardware support for Secure Boot and Trust Anchor technologies, so nothing verifies the boot code and persistent firmware modification goes undetected. The attacker installs RayInitiator, a persistent, multi-stage GRUB bootkit flashed directly to the ROMMON. RayInitiator survives reboots and software upgrades, a technique requiring dedicated expertise in ASA platform internals and demonstrating high actor sophistication.

RayInitiator’s core mission is bootstrapping the second-stage user-mode malware, LINE VIPER, into memory. LINE VIPER is a modular shellcode loader that deploys payloads enabling extensive post-compromise espionage, with tasking often hidden inside WebVPN client authentication requests so that it blends into legitimate VPN traffic. The actor leverages advanced defense evasion techniques: selectively suppressing specific syslog messages to hide malicious behavior, intercepting CLI commands, and intentionally crashing devices to hinder forensic diagnosis. Root compromise of a security boundary of this kind means the attacker controls the ingress and egress of the corporate network.

The functional payloads within LINE VIPER pose unacceptable business risk because they focus on credential theft and persistence expansion. Specific capabilities include hidden packet captures on authentication protocols such as RADIUS, LDAP, and TACACS+, traffic that carries credentials and directory data valuable for lateral movement. LINE VIPER also bypasses VPN AAA checks for connections originating from actor-controlled devices, effectively granting hidden, unauthorized network access. C2 traffic is encrypted with symmetric AES keys that are exchanged under a per-victim RSA public key, so captured sessions cannot be decrypted with material recovered from another victim. LINE VIPER receives tasking over HTTPS WebVPN sessions or via ICMP and sends responses over raw TCP, maintaining covert channels capable of exfiltrating harvested CLI commands and captured network data.
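The syslog suppression described above is invisible on the appliance itself, but it leaves a trace off the device: message IDs that a firewall emitted steadily stop arriving at the collector while its other traffic continues. The Python below is an added example of that check (it is not code from the advisory, Cisco, NCSC or Deepwatch). The sample log lines are constructed, and the set of audit-relevant message IDs is an assumption, since the source material does not say which messages the actor suppresses.

```python
"""Flag Cisco ASA syslog message IDs that go silent relative to a baseline.

Added example for this advisory; not code from Cisco, NCSC or Deepwatch.
LINE VIPER suppresses selected syslog messages on the appliance, so the
signal available to a SIEM is absence: IDs the same device sent steadily
in an earlier window are missing while other traffic from it continues.
All log lines below are constructed for the example.
"""
import re
from collections import Counter, defaultdict

# "<date> <time> <hostname> : %ASA-<severity>-<message-id>: <text>"
ASA_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Assumption: IDs worth baselining for this campaign (CLI command audit,
# AAA results, management logins, WebVPN session start). The advisory
# does not list which messages the actor suppresses.
AUDIT_IDS = {"111008", "111010", "113004", "113005", "605004", "605005", "716001"}


def parse(line):
    """Return the fields of one ASA syslog line, or None if it is not one."""
    m = ASA_LINE.match(line)
    return m.groupdict() if m else None


def count_ids(lines):
    """Map hostname -> Counter of message IDs seen in these lines."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec:
            counts[rec["host"]][rec["msgid"]] += 1
    return counts


def find_suppressed(baseline, current, min_baseline=5, audit_only=True):
    """Return {host: [msgid, ...]} for IDs steady in the baseline but absent now.

    Both windows should cover the same length of time. A host missing from
    the current window entirely is a dead log source (a separate alert), so
    it is skipped here rather than reported as suppression.
    """
    findings = {}
    for host, base in baseline.items():
        cur = current.get(host)
        if not cur:
            continue
        missing = sorted(
            mid for mid, n in base.items()
            if n >= min_baseline
            and cur.get(mid, 0) == 0
            and (not audit_only or mid in AUDIT_IDS)
        )
        if missing:
            findings[host] = missing
    return findings


def _mk(host, day, hour, sev, msgid, text):
    """Build one constructed ASA syslog line (sample data, not a real capture)."""
    return f"Sep {day} 2025 {hour:02d}:00:00 {host} : %ASA-{sev}-{msgid}: {text}"


# Constructed sample: in the baseline window both firewalls log CLI commands
# and admin logins every hour; in the current window asa-edge-1 still builds
# connections, but its command-audit and login messages have vanished.
BASELINE, CURRENT = [], []
for hour in range(8):
    for host in ("asa-edge-1", "asa-edge-2"):
        BASELINE += [
            _mk(host, 22, hour, 5, "111008", "User 'netops' executed the 'show version' command."),
            _mk(host, 22, hour, 6, "605005", "Login permitted from 10.0.0.5/51022 to inside:10.0.0.1/ssh for user 'netops'"),
            _mk(host, 22, hour, 6, "302013", "Built inbound TCP connection 8841 for outside:198.51.100.7/44310 to dmz:10.1.1.10/443"),
        ]
        CURRENT.append(_mk(host, 26, hour, 6, "302013", "Built inbound TCP connection 9120 for outside:198.51.100.9/50211 to dmz:10.1.1.10/443"))
    CURRENT += [
        _mk("asa-edge-2", 26, hour, 5, "111008", "User 'netops' executed the 'show interface' command."),
        _mk("asa-edge-2", 26, hour, 6, "605005", "Login permitted from 10.0.0.5/51100 to inside:10.0.0.2/ssh for user 'netops'"),
    ]


def demo():
    """Run the comparison over the constructed windows."""
    return find_suppressed(count_ids(BASELINE), count_ids(CURRENT))


if __name__ == "__main__":
    for host, ids in demo().items():
        print(f"{host}: baseline message IDs now silent: {', '.join(ids)}")
```

The comparison is deliberately per device and per message ID rather than on total volume, because the actor suppresses specific messages while connection logging keeps flowing; a volume-only monitor would see a healthy log source. A maintenance window or an intentional `no logging message` change produces the same signal, so the alert should pair with change records before anyone treats it as a compromise indicator.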

Actions & Recommendations

Organizations must take immediate, decisive action to prevent and protect against exploitation of these critical Cisco ASA and FTD vulnerabilities by the ArcaneDoor threat actor. This requires prioritizing remediation, managing end-of-life (EoL) infrastructure, and preparing robust incident response procedures.

Deepwatch experts continuously monitor for threats to our customers and their environments. Based on our intelligence analysis of the source material, the Adversary Tactics and Intelligence team may develop and update detection signatures and add malicious observables to our indicator feeds. We recommend the following actions to enhance cyber resilience:

  • Apply Fixed Software Releases. Upgrade affected Cisco Secure Firewall ASA Software and FTD Software to fixed releases. Utilize the Cisco Software Checker tool to determine system exposure and identify the correct fixed software.
  • Implement Temporary Mitigation. If immediate patching proves impossible, disable all SSL/TLS-based VPN web services. This includes disabling all SSL VPN services as well as IKEv2 client services utilized for client endpoint software and profile updates.
  • Secure Credentials Post-Patching. Rotate all passwords, certificates, and keys following the successful application of fixed updates.
  • Accelerate Migration. Promptly migrate systems and devices utilizing EoL technology to modern, supported versions. This action strengthens resilience and addresses inherent platform vulnerabilities.
  • Decommission Unsupported Devices. Immediately identify and permanently disconnect all end-of-support Cisco ASA hardware models.
  • Perform Forensic Analysis. Collect forensic artifacts and assess compromise using vendor guidance and CISA-provided procedures and tools.
  • Configure Threat Detection. Review the Cisco Secure Firewall ASA Firewall CLI Configuration Guide after installing a fixed release. This step provides guidance on enabling protections against remote access VPN login authentication attacks, client initiation attacks, and invalid VPN service connection attempts.
  • Execute Core Dumps and Hunt Instructions. Follow CISA’s step-by-step Core Dump and Hunt Instructions. If the analysis detects compromise, immediately disconnect the device from the network (do not power it off) and report the incident.
  • Investigate Anti-Forensic Indicators. If a device immediately reboots following a core dump attempt prior to patching, this indicates potential malware deployment (LINE VIPER). If a core dump is successful, investigate for evidence of the RayInitiator bootkit, specifically looking for modifications to the WebVPN XML element handler table.
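As an added example (not a Cisco, CISA or Deepwatch tool), the Python below turns the patching, decommissioning and exposure points above into a repeatable triage pass over saved show version and show running-config output: running release versus the first fixed release for its train, 5500-X hardware, and whether the VPN web server is actually enabled. The fixed-release table is an assumption with illustrative values that must be confirmed against the Cisco Software Checker before use; the device output is constructed.

```python
"""Triage a Cisco ASA from saved 'show version' and 'show running-config' text.

Added example for this advisory; not a Cisco, CISA or Deepwatch tool.
It answers three questions: is the running release below the first fixed
release for its train, is the hardware a 5500-X model (no Secure Boot /
Trust Anchor, end of support), and is the VPN web server enabled. The
exposure check mirrors the two services the mitigation above names (SSL
VPN and IKEv2 client services); other features that enable the web server
are not covered. All device output below is constructed.
"""
import re

# Assumption: first fixed ASA release per train as (major, minor, maint, interim).
# Illustrative values only; verify each entry with the Cisco Software Checker
# and add the trains you run. Trains absent from the table are reported as unknown.
FIXED_RELEASES = {
    "9.16": (9, 16, 4, 85),
    "9.18": (9, 18, 4, 67),
    "9.20": (9, 20, 4, 10),
    "9.22": (9, 22, 2, 14),
}

# ASA 5500-X models named in the advisory as lacking Secure Boot / Trust Anchor.
ASA_5500X = {"ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585"}

VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")
HARDWARE_RE = re.compile(r"^Hardware:\s+([^,\s]+)", re.M)
IKEV2_CLIENT_RE = re.compile(r"^crypto ikev2 enable \S+ client-services\b")


def parse_version(show_version):
    """'Software Version 9.16(4)67' -> (9, 16, 4, 67); a missing interim build is 0."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no ASA software version line found")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def parse_hardware(show_version):
    """Model token from the 'Hardware:' line, e.g. 'ASA5525' or 'ASA5585-SSP-10'."""
    m = HARDWARE_RE.search(show_version)
    return m.group(1) if m else None


def is_5500x(model):
    return model is not None and model.split("-")[0] in ASA_5500X


def vpn_web_server_enabled(running_config):
    """True if SSL VPN is enabled on any interface or IKEv2 client services are on."""
    in_webvpn = False
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):            # top-level command
            in_webvpn = line.strip() == "webvpn"
            if IKEV2_CLIENT_RE.match(line.strip()):
                return True
        elif in_webvpn and line.strip().startswith("enable "):
            return True                          # 'webvpn' / ' enable <iface>'
    return False


def triage(show_version, running_config):
    """Summarise exposure; below_fixed is None when the train is not in the table."""
    version = parse_version(show_version)
    model = parse_hardware(show_version)
    fixed = FIXED_RELEASES.get(f"{version[0]}.{version[1]}")
    return {
        "version": version,
        "model": model,
        "below_fixed": None if fixed is None else version < fixed,
        "legacy_5500x": is_5500x(model),
        "vpn_web_server": vpn_web_server_enabled(running_config),
    }


# Constructed device output (not real captures).
SHOW_VERSION_OLD = """\
Cisco Adaptive Security Appliance Software Version 9.16(4)67
Device Manager Version 7.18(1)

asa-edge-1 up 120 days 3 hours

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""
CONFIG_EXPOSED = """\
hostname asa-edge-1
interface GigabitEthernet0/0
 nameif outside
webvpn
 enable outside
 anyconnect enable
"""
SHOW_VERSION_NEW = """\
Cisco Adaptive Security Appliance Software Version 9.20(4)12
Hardware:   FPR-2130, 16384 MB RAM
"""
CONFIG_NO_VPN = """\
hostname asa-core-1
interface GigabitEthernet0/0
 nameif outside
crypto ikev2 enable outside
"""

if __name__ == "__main__":
    for name, (sv, cfg) in {"asa-edge-1": (SHOW_VERSION_OLD, CONFIG_EXPOSED),
                            "asa-core-1": (SHOW_VERSION_NEW, CONFIG_NO_VPN)}.items():
        print(name, triage(sv, cfg))
```

A device that reports below_fixed=False is patched, not clean: if it ran an exposed release while the VPN web server was enabled, the core-dump and hunt steps above still apply, and any finding of legacy_5500x=True is a disconnect decision under ED 25-03 rather than an upgrade ticket. Pull the output over an out-of-band path where possible, since the actor intercepts CLI commands on a compromised appliance.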

While dedicated use cases for these specific vulnerabilities are still being assessed as more technical details emerge, the Deepwatch MDR platform already provides layered coverage designed to identify similar exploitation of firewall devices at multiple stages of an attack, alerting on activity such as anomalous logons, lateral movement, and internal discovery.

  • Anomalous Authentication and Access. Deepwatch monitors for and alerts on a wide range of suspicious authentication events and high-risk patterns.
  • Exploitation and Intrusion Attempts. Our analytics can detect behavior which is indicative of an attacker attempting to exploit vulnerabilities on network devices. This includes identifying potential adversarial attempts against firewalls and other perimeter devices.
  • Post-Compromise Activity. In the event an attacker successfully compromises a device, our detections are designed to identify subsequent malicious behavior and post-exploitation techniques.

Deepwatch detections provide visibility into common post-exploitation techniques helping to quickly identify and address a threat actor within the environment. More information on Deepwatch’s detections and technical artifacts for this threat can be found on our Customer Security Portal.

Source Material: CISA, NCSC, Cisco, NCSC Malware Report
