Actively Exploited Cisco ASA / FTD Zero-Days (ArcaneDoor Campaign)
September 30th, 2025
Critical

Our Cyber Threat Intelligence Unit has identified an active campaign targeting Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) platforms. Cisco attributes the activity to the ArcaneDoor actor (tracked by Cisco Talos as UAT4356), which has previously been linked to state-sponsored espionage against perimeter devices. Two vulnerabilities, CVE-2025-20333 and CVE-2025-20362, have been exploited in the wild, giving attackers unauthorized access to internet-facing VPN/web services and remote code execution on the appliance. Exploitation has led to the deployment of RayInitiator (a persistent GRUB bootkit) and LINE VIPER (a user-mode loader), giving adversaries stealthy, durable footholds on compromised appliances. In response, CISA issued Emergency Directive 25-03 on September 25, 2025, requiring federal agencies to identify, forensically collect from, and remediate affected devices on a short deadline. Cisco also disclosed CVE-2025-20363, a critical web services RCE affecting ASA/FTD and some IOS-family platforms. CVE-2025-20363 has not been observed under exploitation, but it widens the same perimeter-device attack surface and should be patched alongside the other two.
Technical Details
Attack Type: Remote code execution, followed by implantation of a persistent bootkit and an in-memory loader.
Severity: Critical.
Vulnerabilities & Exploitation:
CVE-2025-20333: VPN web server RCE. Requires authenticated access (valid VPN credentials). CVSS: 9.9 (Critical).
CVE-2025-20362: Missing authorization to restricted VPN endpoints (i.e., unauthorized access). An unauthenticated attacker can reach otherwise protected URLs. CVSS: 6.5 (Medium).
CVE-2025-20363: Web services RCE. Exploitable without authentication on ASA/FTD; on IOS/IOS XE/IOS XR, low-privilege authentication is required. CVSS: 9.0 (Critical).
Cisco has confirmed that CVE-2025-20333 and CVE-2025-20362 are actively exploited in the wild; CVE-2025-20363 is published but has not yet been observed under exploitation. Public reporting describes the first two as chained in practice: CVE-2025-20362 gives an unauthenticated attacker reach to the restricted VPN endpoints, removing the credential requirement that CVE-2025-20333 would otherwise impose. Defenders should therefore treat the pair as an unauthenticated remote code execution path rather than rely on the individual CVSS scores.
Malware & Persisting Mechanisms:
RayInitiator: A GRUB bootkit written to the bootloader of ASA 5500-X appliances that lack Secure Boot and Trust Anchor. Because nothing on those platforms verifies the boot chain, it survives reboots and software upgrades and stages LINE VIPER into memory on each boot.
LINE VIPER: A user-mode shellcode loader loaded into memory by RayInitiator.
It listens for commands over WebVPN client-authenticated sessions (HTTPS) or via ICMP (with responses over raw TCP).
Capabilities include: suppressing syslog messages, harvesting or hiding CLI commands entered by administrators, executing arbitrary CLI commands, bypassing AAA for VPN authentication, performing packet captures, and invoking device configuration functions.
Cisco reports that the actor modified ROMMON / boot sequence logic on ASA 5500-X devices (the GRUB bootkit tracked as RayInitiator) to persist through reboots and software upgrades. In several intrusions the adversary also disabled or tampered with logging, intercepted CLI calls, and deliberately crashed devices to prevent diagnostic analysis and frustrate forensics.
Components Affected: Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) web/VPN services (and in some cases Cisco IOS variants for related web services).

Impact
Complete compromise of edge firewalls: Remote code execution and access without valid credentials on the device that enforces the perimeter.
Stealthy Persistence: Implants survive reboots/firmware upgrades and disable logging/telemetry.
Network Exposure: Attackers gain privileged access to internal traffic flows for reconnaissance, lateral movement, and exfiltration.
Operational Disruption: VPN/remote access downtime, exposure of sensitive traffic, regulatory and reputational fallout.
Detection Method
Inventory & exposure check: Identify internet-facing ASA/FTD/IOS devices, record the running software release, and verify it against Cisco's list of affected and fixed releases (for example with the Cisco Software Checker); flag any device on an End-of-Life ASA 5500-X platform separately, since it cannot be fixed by upgrade alone.
Log anomalies: Monitor for suspicious VPN/web service requests, unusual URL sequences, or log suppression (sudden gaps, dropped syslog).
C2 behaviors: LINE VIPER takes commands over ICMP and answers over raw TCP, so look for ICMP addressed to the firewall itself from external hosts followed shortly by raw TCP from the firewall back to the same host, and for WebVPN sessions that persist beyond normal patterns or originate from unexpected sources.
Malware indicators: Hunt for unauthorized boot modules, modified GRUB sequences, or memory-resident loader activity consistent with RayInitiator/LINE VIPER.
Threat hunting queries: Leverage Unit 42/Tenable/Cisco hunting content (e.g., Cortex XDR/XSIAM queries to surface log-level suppression).
Indicators of Compromise
No indicators of compromise (IOCs) are published with this advisory; rely on the behavioral detections above and on the vendor hunting guidance referenced.

Recommendations
Immediate patching: Upgrade to a fixed release for all ASA/FTD/IOS platforms. Cisco states there are no workarounds for these vulnerabilities, so the access restrictions below reduce exposure but do not remove the flaws.
Temporary mitigations (if patching is delayed): Restrict external access to VPN/web endpoints via ACLs or geo-blocking; consider disabling exposed services with awareness of operational impact.
Compromise assessment: Collect forensic evidence (including core dumps, as ED 25-03 directs) before upgrading or rebooting a suspect device, since both can destroy it; then isolate and image the device, engage Cisco TAC, your national CERT, or a trusted IR partner, and follow the forensic guidance from NCSC and Cisco.
Credential rotation: Reset administrative, VPN, and remote-access credentials after remediation.
Logging resilience: Forward syslogs to external collectors; alert on logging/config changes and monitor for unexplained gaps.
Platform lifecycle: Replace EoL ASA 5500-X hardware lacking Secure Boot and Trust Anchor. These platforms cannot verify their boot chain, so a bootkit such as RayInitiator cannot be reliably removed by reinstalling software, and Cisco does not ship fixes for them.
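The Detection Method section asks for alerting on log suppression and the Logging resilience item above asks for monitoring of logging/config changes and unexplained gaps. The script below is an added example that implements both checks over forwarded ASA syslog; it is not code from this advisory, from Cisco, or from any of the cited vendors. The message layouts follow Cisco's documented %ASA-5-111008 and %ASA-5-111010 formats; the sample lines, the host name fw01, the user name and the addresses are constructed for the example, and the ten-minute silence threshold is an assumption to tune per device.

```python
"""Hunt forwarded ASA syslog for logging suppression and logging tampering.

Added example (not from the advisory, Cisco, or the cited vendors). It runs two
checks: (1) unexplained silence in a device's syslog stream and (2) CLI commands
that remove, redirect or silence logging. Sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: routine traffic, then an admin session from 10.0.0.5
# removes the syslog host and disables trap logging, after which the stream
# goes quiet for 40 minutes before a lone message reappears.
SAMPLE_SYSLOG = """\
Sep 26 2025 10:00:01 fw01 : %ASA-6-302013: Built outbound TCP connection 4001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.21/51522 (10.0.0.21/51522)
Sep 26 2025 10:00:31 fw01 : %ASA-6-302014: Teardown TCP connection 4001 for outside:203.0.113.10/443 to inside:10.0.0.21/51522 duration 0:00:30 bytes 8192 TCP FINs
Sep 26 2025 10:01:02 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'show logging'
Sep 26 2025 10:01:15 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'no logging host inside 10.0.0.50'
Sep 26 2025 10:01:16 fw01 : %ASA-5-111008: User 'admin' executed the 'no logging trap' command.
Sep 26 2025 10:41:40 fw01 : %ASA-6-302013: Built outbound TCP connection 4002 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.21/51530 (10.0.0.21/51530)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$"
)
# %ASA-5-111008: User 'admin' executed the 'no logging trap' command.
CMD_111008_RE = re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.$")
# %ASA-5-111010: User 'admin', running 'CLI' from IP 10.0.0.5, executed 'no logging host ...'
CMD_111010_RE = re.compile(
    r"User '(?P<user>[^']*)', running '[^']*' from IP (?P<src>\S+), executed '(?P<cmd>.*)'$"
)
# Configuration commands that remove, redirect or silence syslog output.
# Read-only commands such as 'show logging' deliberately do not match.
TAMPER_RE = re.compile(
    r"^(no logging\b|clear logging\b|logging (host|trap|enable|buffered|permit-hostdown)\b)"
)


def parse(text):
    """Return one dict per line that matches the ASA syslog format, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                "host": m["host"],
                "msgid": m["msgid"],
                "msg": m["msg"],
            })
    return events


def find_silence_gaps(events, max_silence=timedelta(minutes=10)):
    """Return (last_seen, next_seen, seconds) for every silence longer than max_silence.

    A firewall that normally emits connection messages every few seconds and then
    says nothing for tens of minutes is idle, unplugged, or no longer logging.
    """
    gaps = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for prev, cur in zip(ordered, ordered[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta > max_silence:
            gaps.append((prev["ts"], cur["ts"], int(delta.total_seconds())))
    return gaps


def find_logging_tampering(events):
    """Return (ts, user, source_ip, command) for CLI commands that alter logging."""
    hits = []
    for e in events:
        if e["msgid"] == "111008":
            m = CMD_111008_RE.search(e["msg"])
            src = None  # 111008 carries no source address
        elif e["msgid"] == "111010":
            m = CMD_111010_RE.search(e["msg"])
            src = m["src"] if m else None
        else:
            continue
        if m and TAMPER_RE.match(m["cmd"].strip()):
            hits.append((e["ts"], m["user"], src, m["cmd"]))
    return hits


def analyze(text, max_silence=timedelta(minutes=10)):
    """Run both checks and return a summary suitable for an alert payload."""
    events = parse(text)
    return {
        "events": len(events),
        "gaps": find_silence_gaps(events, max_silence),
        "tampering": find_logging_tampering(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_SYSLOG)
    for start, end, secs in report["gaps"]:
        print(f"silence of {secs}s between {start} and {end}")
    for ts, user, src, cmd in report["tampering"]:
        print(f"{ts} logging changed by {user!r} from {src}: {cmd}")
```

Run it against the export from an external collector rather than the device's own buffer, since an implant that suppresses syslog also controls what `show logging` returns; a silence gap seen at the collector but not on the device is itself a signal. The tampering check fires on the configuration commands, which the device emits before the change takes effect, so it still catches the operator (or implant) that turned logging off even though nothing follows.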
Conclusion
The exploitation of CVE-2025-20333 and CVE-2025-20362 demonstrates increased targeting of perimeter firewalls as potential entry points for espionage. The ArcaneDoor campaign shows how adversaries use stealthy, persistent implants (RayInitiator and LINE VIPER) to maintain long-term access. We urge organizations to prioritize patching, enforce mitigations when immediate updates are not possible, and actively hunt for indicators of exploitation, especially logging suppression and unusual WebVPN/ICMP activity.
References
https://unit42.paloaltonetworks.com/zero-day-vulnerabilities-affect-cisco-software/
https://socradar.io/cisco-asa-ftd-devices-zero-day-cve-2025-20333-20362/
https://www.helpnetsecurity.com/2025/09/26/cisco-asa-zero-day-attacks/
https://www.tenable.com/blog/cve-2025-20333-cve-2025-20362-faq-cisco-asa-ftd-zero-days-uat4356
https://www.securityweek.com/cisco-firewall-zero-days-exploited-in-china-linked-arcanedoor-attacks/