The **U.K. National Cyber Security Centre (NCSC)** disclosed that state-sponsored threat actors (**UAT4356/Storm-1849**, linked to China) exploited zero-day vulnerabilities (**CVE-2025-20362**, **CVE-2025-20333**) in Cisco ASA 5500-X Series firewalls to deploy previously undocumented malware (**RayInitiator**, **LINE VIPER**). The attack targeted multiple government agencies, enabling persistent access, command execution, data exfiltration, and forensic evasion by modifying the ROMMON bootloader and disabling logging. The compromised devices, end-of-support (EoS) models lacking Secure Boot, were vulnerable to full system takeover, including root-level arbitrary code execution. The campaign demonstrated advanced operational security, with malware designed to survive reboots, suppress syslogs, and bypass VPN authentication. While no direct evidence confirmed large-scale data breaches, the targeting of government infrastructure and the use of nation-state tools suggest high strategic impact, potentially threatening national security, critical services, and diplomatic stability. The attack's sophistication and persistence mechanisms indicate long-term espionage or sabotage intent, with risks extending beyond Cisco to broader supply-chain and geopolitical consequences.
Source: https://thehackernews.com/2025/09/cisco-asa-firewall-zero-day-exploits.html
TPRM report: https://www.rankiteo.com/company/cisco
"id": "cis5262052092625",
"linkid": "cisco",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': 'Public sector',
'location': ['United Kingdom',
'Canada (advisory issued)'],
'name': 'Multiple government agencies (unspecified)',
'type': 'Government'},
{'customers_affected': 'Users of Cisco ASA 5500-X '
'Series devices',
'industry': 'Networking/IT Security',
'location': 'Global',
'name': 'Cisco Systems',
'size': 'Large enterprise',
'type': 'Corporation'}],
'attack_vector': ['Exploitation of CVE-2025-20362 (CVSS 6.5)',
'Exploitation of CVE-2025-20333 (CVSS 9.9)',
'Multi-stage bootkit (RayInitiator)',
'User-mode shellcode loader (LINE VIPER)',
'ROMMON modification for persistence',
'WebVPN/HTTPS and ICMP/TCP C2 communication'],
'customer_advisories': ['Cisco PSIRT notifications',
'Public security bulletins'],
'data_breach': {'data_exfiltration': ['Likely (via LINE VIPER C2 channels)'],
'sensitivity_of_data': ['High (government agencies targeted)',
'Potential classified information'],
'type_of_data_compromised': ['VPN authentication data',
'CLI command history',
'Network packet captures',
'Potential government data']},
'date_detected': '2025-05',
'date_publicly_disclosed': '2025-09-25',
'description': 'The U.K. National Cyber Security Centre (NCSC) revealed that '
'threat actors (suspected China-linked hacking group '
'UAT4356/Storm-1849, aka ArcaneDoor) exploited zero-day '
'vulnerabilities in Cisco ASA 5500-X Series firewalls to '
'deploy previously undocumented malware families (RayInitiator '
'and LINE VIPER). The campaign targeted government agencies, '
'leveraging memory corruption bugs (CVE-2025-20362, '
'CVE-2025-20333) to bypass authentication, execute commands, '
'and exfiltrate data. The attackers used advanced evasion '
'techniques, including disabling logging, intercepting CLI '
'commands, and crashing devices to hinder analysis. '
'Persistence was achieved via ROMMON modifications on devices '
'lacking Secure Boot/Trust Anchor. A third critical flaw '
'(CVE-2025-20363) was patched but not exploited in the wild.',
'impact': {'brand_reputation_impact': ['Potential loss of trust in Cisco ASA '
'security products',
'Government agencies targeted'],
'data_compromised': ['Potential exfiltration from government '
'agencies',
'VPN credentials (via AAA bypass)',
'CLI commands (harvested)',
'Packet captures'],
'downtime': ['Intentional device crashes to evade analysis',
'Delayed reboots triggered by LINE VIPER'],
'identity_theft_risk': ['Potential risk if VPN credentials were '
'exfiltrated'],
'operational_impact': ['Compromised firewall integrity',
'Bypassed authentication (AAA)',
'Suppressed syslog messages',
'Modified CLI commands (e.g., copy, '
'verify)'],
'systems_affected': ['Cisco ASA 5500-X Series (5512-X, 5515-X, '
'5525-X, 5545-X, 5555-X, 5585-X)',
'Devices running Cisco ASA Software 9.12 or '
'9.14 with VPN web services enabled']},
'initial_access_broker': {'backdoors_established': ['RayInitiator (GRUB '
'bootkit)',
'LINE VIPER (shellcode '
'loader)',
'ROMMON modifications'],
'entry_point': ['CVE-2025-20362 and CVE-2025-20333 '
'in Cisco ASA VPN web services'],
'high_value_targets': ['Government agencies',
'VPN authentication systems',
'CLI command history']},
'investigation_status': 'Ongoing (as of 2025-09-25)',
'lessons_learned': ['End-of-support (EoS) devices pose significant risks even '
'if functional',
'Advanced threat actors leverage multi-stage malware '
'(bootkits + shellcode loaders) to evade detection',
'Persistence mechanisms (e.g., ROMMON modifications) can '
'survive reboots/upgrades on legacy hardware',
'VPN web services are a high-value target for APT groups',
'Secure Boot/Trust Anchor technologies are critical for '
'mitigating firmware-level attacks'],
'motivation': ['Espionage',
'Data exfiltration',
'Persistence in government networks'],
'post_incident_analysis': {'corrective_actions': ['Accelerated EoS timelines '
'for vulnerable devices',
'Enhanced firmware '
'integrity checks in ASA '
'software',
'Improved detection for '
'bootkit-level persistence',
'Collaboration with '
'NCSC/CCCS for threat '
'intelligence sharing'],
'root_causes': ['Exploitation of unpatched '
'zero-day vulnerabilities in '
'legacy devices',
'Lack of Secure Boot/Trust Anchor '
'on ASA 5500-X Series',
'Use of end-of-support hardware in '
'critical infrastructure',
'Insufficient logging/monitoring '
'for advanced evasion techniques']},
'recommendations': ['Immediately patch CVE-2025-20362, CVE-2025-20333, and '
'CVE-2025-20363',
'Replace end-of-support Cisco ASA 5500-X Series devices',
'Enable Secure Boot and Trust Anchor on supported devices',
'Disable VPN web services if not essential',
'Monitor for unusual CLI command activity or syslog '
'suppression',
'Deploy network segmentation to limit lateral movement',
'Conduct forensic analysis of ASA firmware for signs of '
'RayInitiator/LINE VIPER',
'Implement behavioral detection for ICMP/TCP and WebVPN '
'C2 traffic'],
'references': [{'date_accessed': '2025-09-25',
'source': 'U.K. National Cyber Security Centre (NCSC)'},
{'date_accessed': '2025-09',
'source': 'Cisco Security Advisory'},
{'date_accessed': '2025-09',
'source': 'Canadian Centre for Cyber Security Advisory'}],
'regulatory_compliance': {'regulatory_notifications': ['U.K. NCSC advisory '
'(2025-09-25)',
'Canadian Centre for '
'Cyber Security '
'advisory']},
'response': {'communication_strategy': ['Public advisories by NCSC '
'(2025-09-25)',
'Cisco security bulletins',
'Canadian Centre for Cyber Security '
'alerts'],
'containment_measures': ['Cisco patches for CVE-2025-20362, '
'CVE-2025-20333, CVE-2025-20363',
'Urgent advisories for updates',
'Disabling VPN web services on '
'vulnerable devices'],
'enhanced_monitoring': ['Recommended for ASA/FTD devices'],
'incident_response_plan_activated': True,
'remediation_measures': ['Firmware analysis to detect '
'RayInitiator/LINE VIPER',
'Replacement of end-of-support (EoS) '
'devices',
'Implementation of Secure Boot/Trust '
'Anchor on newer models'],
'third_party_assistance': ['U.K. National Cyber Security Centre '
'(NCSC)',
'Canadian Centre for Cyber Security']},
'stakeholder_advisories': ['Urgent patching recommended for all affected '
'organizations',
'Government agencies advised to audit ASA devices'],
'threat_actor': ['ArcaneDoor',
'UAT4356',
'Storm-1849',
'Suspected China-linked state-sponsored group'],
'title': 'Exploitation of Cisco Firewall Zero-Day Vulnerabilities by '
'ArcaneDoor (UAT4356/Storm-1849) to Deploy RayInitiator and LINE '
'VIPER Malware',
'type': ['Zero-day exploitation',
'Malware deployment (RayInitiator, LINE VIPER)',
'Advanced Persistent Threat (APT)',
'Supply chain risk (end-of-support devices)'],
'vulnerability_exploited': ['CVE-2025-20362 (Memory corruption in Cisco ASA '
'Software)',
'CVE-2025-20333 (Authentication bypass in Cisco '
'ASA Software)',
'Lack of Secure Boot/Trust Anchor in ASA 5500-X '
'Series',
'End-of-support (EoS) devices (ASA 5500-X '
'Series)']}