Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware

By The Hacker News
September 26, 2025


The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER.

“The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection,” the agency said.

Cisco on Thursday revealed that it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May 2025 that targeted Adaptive Security Appliance (ASA) 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.

An in-depth analysis of firmware extracted from the infected devices running Cisco Secure Firewall ASA Software with VPN web services enabled ultimately led to the discovery of a memory corruption bug in the product software, it added.

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” the company said.


The activity involves the exploitation of CVE-2025-20362 (CVSS score: 6.5) and CVE-2025-20333 (CVSS score: 9.9) to bypass authentication and execute malicious code on susceptible appliances. The campaign is assessed to be linked to a threat cluster dubbed ArcaneDoor, which was attributed to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849).

Additionally, in some cases, the threat actor is said to have modified ROMMON (short for Read-Only Memory Monitor) – which is responsible for managing the boot process and performing diagnostic tests in ASA devices – to facilitate persistence across reboots and software upgrades. That being said, these modifications have been detected only on Cisco ASA 5500-X Series platforms that lack Secure Boot and Trust Anchor technologies.

Cisco also said the campaign has successfully compromised ASA 5500-X Series models running Cisco ASA Software releases 9.12 or 9.14 with VPN web services enabled, and which do not support Secure Boot and Trust Anchor technologies. All the affected devices have reached end-of-support (EoS) or will reach EoS status within the next week:

  • 5512-X and 5515-X – Last Date of Support: August 31, 2022
  • 5585-X – Last Date of Support: May 31, 2023
  • 5525-X, 5545-X, and 5555-X – Last Date of Support: September 30, 2025
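As an added example (not from the article or from Cisco), the following Python triage compares an ASA inventory against the profile described above: a 5500-X model from the list (no Secure Boot or Trust Anchor, so ROMMON persistence is possible), a 9.12 or 9.14 software train, VPN web services enabled, and the EoS dates given. The inventory records and hostnames are constructed; the `triage` and `version_train` helpers are assumed names.

```python
from datetime import date

# Last date of support per model, as listed in the article (all lack Secure Boot / Trust Anchor).
EOS_DATES = {
    "5512-X": date(2022, 8, 31), "5515-X": date(2022, 8, 31),
    "5585-X": date(2023, 5, 31),
    "5525-X": date(2025, 9, 30), "5545-X": date(2025, 9, 30), "5555-X": date(2025, 9, 30),
}
# ASA software trains the article names as successfully compromised.
TARGETED_TRAINS = {"9.12", "9.14"}


def version_train(version: str) -> str:
    """Reduce an ASA version such as '9.12(4)55' or '9.14.4' to its '9.12'/'9.14' train."""
    base = version.split("(")[0].strip()
    parts = base.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised ASA version: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def triage(device: dict, today: date) -> dict:
    """Compare one inventory record with the campaign profile and list the reasons it matches."""
    reasons = []
    legacy = device["model"] in EOS_DATES  # only page-listed models are assessed for Secure Boot
    if legacy:
        reasons.append("5500-X model without Secure Boot/Trust Anchor: ROMMON persistence possible")
        if EOS_DATES[device["model"]] <= today:
            reasons.append(f"end of support reached {EOS_DATES[device['model']].isoformat()}")
    train = version_train(device["version"])
    targeted = train in TARGETED_TRAINS
    if targeted:
        reasons.append(f"software train {train} named as compromised")
    webvpn = bool(device.get("webvpn_enabled"))
    if webvpn:
        reasons.append("VPN web services enabled: exposed to the authentication-bypass/RCE chain")
    return {"host": device["host"], "full_match": legacy and targeted and webvpn, "reasons": reasons}


# Constructed inventory (hostnames, versions and flags are made up for this example).
INVENTORY = [
    {"host": "edge-fw-1", "model": "5525-X", "version": "9.12(4)55", "webvpn_enabled": True},
    {"host": "edge-fw-2", "model": "5555-X", "version": "9.14(3)18", "webvpn_enabled": False},
    {"host": "dc-fw-1", "model": "5516-X", "version": "9.16(4)", "webvpn_enabled": True},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        result = triage(dev, date(2025, 9, 26))
        print(result["host"], "FULL MATCH" if result["full_match"] else "partial/none", result["reasons"])
```

A partial match (for example a listed model on a different train) is still worth reviewing, since the advisory's fixed releases apply beyond the 9.12/9.14 trains the campaign was seen on.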

Furthermore, the company noted that it has addressed a third critical flaw (CVE-2025-20363, CVSS score: 8.5/9.0) in the web services of Adaptive Security Appliance (ASA) Software, Secure Firewall Threat Defense (FTD) Software, IOS Software, IOS XE Software, and IOS XR Software that could allow a remote attacker to execute arbitrary code on an affected device.

“An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both,” it said. “A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device.”

Unlike CVE-2025-20362 and CVE-2025-20333, there is no evidence that the vulnerability has been exploited in the wild in a malicious context. Cisco said the shortcoming was discovered by the Cisco Advanced Security Initiatives Group (ASIG) during the resolution of a Cisco TAC support case.

The Canadian Centre for Cyber Security has urged organizations in the country to take action as soon as possible to counter the threat by updating to a fixed version of Cisco ASA and FTD products.

The U.K. NCSC, in an advisory released September 25, revealed the attacks have leveraged a multi-stage bootkit called RayInitiator to deploy a user-mode shellcode loader known as LINE VIPER to the ASA appliance.


RayInitiator is a persistent GRand Unified Bootloader (GRUB) bootkit that is flashed to victim devices and is capable of surviving reboots and firmware upgrades. It is responsible for loading LINE VIPER into memory; LINE VIPER can run CLI commands, perform packet captures, bypass VPN Authentication, Authorization, and Accounting (AAA) for actor devices, suppress syslog messages, harvest user CLI commands, and force a delayed reboot.

The bootkit accomplishes this by installing a handler within a legitimate ASA binary called “lina” to execute LINE VIPER. Lina, short for Linux-based Integrated Network Architecture, is the operating system software that integrates core firewall functionalities of the ASA.

Described as “more comprehensive” than Line Dancer, LINE VIPER uses two methods for communication with the command-and-control (C2) server: WebVPN client authentication sessions over HTTPS, or via ICMP with responses over raw TCP. It’s also designed to make a number of modifications to “lina” to avoid leaving a forensic trail and prevent detection of modifications to CLI commands like copy and verify.

“The deployment of LINE VIPER via a persistent bootkit, combined with a greater emphasis on defence evasion techniques, demonstrates an increase in actor sophistication and improvement in operational security compared to the ArcaneDoor campaign publicly documented in 2024,” the NCSC said.
