
Active campaign targeting vulnerabilities in Cisco VPN devices

Attacker attributed to ArcaneDoor campaign (CC-4483) has exploited CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 to install a sophisticated bootkit for persistent stealthy access to affected devices

Report a cyber attack: call 0300 303 5222 or email [email protected]


Threat details

Exploitation of vulnerabilities to deploy RayInitiator and LINE VIPER on ASA 5500-X Series appliances

Cisco, in collaboration with the National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure Security Agency (CISA), has observed the state-sponsored attacker attributed to the ArcaneDoor campaign (see CC-4483) exploiting CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 against end-of-life or upcoming end-of-life Cisco ASA devices, in particular the 5500-X Series appliances.

The attacker deployed the "RayInitiator" bootkit for persistent access via GRUB, which then loads "LINE VIPER". LINE VIPER contains functionality to execute arbitrary code, execute Cisco CLI commands, bypass VPN Authentication, Authorization and Accounting (AAA) for attacker devices, and exfiltrate data. Further details are available in NCSC's advisory and malware analysis.

SSL VPNs, firewalls, and other edge devices are internet-facing by design and are highly attractive targets to attackers. An increasing number of edge device vulnerabilities is disclosed each year, and they are rapidly exploited. The NHS England National CSOC assesses it is highly likely that vulnerabilities discovered in SSL VPN and firewall appliances will continue to be exploited as zero-days, or shortly after vendor disclosure.

Organisations are strongly encouraged to follow NCSC's vulnerability management guidance, including implementing a "patch by default" policy and patching edge devices as soon as possible if a critical vulnerability is identified.


Introduction

Cisco has released a security advisory to address two critical vulnerabilities and one medium severity vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, and specific configurations of the Cisco IOS, IOS XE, and IOS XR operating systems. Cisco ASA and FTD are security appliances that provide intrusion prevention system (IPS), virtual private network (VPN) and firewall capabilities.


Vulnerability Details

  • CVE-2025-20333 is a "buffer copy without checking size of input" vulnerability with a CVSSv3 score of 9.9. Successful exploitation could allow an authenticated, remote attacker to execute arbitrary code on an affected device.
  • CVE-2025-20362 is a "missing authorisation" vulnerability with a CVSSv3 score of 6.5. Successful exploitation could allow an unauthenticated, remote attacker to access restricted URL endpoints that should otherwise require authentication.
  • CVE-2025-20363 is a "heap-based buffer overflow" vulnerability with a CVSSv3 score of 9.0. Successful exploitation could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device.

Exploitation of the vulnerabilities, when chained together, could allow an unauthenticated, remote attacker to gain full control of an affected device.


Remediation advice

Organisations must review Cisco's Continued Attacks Against Cisco Firewalls article and complete the steps detailed below.

If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected]. 

Note: Organisations running end-of-life appliances must upgrade to a supported version.


Remediation steps

Each step is labelled with its type (Action or Patch) and whether it is optional or required, followed by the reference it is taken from.

Step 1 (Action) Optional: Pre-Requisite Action

To preserve critical forensic data, organisations are strongly encouraged to perform a core dump as per "Part One: Collect Artifacts from the Device" of CISA's guidance, before completing the required actions detailed below. This action needs to be carried out before any patches are applied.

Note: If organisations choose to carry out this action, CISA advises that organisations must complete the actions in the order they are listed and exactly as written.

If evidence of compromise is detected, organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected].

Organisations are not required to complete "Part Two: Upload Core Dump in CISA Malware Next Generation".

Reference: https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions

Step 2 (Patch) Required: (ASA and FTD appliances) Update to the Latest Supported Version

Organisations must update to the latest supported version for their appliance. Fixed versions are detailed below:

  • ASA
    • 9.12.4.72
    • 9.14.4.28
    • 9.16.4.85
    • 9.18.4.67
    • 9.20.4.10
    • 9.22.2.14
    • 9.23.1.19
  • FTD
    • 7.0.8.1
    • 7.2.10.2
    • 7.4.2.4
    • 7.6.2.1
    • 7.7.10.1

Note: End-of-life appliances must be upgraded to a supported patched version.

If organisations are unable to apply the relevant security update to their appliance, it is strongly recommended that they disable IKEv2 Client Services and all SSL VPN services as a temporary measure only.

Note: Organisations can only confirm compromise of their appliance by applying the recommended patch; otherwise, their appliances remain at risk.

Reference: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

Step 3 (Action) Required: Check for the Creation or Modification of firmware_update.log on disk0:

After applying the relevant security update, organisations must reboot the affected appliance. The fixed release will check for and remove the persistence mechanism used by the attacker and write or append the output to the firmware_update.log file on disk0:.

Organisations must check for the creation or modification of firmware_update.log. This is an indicator of compromise, and if present, organisations should continue to the next step.

Reference: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

Step 4 (Action) Required: If firmware_update.log Has Been Created or Modified

If this file has been created or modified, organisations should assume full compromise of their appliance.

Organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected].

Organisations are strongly encouraged to reset the device to factory settings, and replace all configurations (including all local passwords, certificates, and keys).

Organisations are also strongly encouraged to open a support case with the Cisco Technical Assistance Center (TAC).

Reference: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

Step 5 (Patch) Required: (IOS, IOS XE, and IOS XR appliances) Update to the Latest Supported Version

Organisations must use the Cisco Software Checker tool to determine the latest version available for their device, and apply the relevant patch.

Reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
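As an added example (not part of this advisory or of Cisco's tooling), the Python helper below applies steps 2 and 3 to text captured from an ASA or FTD appliance: it normalises a version as printed by "show version" (for example 9.16(4)85) to the dotted form used in the fixed-version list, reports whether the running release is patched on its train, and looks for the firmware_update.log indicator in a "dir disk0:" listing. The listing and version strings are constructed samples, and matching a train on its first two version components is an assumption; Cisco's Software Checker remains authoritative.

```python
import re

# Fixed releases from the advisory's remediation table, by product.
FIXED = {
    "ASA": ["9.12.4.72", "9.14.4.28", "9.16.4.85", "9.18.4.67",
            "9.20.4.10", "9.22.2.14", "9.23.1.19"],
    "FTD": ["7.0.8.1", "7.2.10.2", "7.4.2.4", "7.6.2.1", "7.7.10.1"],
}

def parse_version(text):
    """Normalise '9.16(4)85', '9.16(4)' or '9.16.4.85' to an int tuple
    so that releases on the same train compare correctly."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version: {text!r}")
    return parts

def patch_status(product, running):
    """Return 'patched', 'vulnerable' or 'unsupported-train'.
    Assumption: a train is identified by its first two components
    (e.g. 9.16), matching the one-fix-per-train list in the advisory."""
    ver = parse_version(running)
    for fixed in FIXED[product]:
        fv = parse_version(fixed)
        if fv[:2] == ver[:2]:
            return "patched" if ver >= fv else "vulnerable"
    # No fixed release on this train (e.g. an end-of-life train):
    # not safe; the device needs an upgrade to a supported train.
    return "unsupported-train"

# Step 3 indicator: the fixed release writes firmware_update.log to
# disk0: when it finds and removes the attacker's persistence mechanism.
LOG_RE = re.compile(r"(\d{2}:\d{2}:\d{2}\s+\w{3}\s+\d{1,2}\s+\d{4})"
                    r"\s+firmware_update\.log\s*$")

def find_firmware_log(dir_listing):
    """Return the timestamp of firmware_update.log in a 'dir disk0:'
    listing, the bare line if the timestamp does not parse, or None if
    the indicator file is absent."""
    for line in dir_listing.splitlines():
        if "firmware_update.log" not in line:
            continue
        m = LOG_RE.search(line)
        return m.group(1) if m else line.strip()
    return None

# Constructed 'dir disk0:' listing from a device where the fixed
# release has written the indicator file after the post-patch reboot.
SAMPLE_DIR = """Directory of disk0:/

12     -rwx  29          08:15:02 Sep 26 2025  firmware_update.log
13     -rwx  104857600   09:30:11 Sep 26 2025  asa-image.bin
"""
```

A hit from find_firmware_log means the step 4 actions apply (report, factory reset, replace all credentials and keys); a miss after patch and reboot is only meaningful if the fixed release has actually been installed.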


Last edited: 26 September 2025 12:05 pm