Cisco ASA Firewall Zero-Day

The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER.

“The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection,” the agency said.

Cisco on Thursday revealed that it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May 2025 that targeted Adaptive Security Appliance (ASA) 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.

An in-depth analysis of firmware extracted from the infected devices running Cisco Secure Firewall ASA Software with VPN web services enabled ultimately led to the discovery of a memory corruption bug in the product software, it added.

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” the company said.


The activity involves the exploitation of CVE-2025-20362 (CVSS score: 6.5) and CVE-2025-20333 (CVSS score: 9.9) to bypass authentication and execute malicious code on susceptible appliances. The campaign is assessed to be linked to a threat cluster dubbed ArcaneDoor, which was attributed to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849).

Additionally, in some cases, the threat actor is said to have modified ROMMON (short for Read-Only Memory Monitor) – which is responsible for managing the boot process and performing diagnostic tests in ASA devices – to facilitate persistence across reboots and software upgrades. That being said, these modifications have been detected only on Cisco ASA 5500-X Series platforms that lack Secure Boot and Trust Anchor technologies.

Cisco also said the campaign has successfully compromised ASA 5500-X Series models running Cisco ASA Software releases 9.12 or 9.14 with VPN web services enabled, and which do not support Secure Boot and Trust Anchor technologies. All the affected devices have reached end-of-support (EoS) or are about to reach EoS status by next week –

  • 5512-X and 5515-X – Last Date of Support: August 31, 2022
  • 5585-X – Last Date of Support: May 31, 2023
  • 5525-X, 5545-X, and 5555-X – Last Date of Support: September 30, 2025
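The affected profile above (5500-X hardware without Secure Boot and Trust Anchor, ASA Software 9.12 or 9.14, VPN web services enabled, and the end-of-support dates listed) is easiest to act on as a fleet inventory check. The following is an added example, not Cisco's or the NCSC's tooling: it parses saved `show version` and `show running-config` text from an ASA and reports whether the device matches that profile. It assumes the output shapes shown in its constructed samples (a `Hardware:   ASA<model>` line, and a column-0 `webvpn` block containing `enable <interface>`); the samples are made up for illustration and are not from a real device.

```python
"""Triage saved ASA `show version` / `show running-config` text against the
campaign profile described in the article. Added example, not vendor code."""
import re
from datetime import date

# Last Date of Support per 5500-X model, exactly as listed in the article.
EOS_DATES = {
    "5512": date(2022, 8, 31),
    "5515": date(2022, 8, 31),
    "5585": date(2023, 5, 31),
    "5525": date(2025, 9, 30),
    "5545": date(2025, 9, 30),
    "5555": date(2025, 9, 30),
}
# Software trains the article reports as compromised in this campaign.
TARGETED_RELEASES = {"9.12", "9.14"}
# Publication date of the article, used as the default reference date.
ARTICLE_DATE = date(2025, 9, 26)

# Assumed `show version` shapes (see constructed samples below):
#   "Cisco Adaptive Security Appliance Software Version 9.12(4)67"
#   "Hardware:   ASA5525, 8192 MB RAM, ..."
VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version (\d+\.\d+)")
HARDWARE_RE = re.compile(r"^Hardware:\s+ASA(\d{4})", re.MULTILINE)


def parse_show_version(text):
    """Return (release_train, model_number); a missing field comes back as None."""
    release = VERSION_RE.search(text)
    model = HARDWARE_RE.search(text)
    return (release.group(1) if release else None,
            model.group(1) if model else None)


def webvpn_enabled(running_config):
    """True if the top-level `webvpn` block has an `enable <interface>` line.

    Only the column-0 block counts: an indented `webvpn` under a group-policy
    is a different context and does not by itself expose the web service.
    """
    in_block = False
    for line in running_config.splitlines():
        if in_block:
            if line.startswith((" ", "\t")):
                if line.strip().startswith("enable "):
                    return True
                continue
            in_block = False  # first non-indented line ends the block
        if line == "webvpn":
            in_block = True
    return False


def triage(show_version, running_config, today=ARTICLE_DATE):
    """Summarise one device's exposure against the article's campaign profile."""
    release, model = parse_show_version(show_version)
    eos = EOS_DATES.get(model)
    vpn_web = webvpn_enabled(running_config)
    findings = []
    if model in EOS_DATES:
        findings.append(f"ASA{model} is a listed 5500-X model without Secure Boot/Trust Anchor")
    if release in TARGETED_RELEASES:
        findings.append(f"release {release} is one the campaign is reported to have compromised")
    if vpn_web:
        findings.append("VPN web services are enabled")
    if eos is not None and eos <= today:
        findings.append(f"past last date of support ({eos.isoformat()})")
    return {
        "model": model,
        "release": release,
        "end_of_support": eos,
        "matches_campaign_profile": model in EOS_DATES and release in TARGETED_RELEASES and vpn_web,
        "findings": findings,
    }


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)67
Device Manager Version 7.12(2)

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""
SAMPLE_RUNNING_CONFIG = """\
hostname asa-branch-01
interface GigabitEthernet0/0
 nameif outside
 security-level 0
webvpn
 enable outside
 anyconnect enable
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect keep-installer installed
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```

Run it over the text collected from each appliance; a device that reports `matches_campaign_profile: True` is one the article places in scope, and `end_of_support` tells you whether a fix will ever ship for it. A device that does not match the profile is not thereby cleared, since the check only encodes the attributes the article names.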

Furthermore, the company noted that it has addressed a third critical flaw (CVE-2025-20363, CVSS score: 8.5/9.0) in the web services of Adaptive Security Appliance (ASA) Software, Secure Firewall Threat Defense (FTD) Software, IOS Software, IOS XE Software, and IOS XR Software that could allow a remote attacker to execute arbitrary code on an affected device.

“An attacker could exploit this…



Last Update: September 26, 2025