Alert essentials:
A threat actor is actively exploiting zero-day vulnerabilities in Cisco ASA firewall appliances to infiltrate critical infrastructure networks, including those in the healthcare sector.
The attackers deploy stealthy malware implants that turn off logging, bypass VPN authentication, and persist in device firmware, enabling long-term access and data exfiltration. Healthcare networks using legacy ASA devices are at heightened risk of patient data breaches, clinical system compromise, and regulatory violations. Immediate patching, forensic scanning, and device replacement are strongly advised.
Detailed threat description:
Malicious actors have been targeting networks through compromised Cisco WebVPN sessions since late 2023. ArcaneDoor was a cyber-espionage campaign that primarily targeted Cisco ASA firewalls in critical infrastructure environments from late 2023 to early 2024.
Cisco Talos and PSIRT investigated and identified a previously unknown state-sponsored actor that had developed malware for Cisco ASA. The brand acknowledged that attackers were indeed exploiting these vulnerabilities in the wild to gain control of ASA 5500-X series appliances and released patches in April 2024.
Today, a new wave of attacks against Cisco ASA and Firepower devices is underway, and the campaign is traced to the same threat actor, UAT4356 or STORM-1849. The attackers are leveraging at least two new zero-day vulnerabilities in Cisco ASA software.
CVE-2025-20333 allows remote code execution as root, although in some cases it requires valid VPN credentials to trigger. CVE-2025-20362 can be used to bypass authentication and reach restricted URLs on the ASA. Chained together, the two flaws allow an unauthenticated, remote takeover of vulnerable ASA devices, permitting a threat actor to pivot directly into an organization, reroute or modify traffic, and monitor network communications.
Additionally, two new malware families used in the latest campaign mark a significant step up in the threat actor's sophistication and stealth. “Rayinitiator” is a persistent bootkit integrated with the device’s bootloader firmware; it survives reboots and even ASA software upgrades. “LINE VIPER” is a user-mode payload that slithers into the ASA operating system at runtime.
As with 2024, the 2025 campaign has primarily struck government agencies and critical infrastructure to date. CISA describes the campaign as widespread, resulting in remote code execution and the manipulation of read-only memory that persists through reboots and system upgrades. While CISA’s emergency directive only applies to federal agencies, the private sector often follows these urgent warnings closely.
Organizations should follow CISA’s step-by-step Core Dump and Hunt Instructions, Parts 1-3. If the result is “Compromise Detected,” federal agencies are required to immediately disconnect the device from their network (without powering it off), report the incident to CISA via the Malware Next Gen portal, and collaborate with CISA on incident response and remediation actions.
If the result is “No Compromise Detected” on ASA hardware models with an end-of-support date on or before September 30, 2025, permanently disconnect these devices. These legacy platforms/releases cannot meet current vendor support and update requirements.
Organizations using ASA hardware with an August 31, 2026, end-of-support date, ASAv, or Firepower FTD should download and apply the latest Cisco-provided software updates and apply all subsequent updates via Cisco’s download portal.
Impacts on healthcare organizations:
Healthcare organizations face serious risks from the exploitation of Cisco ASA devices, including stealthy exfiltration of patient data and unauthorized access to clinical systems. The malware installs a persistent backdoor and a runtime payload, potentially disrupting operations and allowing attackers to remain undetected while harvesting sensitive patient information. Failure to patch or replace these devices could lead to HIPAA violations, regulatory fines, and reputational damage.
Affected Products / Versions
CVEs
CVE | CVSS | CWE |
---|---|---|
CVE-2024-20353 | 8.6 | CWE-835 |
CVE-2024-20359 | 6.0 | CWE-94 |
CVE-2025-20333 | 9.9 | CWE-120 |
CVE-2025-20362 | 6.5 | CWE-862 |
CVE-2025-20363 | 9.0 | CWE-122 |
Indicators of Compromise (IoCs)
- Presence of the new malware and evidence of the exploited vulnerabilities
- Unexpected GRUB bootloader on ASA flash
- Carved strings (strings extracted from a data stream or memory dump) or behaviors associated with the implants
- Firmware_update.log appearing after ASA upgrade (indicates bootkit was removed)
- ASA devices are rebooting unexpectedly or without crash logs
- Syslog services are disabled or missing expected entries
- Unusual VPN login behavior or acceptance of invalid credentials
- Unexpected GRUB components or a cryptographic mismatch in ROMMON
- Signs of CVE-2025-20333 or CVE-2025-20362 exploitation in logs or telemetry
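A small triage script, added here as an illustration and not part of Fortified's, Cisco's or CISA's tooling, that applies several of the IoCs above (a logging gap, a reboot with no preceding crash record, logging switched off, and firmware_update.log or GRUB components on flash) to a constructed ASA syslog export and flash listing. The sample lines, their syslog message IDs and the file names are constructed for illustration and are not real device output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog export (not real device output); the %ASA-<sev>-<id>
# message IDs are assumed for illustration and must be checked against a real export.
SAMPLE_SYSLOG = [
    '2025-09-25T08:00:01 %ASA-6-605005: Login permitted from 203.0.113.10/51234 to outside:192.0.2.1/https for user "vpnadmin"',
    "2025-09-25T08:00:20 %ASA-5-111008: User 'vpnadmin' executed the 'no logging enable' command.",
    "2025-09-25T14:30:00 %ASA-5-111008: User 'vpnadmin' executed the 'logging enable' command.",
    "2025-09-25T14:31:00 %ASA-6-199002: Startup completed. Beginning operation.",
]
# Constructed flash listing (file names only), not real device output.
SAMPLE_FLASH = ["asa9-16-4-smp-k8.bin", "firmware_update.log", "boot/grub/grub.cfg"]

LINE_RE = re.compile(r"^(\S+) %ASA-(\d)-(\d+): (.*)$")

def parse(lines):
    """Yield (timestamp, message_id, text) for each well-formed syslog line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(3), m.group(4)

def hunt(syslog_lines, flash_files, max_gap=timedelta(hours=1)):
    """Return a list of IoC findings; an empty list means none of the heuristics fired."""
    findings = []
    events = list(parse(syslog_lines))
    # Syslog silence longer than max_gap: suppressed logging is an IoC on its own.
    for (t0, _, _), (t1, _, _) in zip(events, events[1:]):
        if t1 - t0 > max_gap:
            findings.append(f"logging gap of {t1 - t0} starting {t0.isoformat()}")
    for t, mid, text in events:
        if "'no logging" in text:
            findings.append(f"logging disabled at {t.isoformat()}: {text}")
        if mid == "199002":  # assumed startup message: look back for any crash record
            crashed = any("crash" in txt.lower() for t2, _, txt in events if t2 < t)
            if not crashed:
                findings.append(f"reboot at {t.isoformat()} without a preceding crash record")
    for name in flash_files:
        if name.lower() == "firmware_update.log":
            findings.append(f"{name} present on flash (upgrade removed a bootkit)")
        if "grub" in name.lower():
            findings.append(f"unexpected GRUB component on flash: {name}")
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_SYSLOG, SAMPLE_FLASH):
        print("IoC:", finding)
```

Each heuristic is a lead for the CISA Core Dump and Hunt procedure, not a verdict; a device that trips any of them still needs the full forensic collection.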
Tactics, Techniques, and Procedures (TTPs)
MITRE Technique | Description |
---|---|
T1190 – Exploit Public-Facing Application | Exploitation of Cisco ASA VPN web services using CVE-2025-20333 and CVE-2025-20362 |
T1059 – Command-Line Interface | Execution of arbitrary CLI commands on ASA devices via implanted malware. |
T1542.003 – Bootkit | Use of the Rayinitiator bootloader implant to persist malware in ASA firmware |
T1014 – Rootkit | LINE VIPER hooks the ASA OS functions to hide its presence and intercept admin commands |
Recommendations
Engineering recommendations:
- Immediately identify all Cisco ASA platforms (ASA hardware, ASA-Service Module [ASA-SM], ASA Virtual [ASAv], and ASA firmware on Firepower 2100/4100/9300) and all Cisco Firepower Threat Defense (FTD) appliances.
- Apply Cisco’s latest security updates addressing CVE-2025-20333 and CVE-2025-20362
- Confirm patch integrity and verify that firmware update logs do not indicate prior compromise
- Remove legacy ASA 5500-X series devices that lack Secure Boot (e.g., 5512-X, 5525-X, 5545-X) and replace with hardware supporting Trust Anchor and Secure Boot
- Use Cisco’s detection tools and CISA’s guidance to identify Rayinitiator and LINE VIPER implants.
- Look for suppressed syslogs, unexpected reboots, and the presence of firmware_update.log
- Capture memory dumps and ROMMON images for analysis
- Rotate VPN credentials, admin passwords, and rebuild configurations from clean backups
- Monitor logs for signs of unauthorized access
- Limit VPN exposure
Leadership / Program recommendations:
- Instruct the teams to account for all Cisco ASA and Firepower devices, collect forensic evidence, and assess compromise using CISA-provided procedures and tools. Disconnect end-of-support devices and upgrade devices that will remain in service.
- Direct threat hunting by instructing teams to scan for Rayinitiator and LINE VIPER implants
- Audit admin access to ASA devices and remove unused accounts
- Require memory and firmware analysis for high-risk devices
- Prepare to activate incident response plans and brief leadership on steps taken and risk posture status
- Budget to replace legacy hardware
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- CISA Emergency Directive: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
- CISA Malware Nextgen: https://secure.login.gov/
- CISA Supplemental Direction ED 25-03: Core Dump and Hunt Instructions: https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions
- Cisco Advisory for CVE-2024-20353: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2
- Cisco Advisory for CVE-2024-20359: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h
- Cisco Advisory for CVE-2025-20362: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
- Cisco Advisory for CVE-2025-20363: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
- Cisco Advisory for CVE-2025-20333: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
- Cisco ArcaneDoor: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
- Cisco ASA Forensic Data Collection Procedures: https://sec.cloudapps.cisco.com/security/center/resources/forensic_guides/asa_forensic_investigation.html
- Cisco Security Event Response: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks