A sophisticated state-sponsored hacking campaign is actively exploiting critical zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) firewalls, deploying stealthy malware that can survive reboots and firmware upgrades. The threat is considered severe enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took the rare step of issuing an Emergency Directive (ED 25-03), compelling all federal agencies to immediately identify and mitigate vulnerable devices.
This campaign, attributed to the China-linked threat actor UAT4356 (also tracked as Storm-1849) and connected to the earlier ArcaneDoor activity, represents a significant evolution in both sophistication and its ability to evade detection. For any organization using Cisco ASA or Firepower firewalls, this is not a routine update but a critical incident requiring immediate action.
The Vulnerabilities and The Malware
The attacks leverage two critical vulnerabilities to gain deep control of the firewall devices:
- CVE-2025-20333 (CVSS Score: 9.9): A remote code execution flaw that allows an unauthenticated attacker to run malicious code on the device.
- CVE-2025-20362 (CVSS Score: 6.5): A privilege escalation vulnerability that lets attackers gain higher-level permissions on the system.
The attackers use these flaws to deploy two novel and persistent malware families identified by the UK's National Cyber Security Centre (NCSC):
- RayInitiator: A persistent GRUB bootkit flashed directly to the device's read-only memory (ROM). This allows it to survive device reboots and even system upgrades, making it extremely difficult to remove.
- LINE VIPER: A sophisticated user-mode shellcode loader deployed by RayInitiator. Once active, it can execute commands, perform packet captures, bypass VPN authentication, and manipulate system logs to hide its tracks.
Who is at Risk?
The campaign has successfully compromised Cisco ASA 5500-X Series models, particularly those that have reached or are nearing end-of-support (EoS) and lack Secure Boot and Trust Anchor technologies. The following models are confirmed to be vulnerable:

| Vulnerable Cisco ASA 5500-X Models | Last Date of Support |
|---|---|
| 5512-X, 5515-X | August 31, 2022 |
| 5585-X | May 31, 2023 |
| 5525-X, 5545-X, 5555-X | September 30, 2025 |
The attacks target devices running Cisco ASA Software releases 9.12 or 9.14 with VPN web services enabled. These firewalls are often deployed at the network perimeter, making them a high-value target for gaining a foothold inside an organization.
What You Need to Do: An Action Plan
CISA's Emergency Directive provides a clear roadmap for all organizations, not just federal agencies, to respond to this threat.
- Immediate Inventory and Assessment
  - Identify all Cisco ASA platforms (hardware, virtual, service modules) and Firepower Threat Defense (FTD) appliances on your network.
  - Use the CISA-provided "Core Dump and Hunt Instructions" to collect forensic data from public-facing Cisco ASA appliances and check for signs of compromise. Submit suspicious files to CISA's Malware Next Gen portal for analysis.
- Patching and Decommissioning
  - Apply Updates Immediately: For supported devices, download and apply the latest Cisco-provided updates immediately. CISA mandated that agencies complete this by September 26, 2025, and apply all future updates within 48 hours of release.
  - Disconnect Unsupported Hardware: For ASA hardware models that have already reached end-of-support, the only safe course of action is to permanently disconnect and decommission them. These legacy devices cannot be secured against this threat.
- Assume Compromise and Investigate
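To support the inventory step, here is an added triage helper (not part of the article, nor CISA's or Cisco's own tooling) that classifies an ASA from already-collected `show version` and running-config text against the criteria the article gives: the end-of-support table, the targeted 9.12/9.14 releases, and whether VPN web services are enabled. The sample device output is constructed for illustration, and the action labels are this example's own.

```python
import re
from datetime import date

# Last-date-of-support values from the article's table (ASA 5500-X models).
EOS_DATES = {
    "ASA5512": date(2022, 8, 31), "ASA5515": date(2022, 8, 31),
    "ASA5585": date(2023, 5, 31),
    "ASA5525": date(2025, 9, 30), "ASA5545": date(2025, 9, 30),
    "ASA5555": date(2025, 9, 30),
}
TARGETED_TRAINS = ("9.12", "9.14")  # software releases the campaign is reported to target

VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version (\d+\.\d+)")
HW_RE = re.compile(r"^Hardware:\s+(ASA\d+)", re.MULTILINE)


def webvpn_enabled(running_config: str) -> bool:
    """True if the top-level 'webvpn' block contains an 'enable <interface>' line."""
    in_block = False
    for line in running_config.splitlines():
        if line.startswith("webvpn"):
            in_block = True
        elif in_block and line and not line[0].isspace():
            in_block = False  # a non-indented line ends the webvpn block
        elif in_block and line.strip().startswith("enable "):
            return True
    return False


def triage(show_version: str, running_config: str, today: date) -> dict:
    """Classify one ASA: past-EoS model, targeted train, and VPN web services exposure."""
    ver = VERSION_RE.search(show_version)
    hw = HW_RE.search(show_version)
    train = ver.group(1) if ver else None
    model = hw.group(1) if hw else None
    eos = EOS_DATES.get(model)
    vpn = webvpn_enabled(running_config)
    hunt = train in TARGETED_TRAINS and vpn  # matches the targeted profile: collect a core dump
    if eos and today > eos:
        action = "decommission"  # past end-of-support: no fix will ship, disconnect it
    elif train in TARGETED_TRAINS or eos:
        action = "patch"         # supported but in scope: apply Cisco's updates now
    else:
        action = "review"
    return {"model": model, "train": train, "webvpn": vpn, "hunt": hunt, "action": action}


# Constructed sample output, not captured from a real device.
SAMPLE_VERSION = "Cisco Adaptive Security Appliance Software Version 9.12(4)\n" \
                 "Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz\n"
SAMPLE_CONFIG = "interface GigabitEthernet0/0\n nameif outside\nwebvpn\n enable outside\n anyconnect enable\n"
```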
The Bottom Line
The exploitation of these Cisco ASA zero-days is a stark reminder that network perimeter devices are prime targets for advanced threat actors. The use of persistent malware that survives reboots and upgrades is particularly concerning and demonstrates a high level of sophistication.
Immediate action is not just recommended—it is essential for network security. By following the steps outlined by CISA and Cisco, organizations can evict attackers from their networks and protect their critical infrastructure from this ongoing campaign.