A state-sponsored campaign attributed to the China-aligned threat actor UAT4356 (Cisco Talos's name; Microsoft tracks the same group as Storm-1849) is actively exploiting zero-day vulnerabilities in Cisco ASA and FTD firewalls.
By chaining the flaws, the attackers bypass authentication, execute code as root on the appliance, and install malware that survives reboots and firmware upgrades.

CISA has issued Emergency Directive 25-03, and Cisco has published advisories with fixed releases; both urge all organizations to act immediately.
This guide summarises the threat, the affected systems, and the steps for mitigation and incident response.

Understanding the Cisco Zero-Day Vulnerabilities

On September 25, 2025, Cisco patched three security flaws in the web services (including the VPN web server) of its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
Two of them have been exploited in the wild; Cisco first identified the attack activity in May 2025.

The flaws are tracked as:
CVE-2025-20362: Improper validation of HTTP(S) requests to the VPN web server lets an unauthenticated attacker reach restricted Clientless SSL VPN (WebVPN) URL endpoints, i.e. an authentication bypass. (No authentication required)
CVE-2025-20363: A separate heap buffer overflow in the web services of ASA, FTD, IOS, IOS XE and IOS XR that can lead to remote code execution. Cisco disclosed it alongside the other two; the observed attack chain and ED 25-03 involve only CVE-2025-20362 and CVE-2025-20333. (No authentication required on ASA/FTD)
CVE-2025-20333: A heap buffer overflow in the WebVPN file-upload handler that leads to remote code execution as root. (Authentication required, which is exactly what the bypass supplies)

Key Takeaway: 

Attackers are chaining CVE-2025-20362 (bypass) with CVE-2025-20333 (code execution): the bypass gives an unauthenticated attacker access to the authenticated WebVPN endpoint where the overflow lives, so together they yield full root control of the device.

Are You at Risk? Affected Cisco Devices

Any ASA, ASAv or FTD deployment with VPN web services exposed is vulnerable to the CVEs above and must be patched. The devices at highest risk, and the ones on which the RayInitiator bootkit persistence has been observed, are the following Cisco ASA 5500-X Series models:
Affected Models: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X
Affected Software: Cisco ASA Software Release 9.12 or 9.14
Critical Factor: VPN web services enabled on hardware that lacks Secure Boot and Trust Anchor technologies, so a tampered bootloader is never detected at boot.

These models are nearing or past their end-of-support (EoS) date, which is why they are prime targets: they receive the least attention and, for some, no further fixes.

Immediate Actions: Patch, Hunt, and Mitigate

Follow this step-by-step guide to secure your network against these Cisco zero-day exploits.

1. Identify and Inventory All Cisco ASA/FTD Devices
Compile a complete list of all deployed ASA and FTD devices in your infrastructure. Prioritize any that are public-facing.

2. Apply Cisco's Patches Immediately
Cisco has released fixed software for all affected ASA, ASAv, and FTD platforms. Download and apply the fixed release for your train now. ED 25-03 required federal civilian agencies to apply the updates by September 26, 2025, and to permanently disconnect end-of-support devices; every other organization should treat those deadlines as its own.

3. Perform Threat Hunting as Directed by CISA
Do not assume patching alone is sufficient. You must actively hunt for signs of compromise.

Follow CISA’s Core Dump and Hunt Instructions (Parts 1–3) for public-facing ASA devices.

If you detect a compromise:
Immediately disconnect the device from the network, but DO NOT power it off: the malware lives in memory and the boot path, and the core dump CISA asks for depends on that volatile state.
Report the incident to CISA.

Cisco Recommendation: After upgrading to a fixed release, reset the device to factory defaults and reconfigure it from scratch with new passwords, certificates, and keys.
If no compromise is detected, proceed with patching and continue monitoring.
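The three steps above start with an inventory and a decision about which devices to hunt first. The script below, an added example and not Cisco or CISA tooling, triages a fleet from constructed excerpts shaped like `show version` and `show running-config webvpn` output: legacy 5500-X hardware on the 9.12/9.14 trains with WebVPN enabled on a public interface goes to the front of the queue, public WebVPN on any other unpatched device next. The fixed-release table holds illustrative values and must be confirmed against Cisco's advisory before use; the `public_facing` flag comes from your own inventory.

```python
"""Triage an ASA fleet against the exposure criteria above. Added example, not Cisco
or CISA tooling. The device output is constructed in the shape of `show version` and
`show running-config webvpn`; EXAMPLE_FIXED holds illustrative first-fixed releases
that must be confirmed against the Cisco advisory before use."""
import re
from dataclasses import dataclass

# Platforms the RayInitiator reporting ties to: 5500-X models without Secure Boot /
# Trust Anchor, on the 9.12 or 9.14 trains.
LEGACY_MODELS = {"ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585"}
LEGACY_TRAINS = {(9, 12), (9, 14)}

# Illustrative values: (major, minor) -> first fixed (major, minor, maint, interim).
# Confirm every entry against Cisco's advisory; unknown trains are treated as unpatched.
EXAMPLE_FIXED = {(9, 12): (9, 12, 4, 72), (9, 14): (9, 14, 4, 28), (9, 16): (9, 16, 4, 85)}

VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d+)?")
HARDWARE_RE = re.compile(r"^Hardware:\s+(ASA\d+)", re.M)
WEBVPN_ENABLE_RE = re.compile(r"^\s*enable\s+(\S+)\s*$", re.M)  # 'enable <iface>' under webvpn


@dataclass
class Device:
    name: str
    public_facing: bool      # from your inventory; the device cannot tell you this
    show_version: str
    show_webvpn: str


@dataclass
class Finding:
    name: str
    model: str
    version: tuple
    webvpn_interfaces: list
    legacy_cohort: bool
    patched: bool
    priority: int            # 1 = act first
    action: str


def parse_version(text):
    """'Software Version 9.12(4)67' -> (9, 12, 4, 67); a missing interim counts as 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA software version line found")
    return tuple(int(g) if g else 0 for g in m.groups())


def parse_model(text):
    m = HARDWARE_RE.search(text)
    return m.group(1) if m else "unknown"


def webvpn_interfaces(text):
    """Interfaces on which the webvpn section enables the VPN web server."""
    return WEBVPN_ENABLE_RE.findall(text)


def is_patched(version, fixed_releases):
    fixed = fixed_releases.get(version[:2])
    return fixed is not None and version >= fixed


def triage(device, fixed_releases):
    version = parse_version(device.show_version)
    model = parse_model(device.show_version)
    ifaces = webvpn_interfaces(device.show_webvpn)
    legacy = model in LEGACY_MODELS and version[:2] in LEGACY_TRAINS
    patched = is_patched(version, fixed_releases)
    exposed = bool(ifaces) and device.public_facing
    if exposed and legacy:
        priority, action = 1, "collect core dump and hunt now; hardware lacks Secure Boot, plan replacement"
    elif exposed:
        priority, action = 2, "hunt per CISA guidance" + ("" if patched else ", then patch")
    elif not patched:
        priority, action = 3, "patch; not internet-reachable per inventory"
    else:
        priority, action = 4, "patched and internal; keep monitoring"
    return Finding(device.name, model, version, ifaces, legacy, patched, priority, action)


def triage_fleet(devices, fixed_releases=EXAMPLE_FIXED):
    return sorted((triage(d, fixed_releases) for d in devices), key=lambda f: f.priority)


# Constructed excerpts in the shape of device output; not captured from any real device.
FLEET = [
    Device("fw-edge-1", True,
           "Cisco Adaptive Security Appliance Software Version 9.12(4)67\n"
           "Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)\n",
           "webvpn\n enable outside\n anyconnect enable\n tunnel-group-list enable\n"),
    Device("fw-edge-2", True,
           "Cisco Adaptive Security Appliance Software Version 9.16(4)70\n"
           "Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)\n",
           "webvpn\n enable outside\n anyconnect enable\n"),
    Device("fw-dc-3", False,
           "Cisco Adaptive Security Appliance Software Version 9.14(4)10\n"
           "Hardware:   ASA5545, 12288 MB RAM, CPU Lynnfield 2394 MHz, 2 CPUs (8 cores)\n",
           "webvpn\n"),
]

if __name__ == "__main__":
    for f in triage_fleet(FLEET):
        ver = ".".join(map(str, f.version))
        print(f"P{f.priority} {f.name:10} {f.model:8} {ver:12} webvpn={f.webvpn_interfaces or '-'} "
              f"legacy={f.legacy_cohort} patched={f.patched}: {f.action}")
```

Feed it real output by pasting each device's two show commands into `Device` records, or by reading them from whatever your automation already collects. Priority 1 devices should be disconnected and core-dumped before anything is upgraded, since upgrading first can destroy the evidence the hunt needs.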

Advanced Threat Analysis: How the Attack Works

This campaign represents a significant evolution of the 2024 ArcaneDoor campaign's methodology, using advanced techniques for stealth and persistence.

Malware and Persistence Mechanisms:
RayInitiator: A multi-stage bootkit that modifies the GRUB bootloader on Cisco ASA 5500-X devices and loads the second-stage payload at every boot.
Because these platforms lack Secure Boot and Trust Anchor, nothing verifies the bootloader, so the implant survives device reboots and even firmware upgrades.

LINE VIPER: A modular, memory-resident payload loaded by RayInitiator. It executes CLI commands, captures network traffic, bypasses AAA so the actor's own VPN connections need no valid credentials, harvests commands typed by legitimate administrators, suppresses syslog, and can force delayed reboots.
It communicates over WebVPN client-authentication sessions or over ICMP, with encrypted payloads, and includes anti-forensic capabilities.

The Attack Chain:

Reconnaissance: Attackers scan the internet for exposed Cisco ASA WebVPN / HTTPS interfaces.

Initial Access: Abuse CVE-2025-20362 to bypass authentication.
Exploitation: Chain the bypass with CVE-2025-20333 to achieve remote code execution.
Persistence: Deploy the RayInitiator bootkit to maintain permanent access.
Post-Exploitation: Use LINE VIPER to capture packets, dump configurations, create backdoor accounts, and exfiltrate data.
Anti-Forensics: Systematically disable logging, intercept CLI commands, and crash devices to prevent analysis.
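Several of the LINE VIPER behaviours above leave a negative footprint in syslog rather than a positive one: a VPN session that never passed AAA, a command that switches logging off, or a device that simply goes quiet. The script below is an added example, not Cisco or CISA tooling, that hunts for those three patterns over forwarded ASA syslog. The log lines are constructed, and the message formats matched (113004 AAA success, 716001 WebVPN session start, 111008 executed command) and the thresholds are assumptions to adjust to your collector's line format and your normal traffic.

```python
"""Hunt over ASA syslog for behaviour the LINE VIPER reporting describes: VPN sessions
that never passed AAA, commands that switch logging off, and per-device silence that
suggests log suppression. Added example, not Cisco or CISA tooling. The log lines are
constructed; message formats and thresholds are assumptions to adjust for your site."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<iso timestamp> <host> %ASA-<sev>-<id>: <message>", as a collector might forward it.
LINE_RE = re.compile(r"^(\S+) (\S+) %ASA-(\d)-(\d+): (.*)$")
AAA_OK_RE = re.compile(r"AAA user authentication Successful.*user = (\S+)")
WEBVPN_START_RE = re.compile(r"User <([^>]+)> IP <([^>]+)> WebVPN session started")
CMD_RE = re.compile(r"executed the '(.+)' command")

AAA_WINDOW = timedelta(seconds=120)    # a real login's 113004 precedes its 716001 by seconds
GAP_THRESHOLD = timedelta(minutes=60)  # an edge firewall that logs nothing for an hour is suspect


def parse(lines):
    """Return (timestamp, host, message id, message) for each well-formed line, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, host, _sev, msg_id, msg = m.groups()
            events.append((datetime.fromisoformat(ts), host, msg_id, msg))
    return sorted(events, key=lambda e: e[0])


def hunt(lines):
    """Return (host, finding, detail) triples; an empty list means nothing matched."""
    findings = []
    last_aaa_ok = defaultdict(dict)   # host -> user -> time of last 113004
    last_seen = {}                    # host -> time of last message of any kind
    for ts, host, msg_id, msg in parse(lines):
        prev = last_seen.get(host)
        if prev is not None and ts - prev > GAP_THRESHOLD:
            findings.append((host, "log_gap", f"silent for {ts - prev} before {ts.isoformat()}"))
        last_seen[host] = ts
        if msg_id == "113004":                       # AAA success
            m = AAA_OK_RE.search(msg)
            if m:
                last_aaa_ok[host][m.group(1)] = ts
        elif msg_id == "716001":                     # WebVPN session started
            m = WEBVPN_START_RE.search(msg)
            if m:
                user, ip = m.groups()
                ok = last_aaa_ok[host].get(user)
                if ok is None or ts - ok > AAA_WINDOW:
                    findings.append((host, "webvpn_without_aaa", f"user={user} from {ip}"))
        elif msg_id == "111008":                     # an operator ran a config command
            m = CMD_RE.search(msg)
            if m and m.group(1).startswith("no logging"):
                findings.append((host, "logging_disabled", m.group(1)))
    return findings


# Constructed sample, not captured from any device. fw-edge-1 shows one clean login,
# one session with no AAA record, a logging-off command and a long silence; fw-edge-2 is clean.
SAMPLE_LOG = """
2025-09-26T10:00:00 fw-edge-1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith
2025-09-26T10:00:01 fw-edge-1 %ASA-6-716001: Group <RemoteAccess> User <jsmith> IP <198.51.100.20> WebVPN session started.
2025-09-26T10:05:00 fw-edge-1 %ASA-6-716001: Group <RemoteAccess> User <svc-backup> IP <203.0.113.77> WebVPN session started.
2025-09-26T10:06:00 fw-edge-1 %ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
2025-09-26T12:30:00 fw-edge-1 %ASA-6-302013: Built inbound TCP connection 912 for outside:203.0.113.77/44122 (203.0.113.77/44122) to inside:10.0.0.9/443 (10.0.0.9/443)
2025-09-26T10:00:00 fw-edge-2 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = akim
2025-09-26T10:00:02 fw-edge-2 %ASA-6-716001: Group <RemoteAccess> User <akim> IP <198.51.100.31> WebVPN session started.
2025-09-26T10:30:00 fw-edge-2 %ASA-6-716002: Group <RemoteAccess> User <akim> IP <198.51.100.31> WebVPN session terminated: User Requested.
""".strip().splitlines()

if __name__ == "__main__":
    for host, kind, detail in hunt(SAMPLE_LOG):
        print(f"{host}: {kind}: {detail}")
```

Run it against the syslog your collector already holds for the period since May 2025, not only recent data, and treat any hit on a public-facing ASA as a trigger for the CISA core-dump procedure. A clean result is not proof of absence: an implant that suppresses syslog can hide the very messages this script looks for, which is why the silence check is included and why the on-device hunt still has to be done.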

Attribution: China-Aligned Threat Actor UAT4356

This campaign is attributed to UAT4356 (Storm-1849), a well-resourced, China-aligned threat actor specializing in perimeter device exploitation.
In 2024, this same group was observed exploiting earlier Cisco ASA/FTD zero-days (CVE-2024-20353, CVE-2024-20359) to deploy Line Runner and Line Dancer malware.

Your Next Critical Step

Do not delay. The exploitation of these vulnerabilities is ongoing and widespread.
The combination of authentication bypass and remote code execution poses an extreme risk to network perimeter security.