Active Exploitation of Zero-Day Vulnerabilities in Cisco ASA Devices

Cisco ASA and FTD platforms have been targeted in a sophisticated global attack campaign leveraging two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, chained to gain code execution on internet-facing VPN head ends. The attacker deployed two malware families: RayInitiator, a bootkit that persists across reboots and firmware upgrades, and LINE VIPER, an in-memory implant that RayInitiator (or direct exploitation) loads into the device.
The urgency is underscored by CISA Emergency Directive ED-25-03, mandating immediate action for U.S. federal agencies, with global implications across all sectors using Cisco ASA platforms.

Severity: Critical

Threat Details

1. Threat Actor: Suspected Chinese espionage group (same actor behind 2024’s ArcaneDoor campaign)

2. Vulnerabilities: CVE-2025-20362 (missing authorization; unauthenticated access to restricted VPN web server URL endpoints) chained with CVE-2025-20333 (buffer overflow in the VPN web server; remote code execution as root, requires valid VPN user credentials, which the first bug supplies a path around). CVE-2025-20363 (unauthenticated RCE in the VPN web server on ASA/FTD, low-privileged RCE on IOS, IOS XE and IOS XR) was patched in the same advisory set and is listed here for completeness; at the time of writing Cisco had not reported in-the-wild exploitation of it.

3. Malware Used:

  • RayInitiator (bootkit)
    • RayInitiator is a persistent implant written into the GRUB bootloader of Cisco ASA devices. It survives reboots and firmware upgrades and is used to load the second-stage implant, LINE VIPER, at every boot.
    • Key Capabilities: Deep persistence in the GRUB bootloader; injects itself during device boot; establishes a stealthy execution path to launch LINE VIPER; observed only on legacy ASA 5500-X hardware that lacks Secure Boot and Trust Anchor, since those protections would reject a modified bootloader.
  • LINE VIPER (modular shellcode)
    • LINE VIPER is a modular, in-memory shellcode implant executed inside the lina process after boot. It gives the attacker full control over the device: running CLI commands, exfiltrating data, hiding its presence, and capturing network traffic.
    • Key Capabilities: Tasked via crafted WebVPN requests; grants attacker admin-level CLI access; bypasses AAA authentication; suppresses syslog entries and hides CLI commands from logging; collects packet captures and user activity; can force a device crash or reboot to destroy evidence; communicates over WebVPN client authentication sessions (HTTPS) or ICMP.

4. Attack Flow:

  • [Initial Access]
    • Exploitation of CVE-2025-20362 → unauthenticated access to restricted WebVPN URL endpoints
    • Exploitation of CVE-2025-20333 → remote code execution inside the lina process
  • [Execution]
    • LINE VIPER loader placed in lina memory → LINE VIPER modules executed in memory
  • [Persistence] (legacy hardware without Secure Boot only)
    • RayInitiator written to the GRUB bootloader → reloads LINE VIPER on every boot, surviving reboots and firmware upgrades
  • [Command and Control]
    • Tasking and exfiltration over WebVPN client authentication sessions (HTTPS) or ICMP

Affected Products

  1. These vulnerabilities affect Cisco devices if they were running a vulnerable release of Cisco Secure Firewall ASA Software or Cisco Secure FTD Software:
    Cisco ASA Software Releases: 9.12, 9.14, 9.16, 9.17, 9.18, 9.19, 9.20, 9.22, 9.23
    Cisco FTD Software Releases: 7.0, 7.1, 7.2, 7.3, 7.4, 7.6, 7.7
  2. CVE-2025-20363 additionally affects the following platforms (beyond ASA and FTD):
    IOS and IOS XE Software if they have the Remote Access SSL VPN feature enabled
    IOS XR Software (32-bit) if it is running on Cisco ASR 9001 Routers that have the HTTP server enabled

Recommendations

  1. Cisco strongly recommends that customers upgrade to a fixed release. If the device is vulnerable but cannot be upgraded due to end of life or support status, Cisco strongly recommends that the device be migrated to supported hardware and software.
  2. Ensure Cisco ASA, FTD, IOS, IOS XE, and IOS XR Software are running the latest security updates.
  3. Mitigation (temporary only, until a fixed release is installed): Disable all SSL/TLS-based VPN web services. This includes disabling IKEv2 client services that facilitate the update of client endpoint software and profiles as well as disabling all SSL VPN services. Note that this cuts off remote-access VPN users, so it is a stop-gap rather than a substitute for patching, and it does not remove malware already resident on the device.
  4. In cases of suspected or confirmed compromise on any Cisco firewall device, all configuration elements of the device should be considered untrusted.
    Cisco recommends that all configurations, especially local passwords, certificates, and keys, be replaced after the upgrade to a fixed release. This is best achieved by resetting the device to factory defaults after the upgrade to a fixed release using the configure factory-default command in global configuration mode and then reconfiguring the device with new passwords, certificates, and keys from scratch. If the configure factory-default command is not supported, use the commands write erase and then reload instead.
  5. If the file firmware_update.log is found on disk0: after upgrade to a fixed release, customers should open a case with the Cisco Technical Assistance Center (TAC) with the output of the show tech-support command and the content of the firmware_update.log file.
  6. Use CISA’s Core Dump & Hunt instructions for compromised ASA analysis
    https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions
  7. Use Cisco’s Detection Guidance to identify potential malicious activity targeting devices running Cisco ASA or FTD Software that are configured as VPN head ends.
    https://sec.cloudapps.cisco.com/security/center/resources/detection_guide_for_continued_attacks
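The two checks a practitioner can script from this advisory are the version-train comparison from the Affected Products section and the firmware_update.log indicator from recommendation 5. The script below is an added example, not Cisco's or the advisory author's tooling: it parses pasted `show version` and `dir disk0:` output and returns a triage record. The regular expressions for the version banners and the sample outputs are constructed for illustration and are assumptions about typical output formats; the script can only say whether a device is on a listed train, not whether its specific build already carries the fix, so a hit means "compare against Cisco's fixed-release table", not "confirmed vulnerable".

```python
"""Triage helper for the Cisco ASA/FTD advisory (added example, not Cisco tooling)."""
import json
import re

# Release trains the advisory lists as affected (Affected Products section).
AFFECTED_TRAINS = {
    "ASA": {"9.12", "9.14", "9.16", "9.17", "9.18", "9.19", "9.20", "9.22", "9.23"},
    "FTD": {"7.0", "7.1", "7.2", "7.3", "7.4", "7.6", "7.7"},
}

# Version banners as printed by `show version`. Exact wording varies by release;
# these patterns are assumptions covering the common forms.
_ASA_RE = re.compile(r"Adaptive Security Appliance Software Version\s+(\d+\.\d+)\(([^)]+)\)(\S*)")
_FTD_RE = re.compile(r"Firepower.*?Threat Defense.*?Version\s+(\d+\.\d+)(\.\d+)?")
# Indicator from recommendation 5: firmware_update.log present on disk0:.
_LOG_RE = re.compile(r"\bfirmware_update\.log\b")


def parse_version(show_version: str):
    """Return (platform, train, full_version) from `show version` text, or None.

    The FTD banner is checked first so that an FTD device is classified as FTD
    even if an ASA-style version line also appears in the output.
    """
    m = _FTD_RE.search(show_version)
    if m:
        train = m.group(1)
        return "FTD", train, train + (m.group(2) or "")
    m = _ASA_RE.search(show_version)
    if m:
        train = m.group(1)
        return "ASA", train, f"{train}({m.group(2)}){m.group(3)}"
    return None


def train_is_affected(platform: str, train: str) -> bool:
    """True if the release train is in the advisory's affected list for that platform."""
    return train in AFFECTED_TRAINS.get(platform, set())


def has_firmware_update_log(dir_disk0: str) -> bool:
    """True if any line of `dir disk0:` output lists firmware_update.log."""
    return any(_LOG_RE.search(line) for line in dir_disk0.splitlines())


def triage(show_version: str, dir_disk0: str) -> dict:
    """Combine both checks into one record with the advisory's recommended actions."""
    log_present = has_firmware_update_log(dir_disk0)
    parsed = parse_version(show_version)
    record = {"platform": None, "version": None, "affected_train": False,
              "firmware_update_log": log_present, "actions": []}
    if parsed is None:
        record["actions"].append("version banner not recognised; inspect show version manually")
    else:
        platform, train, full = parsed
        record.update(platform=platform, version=full,
                      affected_train=train_is_affected(platform, train))
        if record["affected_train"]:
            record["actions"].append(
                f"{platform} {full} is on affected train {train}; "
                "compare with Cisco's fixed-release table and upgrade")
    if log_present:
        record["actions"].append(
            "firmware_update.log found on disk0:; after upgrading, open a TAC case "
            "with show tech-support output and the log, and treat the configuration "
            "as untrusted (factory-default, then rotate passwords, certificates, keys)")
    return record


# Constructed sample outputs (illustrative, not captured from a real device).
SAMPLE_ASA_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.16(4)67
SSP Operating System Version 2.10(1.218)
Device Manager Version 7.16(1)

System image file is "disk0:/asa9-16-4-67-smp-k8.bin"
"""

SAMPLE_DIR_DISK0 = """\
Directory of disk0:/

11     -rwx  107134976    10:12:34 Sep 25 2025  asa9-16-4-67-smp-k8.bin
12     -rwx  2410         09:01:05 Sep 26 2025  firmware_update.log
13     drwx  4096         08:00:00 Jan 01 2024  coredumpinfo
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ASA_SHOW_VERSION, SAMPLE_DIR_DISK0), indent=2))
```

Feed it the raw text of both commands for each ASA or FTD in the fleet; anything with `affected_train` or `firmware_update_log` set goes onto the upgrade and TAC list. Because the check is by train rather than by build, keep it as a first-pass filter in front of the fixed-release table in Cisco's advisory, and run CISA's Core Dump & Hunt procedure on any device where the log is present rather than relying on the file check alone.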

Source:

  • https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
  • https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf
  • https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
  • https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices

Ampcus Cyber