A sophisticated, state-sponsored cyber-espionage campaign is targeting major government agencies by exploiting newly disclosed security flaws in Cisco firewalls, according to warnings issued by the UK’s National Cyber Security Centre (NCSC).
The attackers are leveraging two critical zero-day vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) firewalls to deliver two previously undocumented and highly advanced malware families, dubbed RayInitiator and LINE VIPER.
The NCSC stated that the new malware represents a “significant evolution” in sophistication and ability to evade detection compared to previous campaigns linked to the same threat cluster.
Cisco disclosed on Thursday (25 September 2025) that it began investigating attacks linked to the campaign in May 2025. The activity has focused on older, often end-of-support (EoS) ASA 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services enabled.
The attackers, linked to a cluster known as ArcaneDoor and attributed to a suspected China-linked hacking group called UAT4356 (or Storm-1849), exploited multiple zero-day flaws to execute malicious code and potentially exfiltrate data.
The vulnerabilities are tracked as CVE-2025-20362 (CVSS score: 6.5), a missing-authorization flaw in the ASA VPN web server that lets an unauthenticated remote attacker reach restricted URL endpoints, and the highly critical CVE-2025-20333 (CVSS score: 9.9), a buffer overflow in the same web server that lets an authenticated attacker execute code as root. Chained together, the two allow an attacker to bypass authentication and execute code on vulnerable appliances.
Cisco observed that the hackers employed advanced evasion techniques, including disabling logging, intercepting command line interface (CLI) commands, and intentionally crashing devices to prevent diagnostic analysis.
Crucially, many of the compromised ASA 5500-X Series models are reaching or have already reached their official end-of-support dates. These models also lack the Secure Boot and Trust Anchor protections of newer platforms, which is why a bootloader implant can persist on them.
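The exposure profile above (an ASA with VPN web services enabled, running a release older than the fix) is something a practitioner will want to check across a fleet from saved configurations rather than by logging into each box. The following is an added example, not code from Cisco, the NCSC or the article: it parses an ASA running-config for a `webvpn` block with `enable <interface>` (the SSL VPN web server) and for IKEv2 client services, extracts the `ASA Version` line, and compares it against a first-fixed-release table. The `FIXED_RELEASES_PLACEHOLDER` values and the sample configuration are constructed for illustration and are not taken from Cisco's advisory; replace the table with the fixed releases Cisco lists for CVE-2025-20333 and CVE-2025-20362 before using it.

```python
"""Added example: flag ASA configs that match the article's exposure profile.
NOT Cisco, NCSC or article code; the fixed-release table is a placeholder."""
import re

# PLACEHOLDER ASSUMPTION: software train -> first fixed release in that train.
# These numbers are made up for the example. Take the real ones from Cisco's
# advisory for CVE-2025-20333 / CVE-2025-20362.
FIXED_RELEASES_PLACEHOLDER = {
    "9.16": "9.16.4.100",
    "9.18": "9.18.4.100",
    "9.20": "9.20.4.100",
}

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
: Saved
:
ASA Version 9.18(4)22
!
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
crypto ikev2 enable outside client-services port 443
group-policy GP-REMOTE attributes
 webvpn
  anyconnect keep-installer installed
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.08029-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
"""


def parse_version(text):
    """'9.18(4)22' or '9.18.4.22' -> (9, 18, 4, 22); tuples compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def config_version(config):
    """Return the 'ASA Version ...' string from the top of the config, or None."""
    m = re.search(r"^ASA Version (\S+)", config, re.M)
    return m.group(1) if m else None


def vpn_web_interfaces(config):
    """Interfaces on which the SSL VPN web server or IKEv2 client services are enabled.

    Only a top-level 'webvpn' block counts; the indented 'webvpn' under a
    group-policy is a different context and is skipped.
    """
    ifaces = set()
    in_webvpn = False
    for line in config.splitlines():
        if in_webvpn and not line.startswith(" "):
            in_webvpn = False  # left the webvpn block
        if in_webvpn:
            m = re.match(r" +enable (\S+)", line)
            if m:
                ifaces.add(m.group(1))
            continue
        if line.rstrip() == "webvpn":
            in_webvpn = True
            continue
        m = re.match(r"crypto ikev2 enable (\S+) client-services", line)
        if m:
            ifaces.add(m.group(1))
    return ifaces


def version_status(version, fixed_table):
    """'vulnerable', 'fixed', or 'unknown' (train not in the table)."""
    if not version:
        return "unknown"
    parsed = parse_version(version)
    fixed = fixed_table.get(".".join(str(n) for n in parsed[:2]))
    if fixed is None:
        return "unknown"
    return "vulnerable" if parsed < parse_version(fixed) else "fixed"


def assess(config, fixed_table):
    """Combine version and feature checks into one finding per device."""
    version = config_version(config)
    ifaces = sorted(vpn_web_interfaces(config))
    status = version_status(version, fixed_table)
    return {
        "version": version,
        "vpn_web_interfaces": ifaces,
        "version_status": status,
        # Exposed only when an unfixed build has the VPN web server reachable.
        "exposed": status == "vulnerable" and bool(ifaces),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG, FIXED_RELEASES_PLACEHOLDER))
```

A device whose train is not in the table comes back as `unknown` rather than `fixed`, so an incomplete table fails safe. The check covers only the SSL VPN web server and IKEv2 client services; Cisco's advisory lists further affected feature combinations and FTD releases, and a device that is not currently exposed still needs the update.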
The NCSC revealed that the attacks have used a multi-stage bootkit called RayInitiator to achieve persistence. RayInitiator is a persistent GRand Unified Bootloader (GRUB) bootkit that is flashed into the victim device's boot firmware, allowing it to survive reboots and even firmware upgrades.
This bootkit is then used to deploy LINE VIPER, a user-mode shellcode loader capable of performing a wide range of hostile functions, including:
Running CLI commands.
Performing packet captures.
Bypassing VPN authentication for the threat actor’s devices.
Suppressing system logs (syslog messages).
Harvesting user CLI commands.
LINE VIPER accomplishes its goals by modifying a core firewall component called “lina” (Linux-based Integrated Network Architecture) to ensure its execution and avoid forensic detection. The NCSC noted that the deployment of this persistent bootkit, combined with sophisticated defence evasion, demonstrates a significant increase in the attackers’ operational security.
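Two of the behaviours described above, suppression of syslog messages and deliberate crashes of the appliance, leave traces in the logs that are not on the device: a firewall that stops talking to its collector, and a startup message with no administrator reload behind it. The following is an added example, not code from Cisco, the NCSC or the article, that runs both hunts over ASA syslog. The log lines are constructed for the example; the timestamp prefix depends on your collector, and the message IDs used (`111008` for an executed CLI command, `199002` for startup completed, `302013` for a built TCP connection) are standard ASA syslog IDs.

```python
"""Added example: hunt ASA syslog for logging gaps and unexplained restarts.
NOT Cisco, NCSC or article code; sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: edge-fw goes silent for over an hour and then reports a
# startup that no administrator asked for; dc-fw restarts after an admin reload.
SAMPLE_LOGS = """\
2025-09-25T08:00:05 edge-fw %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.9/51022 (203.0.113.9/51022) to inside:10.0.0.5/443 (10.0.0.5/443)
2025-09-25T08:05:10 edge-fw %ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.9/51030 (203.0.113.9/51030) to inside:10.0.0.5/443 (10.0.0.5/443)
2025-09-25T08:10:02 edge-fw %ASA-5-111008: User 'admin' executed the 'show version' command.
2025-09-25T09:45:30 edge-fw %ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.9/51040 (203.0.113.9/51040) to inside:10.0.0.5/443 (10.0.0.5/443)
2025-09-25T09:47:00 edge-fw %ASA-6-199002: Startup completed.  Beginning operation.
2025-09-25T09:48:00 edge-fw %ASA-6-302013: Built inbound TCP connection 1 for outside:203.0.113.9/51050 (203.0.113.9/51050) to inside:10.0.0.5/443 (10.0.0.5/443)
2025-09-25T08:00:00 dc-fw %ASA-5-111008: User 'admin' executed the 'reload' command.
2025-09-25T08:03:30 dc-fw %ASA-6-199002: Startup completed.  Beginning operation.
"""

LINE_RE = re.compile(r"^(\S+) (\S+) %ASA-(\d)-(\d{6}): (.*)$")
RELOAD_RE = re.compile(r"executed the 'reload")  # also matches 'reload in N'


def parse(logs):
    """Parse '<timestamp> <host> %ASA-<sev>-<id>: <text>' lines; skip others."""
    events = []
    for raw in logs.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, host, sev, msgid, text = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "sev": int(sev), "id": msgid, "text": text})
    return events


def by_host(events):
    """Group events per device, sorted by time (collector order is not reliable)."""
    hosts = defaultdict(list)
    for e in events:
        hosts[e["host"]].append(e)
    for evs in hosts.values():
        evs.sort(key=lambda e: e["ts"])
    return hosts


def logging_gaps(events, threshold=timedelta(minutes=30)):
    """Intervals longer than `threshold` between consecutive messages from one device.

    Returns (host, last_seen, next_seen, gap). A busy edge firewall that logs
    nothing for half an hour is either offline or has had its syslog suppressed;
    compare against the device's normal volume before treating it as malicious.
    """
    findings = []
    for host, evs in by_host(events).items():
        for prev, cur in zip(evs, evs[1:]):
            gap = cur["ts"] - prev["ts"]
            if gap > threshold:
                findings.append((host, prev["ts"], cur["ts"], gap))
    return findings


def unexplained_restarts(events, window=timedelta(minutes=15)):
    """Startup messages (199002) with no 'reload' command (111008) in the prior window.

    Returns (host, startup_time). A restart nobody asked for is exactly what an
    attacker who crashes the box to destroy evidence leaves behind.
    """
    findings = []
    for host, evs in by_host(events).items():
        reloads = [e["ts"] for e in evs
                   if e["id"] == "111008" and RELOAD_RE.search(e["text"])]
        for e in evs:
            if e["id"] != "199002":
                continue
            explained = any(timedelta(0) <= e["ts"] - r <= window for r in reloads)
            if not explained:
                findings.append((host, e["ts"]))
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for f in logging_gaps(evs):
        print("logging gap:", f)
    for f in unexplained_restarts(evs):
        print("unexplained restart:", f)
```

Both hunts are deliberately simple and produce leads, not verdicts: quiet hours also create gaps, and power events also create unexplained startups. Reconcile each hit with change records and the device's own crash information before escalating, and remember that a device whose logging has been tampered with cannot be trusted to report on itself, which is why the evidence here comes from the collector rather than from the appliance.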
Cisco also addressed a third, separate critical flaw (CVE-2025-20363, CVSS score: 9.0) in the web services of its ASA, FTD and IOS-family software, which could also allow a remote attacker to execute arbitrary code with root privileges, leading to the complete compromise of the device. While there is no evidence this specific flaw has been exploited in the wild, cybersecurity agencies, including the Canadian Centre for Cyber Security, have urged organisations to update their affected Cisco ASA and FTD products immediately.

