Zero-Day Threat Brief: State-Sponsored Actor Exploits Cisco ASA & FTD Vulnerabilities

Executive Summary

In September 2025, Cisco disclosed three critical vulnerabilities impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms. Two of these vulnerabilities — CVE-2025-20333 and CVE-2025-20362 — were actively exploited in the wild by a sophisticated, likely nation-state actor known as UAT4356 (also tracked as Storm-1849), the same group responsible for the ArcaneDoor campaign in 2024.

These attacks target perimeter security devices — firewalls and VPN gateways — enabling stealthy access into government and high-value enterprise networks. The campaign uses advanced malware, including a persistent bootkit (“RayInitiator”) and a memory-resident shellcode loader (“LINE VIPER”), to bypass traditional defenses and maintain long-term access.




Timeline of Events

  • September 25, 2025: Cisco publishes advisories for CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363.
  • Same Day: CISA issues Emergency Directive 25-03 mandating patching of federal systems.
  • UK NCSC: Releases malware analysis report detailing RayInitiator and LINE VIPER.
  • Tenable, Palo Alto Networks, and others: Release threat advisories supporting Cisco’s findings.



Vulnerabilities Overview

CVE            | Description                                                          | CVSS           | Exploited
---------------|----------------------------------------------------------------------|----------------|----------
CVE-2025-20333 | Remote code execution (RCE) vulnerability in the VPN web server of Cisco ASA/FTD | 9.9 (Critical) | Yes
CVE-2025-20362 | Unauthorized access to restricted VPN endpoints                       | 6.7 (Medium)   | Yes
CVE-2025-20363 | RCE in web services affecting ASA, FTD, IOS, IOS XE, IOS XR          | 9.0 (Critical) | No

Two of the vulnerabilities (20333 and 20362) were used in combination to gain control of ASA/FTD appliances exposed to the internet. Cisco confirmed both were zero-day exploits at the time of detection.




Threat Actor & Malware Profile

Actor: UAT4356 / Storm-1849

  • Previously linked to ArcaneDoor (April 2024)
  • Focused on stealth, persistence, and data exfiltration
  • Targeting government agencies and high-value organizations

RayInitiator (Bootkit):

  • Multi-stage GRUB-style bootloader
  • Persists across reboots and firmware updates on devices lacking secure boot
  • Launches additional payloads in early boot stages

LINE VIPER (Shellcode Loader):

  • Memory-resident payload, never written to disk
  • Communicates with C2 over WebVPN HTTPS or ICMP
  • Capable of deploying modular post-exploitation tooling



Patch Mapping (Examples)

Cisco has published fixed versions for actively supported software branches. Older releases may require full version migration.

ASA Fixed Versions

  • 9.16 → 9.16.4.85
  • 9.18 → 9.18.4.67
  • 9.19 → 9.19.1.42
  • 9.20 → 9.20.4.10
  • 9.22 → 9.22.2.14
  • 9.23 → 9.23.1.19

ASA 9.17 is not patched — migration required.

FTD Fixed Versions

  • 7.0 → 7.0.8.1
  • 7.2 → 7.2.10.2
  • 7.4 → 7.4.2.4
  • 7.6 → 7.6.2.1
  • 7.7 → 7.7.10.1

FTD 7.1 and 7.3 are not patched — migration required.
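As an added example (not from Cisco or the brief's author), a small Python triage script that checks an inventory of ASA/FTD versions against the fixed versions listed above, so that the two unpatched trains are reported as "migrate" rather than compared against a fix that does not exist. The inventory hostnames are constructed and the status labels and function names are our own.

```python
"""Triage an inventory of ASA/FTD versions against the fixed versions listed in
this brief. Added example: the tables are copied from the brief; the inventory,
function names and "unknown" handling are ours."""
from itertools import takewhile
from typing import Dict, Tuple

# Fixed versions per release train, as listed in the brief.
ASA_FIXED = {"9.16": "9.16.4.85", "9.18": "9.18.4.67", "9.19": "9.19.1.42",
             "9.20": "9.20.4.10", "9.22": "9.22.2.14", "9.23": "9.23.1.19"}
FTD_FIXED = {"7.0": "7.0.8.1", "7.2": "7.2.10.2", "7.4": "7.4.2.4",
             "7.6": "7.6.2.1", "7.7": "7.7.10.1"}
# Trains the brief says carry no fix: migration to a fixed train is required.
MIGRATE_ONLY = {"ASA": {"9.17"}, "FTD": {"7.1", "7.3"}}


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise ASA '9.18(4)67', FTD '7.2.10.2' or '7.2.5 (build 208)' to a
    tuple of integers so versions compare numerically, not as strings."""
    for ch in "() -":
        text = text.replace(ch, ".")
    tokens = [t for t in text.split(".") if t]
    return tuple(int(t) for t in takewhile(str.isdigit, tokens))


def assess(product: str, version: str) -> str:
    """Return 'fixed', 'vulnerable', 'migrate' or 'unknown' for one device.
    Unknown trains are reported, never silently treated as safe."""
    parsed = parse_version(version)
    if len(parsed) < 2:
        return "unknown"
    train = f"{parsed[0]}.{parsed[1]}"
    if train in MIGRATE_ONLY.get(product, set()):
        return "migrate"
    table = ASA_FIXED if product == "ASA" else FTD_FIXED
    if train not in table:
        return "unknown"
    return "fixed" if parsed >= parse_version(table[train]) else "vulnerable"


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> status for an inventory of (product, version) pairs."""
    return {host: assess(prod, ver) for host, (prod, ver) in inventory.items()}


# Constructed inventory, not real devices.
SAMPLE_INVENTORY = {
    "fw-edge-01": ("ASA", "9.18(4)67"),    # fixed: equals 9.18.4.67
    "fw-dmz-01": ("ASA", "9.18(4)50"),     # vulnerable: below 9.18.4.67
    "fw-branch-02": ("ASA", "9.17(1)30"),  # migrate: 9.17 has no fix
    "ftd-core-01": ("FTD", "7.4.2.3"),     # vulnerable: below 7.4.2.4
    "ftd-lab-01": ("FTD", "7.3.1.1"),      # migrate: 7.3 has no fix
}
```

Feed it the output of `show version` from each appliance; anything not reported as "fixed" goes on the patch or migration list.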




Immediate Response Checklist

1. Patch Affected Devices

  • Upgrade ASA and FTD software to Cisco’s fixed versions.
  • If on unsupported versions, initiate migration immediately.

2. Review VPN and Web Service Exposure

  • Disable WebVPN where possible.
  • Restrict external access until devices are confirmed clean.

3. Confirm Logging and Export Telemetry

  • Validate logs weren’t disabled or tampered with.
  • Export all available logs to external systems.

4. Hunt for Known Indicators of Compromise

  • Search for signs of RayInitiator or LINE VIPER.
  • Monitor WebVPN and ICMP activity for potential C2 channels.

5. Perform a Compromise Assessment

  • Analyze boot-level artifacts on ASA 5500-X and similar models.
  • Capture memory and configs for forensic review.
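Added example, not part of the original brief, for step 3 of the checklist: two checks to run over an exported ASA syslog before trusting it for the hunt, a silence detector for long gaps in the stream and a scan of the CLI audit messages for any command that touched the logging configuration. The log lines are constructed in ASA syslog style (%ASA-<severity>-<message-id>); hostnames and addresses are made up.

```python
"""Sanity checks on exported ASA syslog before relying on it for hunting:
report long silences in the stream and any CLI command that changed 'logging'
configuration. Added example with constructed log lines in ASA syslog style;
hostnames and addresses are made up."""
import re
from datetime import datetime, timedelta
from typing import List, Tuple

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<msg>.*)$")
CMD_RE = re.compile(r"executed '([^']*)'")
CONFIG_AUDIT_IDS = {"111008", "111010"}  # ASA 'user executed command' messages

# Constructed export: a two-hour hole while remote logging was switched off.
SAMPLE_LOG = """\
Sep 25 2025 08:00:01 fw-edge-01 : %ASA-6-302013: Built inbound TCP connection 3310 for outside:198.51.100.20/51234 (198.51.100.20/51234) to identity:203.0.113.5/443 (203.0.113.5/443)
Sep 25 2025 08:00:09 fw-edge-01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.10, executed 'no logging host inside 10.0.0.50'
Sep 25 2025 08:00:10 fw-edge-01 : %ASA-6-302014: Teardown TCP connection 3310 for outside:198.51.100.20/51234 to identity:203.0.113.5/443 duration 0:00:09 bytes 4821 TCP FINs
Sep 25 2025 10:15:44 fw-edge-01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 192.0.2.10, executed 'logging host inside 10.0.0.50'
Sep 25 2025 10:15:50 fw-edge-01 : %ASA-6-302013: Built inbound TCP connection 3311 for outside:198.51.100.77/40211 (198.51.100.77/40211) to identity:203.0.113.5/443 (203.0.113.5/443)
"""


def parse_syslog(text: str) -> List[dict]:
    """Parse lines into dicts with a 'time' field; non-matching lines are dropped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["time"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
            events.append(ev)
    return events

def find_gaps(events, max_gap=timedelta(minutes=30)) -> List[Tuple[datetime, datetime]]:
    """Consecutive events further apart than max_gap: a busy perimeter firewall
    that goes quiet for long is a sign logging was interrupted."""
    times = sorted(ev["time"] for ev in events)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]

def find_logging_changes(events) -> List[str]:
    """Commands from the CLI audit messages that touched 'logging' config."""
    hits = []
    for ev in events:
        if ev["msgid"] in CONFIG_AUDIT_IDS:
            m = CMD_RE.search(ev["msg"])
            if m and "logging" in m.group(1).lower():
                hits.append(m.group(1))
    return hits
```

A gap that lines up with a logging change, as in the sample, means the export cannot be treated as complete for that window and the device's local buffer should be pulled before it wraps.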



What Organizations Should Know

Lifecycle of a Zero-Day

State-sponsored actors often exploit zero-days months before detection. Once public, these exploits are quickly repurposed by cybercriminals. The result is a two-stage threat:

  1. Targeted, stealthy intrusions (by nation-state actors)
  2. Mass exploitation (by cybercriminals using retooled PoCs)

Patch-or-perish scenarios emerge — where unpatched organizations become low-hanging fruit for automated exploit kits.




How VerSprite Can Help

VerSprite offers tailored services across detection, response, validation, and hardening. Based on this specific campaign, the following services are especially relevant:

Managed SOC & Threat Visibility

  • TIG09 – Managed Log Management & Monitoring
    Centralized log ingestion, anomaly detection, and retention. Perfect for environments where ASA/FTD telemetry may be missing or corrupted.
  • TIG14 – Compromise Assessments
    Identify indicators of compromise across edge devices and internal infrastructure.

Threat & Vulnerability Management

  • TIG11 – Vulnerability Assessments
    One-time or recurring scans of Cisco devices and other edge systems.
  • TIG13 – TVM Subscription
    Ongoing vulnerability scanning, threat intelligence correlation, and mitigation prioritization.
  • TIG30 – Continuous Exposure Management
    Combines attack path modeling and exposure validation to reduce real-world risk.

Detection Engineering

  • TIG27 – Detection-as-a-Service
    Ongoing creation and optimization of detection rules for WebVPN, ICMP, and memory-resident malware.
  • TIG32 – Adversary Emulation & MITRE Gap Assessments
    Test your SIEM/SOAR/EDR’s ability to detect similar threats using emulation tools.

Incident Response & Forensics

  • TIG06 – Intrusion Handling & Response
    On-demand response, coordination, and root cause analysis.
  • TIG16 – DFIR Retainer
    Full-scope digital forensics and IR for persistent access campaigns.
  • TIG29 – IR Advisory Retainer
    Ongoing access to senior IR experts to develop playbooks and support incident escalations.

Engineering & Hardening

  • TIG21 – Security Tool Deployment & Configuration
    Get maximum visibility from Cisco ASA/FTD, SIEM, EDR, and telemetry sources.
  • TIG28 – Security Engineering Advisory Retainer
    Flexible access to senior security architects for tuning, validation, and strategy alignment.



Contact VerSprite

Let VerSprite help you stay ahead of rapidly evolving threats and reduce your exposure to nation-state–level adversaries. Contact us to schedule a consultation or incident review today.

VerSprite’s Cyber Defense Group is ready to help.
Whether you’re looking to harden your development pipeline, respond to a breach, or gain visibility across your software supply chain, our team combines deep expertise, proven methodology, and modern AI-driven tooling to keep your business ahead of the threat curve.
