
Technical Breakdown: How the ArcaneDoor Group Leverages Multiple Cisco Zero-Days for Stealthy Infiltration


A sophisticated, state-sponsored threat actor tracked as ArcaneDoor is actively exploiting two new zero-day vulnerabilities in Cisco firewalls. The campaign deploys a dangerous malware cocktail to conduct espionage against government networks.

  • Threat: A highly advanced campaign targeting critical network infrastructure.
  • Malware Used: LINE VIPER (a stealthy backdoor) and RayInitiator (a persistent bootkit).
  • Impact: Complete device takeover, data theft, and long-term, undetectable network access.
  • Action: Immediate patching and threat hunting are critical.

Background: Who is ArcaneDoor?

ArcaneDoor is a newly identified, highly sophisticated threat actor believed to be operating on behalf of a nation-state. Intelligence from security agencies and threat researchers indicates the group’s primary motive is espionage, with a strategic focus on government and critical infrastructure sectors.

Key characteristics of this actor include:

  • High-Level Skill: ArcaneDoor demonstrates exceptional technical capability by discovering and weaponizing multiple zero-day vulnerabilities in hardened enterprise security devices.
  • Custom Tooling: The group develops and deploys a bespoke malware suite (LINE VIPER, RayInitiator) designed for maximum stealth, persistence, and evasion.
  • Extreme Stealth: Their tactics, techniques, and procedures (TTPs) are meticulously designed to avoid detection, including advanced anti-forensic measures and operating in memory to leave a minimal footprint.
  • Targeted Operations: Rather than widespread attacks, ArcaneDoor conducts focused, intelligence-driven campaigns against high-value targets.

Vulnerability Details

The attackers are chaining two key vulnerabilities:

| CVE-ID | CVSS Score | EPSS Score* | Vulnerability & Impact | Affected Devices |
| --- | --- | --- | --- | --- |
| CVE-2025-20333 | 9.9 | 96.55% | Allows an attacker with VPN credentials to execute code with the highest privileges (root). | Cisco ASA 5500-X series (5512-X to 5585-X) without Secure Boot |
| CVE-2025-20362 | 6.5 | 2.22% | Allows an unauthenticated attacker to access restricted parts of the device. | Cisco ASA 5500-X series (5512-X to 5585-X) without Secure Boot |

How the Attack Works: The Infection Chain

The attack unfolds in a precise, multi-stage sequence designed for stealth and persistence:

  1. Initial Breach: Attackers exploit the vulnerabilities to gain their first foothold on an unpatched Cisco ASA device.
  2. Backdoor Deployed: The exploit is used to inject the LINE VIPER backdoor directly into the device’s memory, leaving no immediate trace on the disk.
  3. Persistence Established: From memory, LINE VIPER deploys the RayInitiator bootkit.
  4. Deep Infection: RayInitiator is flashed to the device’s ROM, altering the very first code that runs when the device starts up (the GRUB bootloader).
  5. Long-Term Access: Every time the device reboots, RayInitiator ensures LINE VIPER is reloaded, giving the attackers persistent control.

The Malware Deployed

The campaign uses a specialized two-part malware system:

RayInitiator – The Persistence Tool

  • Function: A GRUB bootkit that ensures the main backdoor survives reboots and even firmware updates.
  • Stealth: Operates before the main operating system loads, making it invisible to traditional security software.

LINE VIPER – The Backdoor

  • Function: An in-memory backdoor that gives attackers full control.
  • Capabilities: Can execute commands, capture network traffic, and steal credentials.
  • Anti-Forensics: Actively hides its tracks by disabling logs and even crashing the device to prevent analysis.

Techniques and Tactics

| TTP ID | Technique Name | Description |
| --- | --- | --- |
| T1190 | Exploit Public-Facing Application | Gaining initial entry by exploiting the zero-day vulnerabilities in the Cisco ASA device. |
| T1542 | Pre-OS Boot | Using the RayInitiator bootkit to modify the bootloader for persistent malware loading. |
| T1014 | Rootkit | RayInitiator acts as a bootkit to hide the LINE VIPER backdoor from the operating system. |
| T1070 | Indicator Removal on Host | LINE VIPER actively disables logging and manipulates system commands to evade detection. |
| T1059 | Command and Scripting Interpreter | The backdoor provides shell access to execute any command on the compromised firewall. |
| T1003 | OS Credential Dumping | The malware is designed to capture and steal administrator credentials entered via the command line. |

Impact: What’s at Risk?

  • Complete Network Takeover: Attackers gain full, persistent control over the gateway to your network.
  • Data Espionage: The primary goal is to steal sensitive data by moving silently from the firewall into the internal network.
  • Silent Persistence: The advanced anti-forensic techniques make this threat extremely difficult to detect and remove.

Visual: ArcaneDoor Attack Flow

[Attacker] -> [Exploit ASA Zero-Days] -> [LINE VIPER Deployed to Memory] -> [RayInitiator Flashed to ROM] -> [GRUB Modified] -> [Persistent Control & C2] -> [Data Exfiltration / Lateral Movement]

What You Need to Do Now: Mitigation Steps

  1. Patch Immediately: Apply Cisco’s emergency security updates to all affected devices without delay.
  2. Replace Old Hardware: As recommended by the NCSC, replace end-of-life ASA 5500-X models. Newer hardware with Secure Boot is more resilient to this type of attack.
  3. Hunt for a Breach: Follow Cisco’s official detection guides to search for signs of compromise. Monitor for unexpected reboots, crashes, or disabled logging on ASA devices.
  4. Rotate All Credentials: Immediately change all passwords, certificates, and keys on any device that has been updated or is suspected of compromise.
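The threat-hunting step above asks you to watch ASA devices for unexpected reboots, crashes, and disabled logging. The script below is an added example, not code from the original post or from Cisco: it scans syslog-style lines for those three signals and treats a boot as unexpected when no operator 'reload' command precedes it. The log lines, their layout and the message IDs are constructed approximations of ASA syslog output and should be adjusted to what your collector actually receives.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an approximated ASA syslog layout; the message
# text and IDs are illustrative and not taken from the page or Cisco docs.
SAMPLE_LOGS = [
    "Sep 25 2025 01:10:02 fw01 %ASA-5-111008: User 'admin' executed the 'show version' command.",
    "Sep 25 2025 01:12:44 fw01 %ASA-5-111008: User 'admin' executed the 'no logging enable' command.",
    "Sep 25 2025 01:13:01 fw01 %ASA-6-199002: Startup completed. Beginning operation.",
    "Sep 25 2025 03:40:19 fw01 %ASA-6-199002: Startup completed. Beginning operation.",
    "Sep 26 2025 09:00:00 fw01 %ASA-5-111008: User 'netops' executed the 'reload' command.",
    "Sep 26 2025 09:03:12 fw01 %ASA-6-199002: Startup completed. Beginning operation.",
]

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
LOGGING_OFF_RE = re.compile(r"executed the 'no logging (?:enable|buffered|trap|host)[^']*'")
RELOAD_RE = re.compile(r"executed the 'reload[^']*'")
STARTUP_RE = re.compile(r"Startup completed")
CRASH_RE = re.compile(r"crash", re.IGNORECASE)


def hunt(lines, reload_window=timedelta(minutes=15)):
    """Return (kind, host, timestamp) findings for the three hunting signals:
    logging switched off, a boot not preceded by an operator 'reload' within
    reload_window, and any crash message."""
    findings = []
    last_reload = {}  # host -> time of the most recent operator-issued reload
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected layout
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        host, msg = m["host"], m["msg"]
        if LOGGING_OFF_RE.search(msg):
            findings.append(("logging_disabled", host, m["ts"]))
        elif RELOAD_RE.search(msg):
            last_reload[host] = ts
        elif STARTUP_RE.search(msg):
            # A boot with no recent 'reload' command is an unexplained restart.
            planned = host in last_reload and ts - last_reload[host] <= reload_window
            if not planned:
                findings.append(("unexpected_reboot", host, m["ts"]))
        elif CRASH_RE.search(msg):
            findings.append(("crash", host, m["ts"]))
    return findings


if __name__ == "__main__":
    for kind, host, when in hunt(SAMPLE_LOGS):
        print(f"{when} {host}: {kind}")
```

On the sample, the first two boots are flagged because nothing explains them, while the third follows a 'reload' issued three minutes earlier and is treated as planned.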

Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.