Cisco ASA Firewall Zero-Day Exploits Deliver RayInitiator and LINE VIPER Malware

The U.K. National Cyber Security Centre (NCSC) and Cisco have confirmed active exploitation of recently disclosed vulnerabilities in Cisco ASA firewalls to deploy two highly persistent and evasive malware families, RayInitiator and LINE VIPER. The campaign, attributed to the ArcaneDoor activity cluster and linked to UAT4356 (also tracked as Storm-1849), targets ASA 5500-X Series appliances and, in some cases, modifies ROMMON to remain persistent across reboots.

What happened, who is affected, and when

In May 2025 Cisco began investigating intrusions against multiple government networks, which led to the discovery of attacks that exploited several zero-day flaws in Adaptive Security Appliance (ASA) 5500-X Series devices. The U.K. NCSC, in an advisory released September 25, confirmed the deployment of a multi-stage bootkit, RayInitiator, which in turn loads a user-mode shellcode loader named LINE VIPER. Cisco also reported a separate critical web-service vulnerability, which has since been patched, and the Canadian Centre for Cyber Security urged rapid updates.

Technical overview, tactics, and impact

Attackers exploited at least two tracked vulnerabilities, CVE-2025-20362 (CVSS 6.5) and CVE-2025-20333 (CVSS 9.9), to bypass authentication and execute code on vulnerable ASA appliances, enabling the installation of persistent firmware-level implants. In some instances, adversaries altered ROMMON, the read-only monitor used for boot and diagnostics, to survive firmware upgrades and reboots, but those ROMMON modifications were observed only on ASA 5500-X models that lack Secure Boot and Trust Anchor protections.

The campaign shows advanced evasion techniques, including disabling logging, intercepting CLI commands, and intentionally crashing devices to frustrate forensic analysis. Attackers also modified a legitimate ASA binary named lina, which handles core firewall functions, to load LINE VIPER while leaving minimal forensic traces.

RayInitiator, the bootkit

RayInitiator is described as a persistent bootkit, similar to a GRUB-style bootloader, that is flashed onto victim devices. Its role is to persist through reboots and firmware upgrades, and to load LINE VIPER into memory, ensuring the implant is active each boot. Because it lives at a low level, detection and removal are more complex than typical user-mode malware.

LINE VIPER, the loader and backdoor

LINE VIPER functions as a user-mode shellcode loader and backdoor, capable of:

  • Running CLI commands on the appliance,
  • Capturing packets,
  • Bypassing VPN AAA (Authentication, Authorization, Accounting) for actor-controlled devices,
  • Suppressing syslog messages,
  • Harvesting user CLI commands,
  • Forcing delayed reboots to evade analysis.

LINE VIPER supports two C2 (command-and-control) channels: WebVPN client authentication sessions over HTTPS, and ICMP with raw TCP responses. Having both increases its flexibility and stealth. Compared to the tooling ArcaneDoor used in 2024, this malware pair shows a clear improvement in operational security and detection evasion.
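Because the implant suppresses syslog messages, one of the cheapest detections a defender can run at the log collector is a silence check: a firewall that is still forwarding traffic but has stopped sending syslog, or a firewall that is expected to report and never does, deserves a look. The script below is an added example, not code from the NCSC or Cisco advisories; the syslog lines are constructed (timestamp, hostname, free-text message) and the hostnames and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of what a collector receives, in the form
# "<ISO-8601 UTC timestamp> <hostname> <message>". Not real device output.
# asa-edge-1 goes quiet after 10:05 while its peers keep logging.
SAMPLE_SYSLOG = """\
2025-09-25T10:00:05Z asa-edge-1 connection built to internal host
2025-09-25T10:00:07Z asa-edge-2 connection built to internal host
2025-09-25T10:00:09Z asa-edge-3 connection built to internal host
2025-09-25T10:02:10Z asa-edge-1 user session started
2025-09-25T10:05:30Z asa-edge-1 connection torn down
2025-09-25T10:20:00Z asa-edge-2 user session started
2025-09-25T10:21:15Z asa-edge-3 connection torn down
2025-09-25T10:39:50Z asa-edge-3 connection built to internal host
2025-09-25T10:40:02Z asa-edge-2 connection torn down
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def last_seen_per_host(lines):
    """Map each reporting hostname to the timestamp of its most recent message."""
    seen = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, _message = line.split(" ", 2)
        when = datetime.strptime(ts, TS_FORMAT)
        if host not in seen or when > seen[host]:
            seen[host] = when
    return seen


def silent_hosts(lines, max_gap, expected_hosts=(), now=None):
    """Return hosts whose last message is older than max_gap relative to `now`
    (default: the newest timestamp in the batch), plus any expected host that
    never reported at all. Sorted for stable output."""
    seen = last_seen_per_host(lines)
    reference = now or (max(seen.values()) if seen else None)
    flagged = set(expected_hosts) - set(seen)  # expected but never heard from
    if reference is not None:
        flagged.update(h for h, t in seen.items() if reference - t > max_gap)
    return sorted(flagged)


if __name__ == "__main__":
    fleet = ["asa-edge-1", "asa-edge-2", "asa-edge-3", "asa-edge-4"]
    for host in silent_hosts(SAMPLE_SYSLOG, timedelta(minutes=15), fleet):
        print(f"syslog silence: {host} - verify device is up and logging is intact")
```

The threshold should be tuned to each device's normal message rate; a busy edge firewall that produces nothing for a quarter of an hour is far more suspicious than a lab box. Treat a hit as a prompt to check the device directly rather than as proof of compromise.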

Affected products and lifecycle notes

Cisco reported that ASA 5500-X Series devices running ASA Software releases 9.12 or 9.14 with VPN web services enabled, and lacking Secure Boot and Trust Anchor, are affected. Many impacted models have reached end-of-support (EoS), or are close to reaching it, which increases risk because unsupported devices do not receive ongoing fixes. Cisco-listed EoS dates include, but are not limited to:

  • 5512-X and 5515-X, Last Date of Support, August 31, 2022,
  • 5585-X, Last Date of Support, May 31, 2023,
  • 5525-X, 5545-X, 5555-X, Last Date of Support, September 30, 2025.

Cisco also fixed a third critical issue, CVE-2025-20363 (CVSS around 8.5 to 9.0), affecting web services in ASA Software, Secure Firewall Threat Defense (FTD), IOS, IOS XE, and IOS XR. That vulnerability could allow remote code execution as root if an attacker crafts specific HTTP requests and overcomes mitigations, though Cisco said there is no evidence this particular flaw was exploited in the wild.

Attribution and assessment

Security vendors and government agencies assess the activity as linked to the ArcaneDoor cluster, attributed to UAT4356, a suspected China-linked actor also tracked as Storm-1849. The sophistication of the bootkit plus the stealthy user-mode loader suggests a mature, well-resourced operation focused on long-term persistence and data access.

Detection and mitigation guidance

Organizations that operate affected ASA 5500-X appliances should, as a priority:

  1. Identify impacted devices, confirm software versions and whether VPN web services are enabled,
  2. Apply Cisco vendor patches and firmware updates where available, including the fixes for CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363,
  3. Replace or isolate devices that are end-of-support and cannot be upgraded, especially models without Secure Boot and Trust Anchor,
  4. Inspect devices for signs of ROMMON tampering and lina binary modifications, for example by comparing firmware images to known-good baselines,
  5. Preserve forensic evidence if compromise is suspected, and engage vendors or incident response teams,
  6. Harden logging and monitoring, re-enable or protect syslog forwarding, and watch for abnormal WebVPN authentication traffic or ICMP activity with raw TCP responses, either of which could indicate LINE VIPER C2.
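As an added example, not code from the NCSC or Cisco advisories, the following Python script turns steps 1 and 4 of this checklist into something repeatable across a fleet: it reads the output of `show version` and `show running-config`, extracts the release train and hardware model, checks whether WebVPN is enabled on any interface, applies the Last Date of Support table from this article, and compares an image's SHA-256 to a known-good baseline. The sample CLI output is constructed, and the mapping from the hardware string printed by `show version` (for example `ASA5525`) to the 5525-X model in the table is an assumption.

```python
import hashlib
import hmac
import re
from datetime import date

# ASA Software release trains the advisory names as affected.
AFFECTED_TRAINS = {"9.12", "9.14"}

# 5500-X models without Secure Boot / Trust Anchor, keyed by the hardware
# string 'show version' prints (assumption: the "-X" suffix is dropped there),
# with the Last Date of Support values listed in this article.
EOS_DATES = {
    "ASA5512": date(2022, 8, 31),
    "ASA5515": date(2022, 8, 31),
    "ASA5585": date(2023, 5, 31),
    "ASA5525": date(2025, 9, 30),
    "ASA5545": date(2025, 9, 30),
    "ASA5555": date(2025, 9, 30),
}

VERSION_RE = re.compile(r"Adaptive Security Appliance Software Version (\d+)\.(\d+)\(")
HARDWARE_RE = re.compile(r"^Hardware:\s+(ASA\d{4})", re.MULTILINE)

# Constructed stand-ins for real 'show version' / 'show running-config' output.
SAMPLE_SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 9.12(4)67
Device Manager Version 7.12(2)

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
"""

SAMPLE_RUNNING_CONFIG = """hostname asa-edge-1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
webvpn
 enable outside
 anyconnect enable
group-policy GP-REMOTE attributes
 webvpn
  anyconnect keep-installer installed
"""


def parse_show_version(text):
    """Return (release_train, model); either is None if not found."""
    v = VERSION_RE.search(text)
    h = HARDWARE_RE.search(text)
    train = f"{v.group(1)}.{v.group(2)}" if v else None
    model = h.group(1) if h else None
    return train, model


def webvpn_interfaces(running_config):
    """Interfaces listed under the top-level 'webvpn' block as 'enable <nameif>'.
    Indented 'webvpn' lines inside group-policy blocks are ignored on purpose."""
    enabled, in_webvpn = [], False
    for line in running_config.splitlines():
        if not line.startswith(" "):          # a new top-level command
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            m = re.match(r"\s+enable\s+(\S+)", line)
            if m:
                enabled.append(m.group(1))
    return enabled


def triage(show_version, running_config, today):
    """Classify one appliance against the advisory's affected-device criteria."""
    train, model = parse_show_version(show_version)
    vpn_ifaces = webvpn_interfaces(running_config)
    no_secure_boot = model in EOS_DATES
    affected_train = train in AFFECTED_TRAINS
    eos = EOS_DATES.get(model)
    end_of_support = eos is not None and eos <= today
    if no_secure_boot and end_of_support:
        priority = "replace-or-isolate"       # step 3: no further fixes coming
    elif no_secure_boot and affected_train and vpn_ifaces:
        priority = "patch-now"                # matches all advisory criteria
    else:
        priority = "review"
    return {"model": model, "train": train, "webvpn_interfaces": vpn_ifaces,
            "no_secure_boot": no_secure_boot, "affected_train": affected_train,
            "end_of_support": end_of_support, "priority": priority}


def image_matches_baseline(image_bytes, expected_sha256):
    """Step 4: compare a copied image (lina binary, ROMMON dump) to a known-good SHA-256."""
    digest = hashlib.sha256(image_bytes).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.lower())


if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG, date(2025, 9, 25)))
```

Run it against saved CLI captures rather than on the appliance itself; if tampering is suspected, the attacker's CLI interception means output gathered through the device's own shell may not be trustworthy, so the image comparison belongs on a copy pulled off-box and hashed on a clean host.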

Conclusion

The RayInitiator and LINE VIPER campaign represents a notable escalation in attack sophistication against network security appliances, combining persistent boot-level implants with stealthy, flexible user-mode loaders. Organizations should treat the advisory seriously, prioritize patching and device lifecycle management, and assume that unsupported ASA 5500-X devices are high-risk if left connected to sensitive networks.