ArcaneDoor / UAT4356 Cisco ASA zero-day campaign targeting government agencies
Campaign
Summary
The ArcaneDoor operation linked to UAT4356 (aka Storm-1849) targeted Cisco ASA 5500-X Series devices at multiple government agencies, creating a path for malware implantation, command execution, and possible data exfiltration. The campaign abused CVE-2025-20362 and CVE-2025-20333 as zero-days to bypass authentication and run malicious code. Operators deployed RayInitiator and LINE VIPER to persist on appliances and reduce forensic visibility. The activity spanned May 2025 through September 2025, and many affected devices were already end-of-support or close to it.
Related Happenings
Federal civilian executive branch agency hit by network compromise
Incident
First: 24.04.2026 23:34
Last: 24.04.2026 23:34
Sources 1
About this happening:
A **federal civilian executive branch agency** was compromised in an **early September 2025** intrusion that left attackers with persistent access on **Cisco Firepower** and **Sec...
Cisco ASA/FTD code execution and authentication bypass flaws (multiple vulnerabilities)
Vulnerability
First: 24.04.2026 20:06
Last: 24.04.2026 20:06
Sources 1
How related:
Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild.
About this happening:
**Cisco ASA/FTD** vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** are still under **active exploitation** and can be chained for **unauthenticated remote control** of af...
FIRESTARTER malware on Cisco ASA and FTD devices
Malware Activity
First: 23.04.2026 15:00
Last: 23.04.2026 15:00
Sources 1
About this happening:
CISA has published analysis of **FIRESTARTER**, a malware strain that enables **remote access and control** on **Cisco Firepower** and **Secure Firewall** devices, raising the ris...
Latest development: 24.04.2026 23:34
CISA, NCSC-UK, and Cisco detailed Firestarter persistence on Cisco Firepower and Secure Firewall devices running ASA or FTD software, attributing the backdoor to UAT-4356 and linking the activity to ArcaneDoor. The malware modifies CSP_MOUNT_LIST, stores a copy in /opt/cisco/platform/logs/var/log/svc_samcore.log, restores itself to /usr/bin/lina_cs, and relaunches after termination or reboot; Cisco recommends reimaging and upgrading to fixed releases, or using a cold restart only if reimaging is not possible.
SilentGlass launch as a monitor-connection protection security device
Security Tool/Service
First: 22.04.2026 18:00
Last: 22.04.2026 18:00
Sources 1
About this happening:
The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
Timeline
25.09.2025 03:00 2 articles · 8mo ago
U.K. NCSC discloses Cisco ASA zero-day exploitation
Initial Disclosure
On September 25, 2025, the U.K. NCSC disclosed zero-day exploitation of Cisco ASA 5500-X Series devices using CVE-2025-20362 and CVE-2025-20333 to deliver the RayInitiator bootkit and LINE VIPER malware, enabling persistence, command execution, VPN auth bypass, syslog suppression, and possible data exfiltration. Cisco said it had been investigating attacks on multiple government agencies since May 2025, including ROMMON modification on exposed ASA 5500-X platforms lacking Secure Boot and Trust Anchor technologies, and separately addressed CVE-2025-20363 with no evidence of in-the-wild exploitation.
Sources:
- Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware — thehackernews.com — 26.09.2025 08:51