ArcaneDoor Campaign Exploits Cisco Zero-Day Vulnerabilities
Summary
A threat cluster tracked as ArcaneDoor has been exploiting two zero-day vulnerabilities in Cisco firewalls (Cisco Adaptive Security Appliance and Firepower Threat Defense software) to deliver two previously undocumented malware families, RayInitiator and LINE VIPER. The flaws, CVE-2025-20362 (CVSS 6.5, an authentication bypass) and CVE-2025-20333 (CVSS 9.9, remote code execution), are chained so that an unauthenticated attacker can run code on a susceptible appliance. The activity is attributed to UAT4356 (also tracked as Storm-1849), a suspected China-linked group behind the earlier ArcaneDoor intrusions, and the new implants are markedly more sophisticated and better at evading detection than those seen in that earlier activity. Exploitation was already under way when Cisco disclosed the flaws in late September 2025, with organizations across several sectors affected. The practical consequence is immediate patching of exposed Cisco firewalls, combined with checking them for signs of compromise rather than assuming an upgrade alone is sufficient.
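The first triage question for anyone running these appliances is whether a given device even exposes the vulnerable code path. Per Cisco's advisories (a detail the summary above does not spell out), both CVEs sit in the VPN web server of ASA/FTD, so an appliance is reachable through that path only where `webvpn` is enabled on an interface. The script below is an added example, not code from the page, from Cisco or from any of the reports it cites: it parses ASA-style `show running-config` output, lists the interfaces on which `webvpn` is enabled, and flags those facing the untrusted side (security-level 0). The sample config, hostname and interface names are constructed for the demonstration. It reports exposure, not compromise, and it says nothing about whether the running release is fixed.

```python
"""Exposure check: does an ASA running-config expose the SSL VPN web server?

Assumed context (not stated on the page): Cisco's advisories place both
CVE-2025-20333 and CVE-2025-20362 in the VPN web server of ASA/FTD, so the
vulnerable code path is reachable only where 'webvpn' is enabled on an
interface. This reports exposure, not compromise, and does not check
the software release.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config for the demonstration; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-asa
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.pkg 1
 anyconnect enable
 tunnel-group-list enable
"""


@dataclass
class WebvpnExposure:
    webvpn_interfaces: list = field(default_factory=list)  # nameifs with 'enable <nameif>' under webvpn
    anyconnect_enabled: bool = False
    security_levels: dict = field(default_factory=dict)   # nameif -> configured security-level

    def internet_facing(self) -> list:
        """Interfaces serving webvpn on the untrusted side (security-level 0)."""
        return [i for i in self.webvpn_interfaces if self.security_levels.get(i) == 0]


def parse_exposure(config: str) -> WebvpnExposure:
    """Walk an ASA running-config: top-level lines open a block, single-space
    indented lines are that block's subcommands. Only 'interface' and the
    top-level 'webvpn' block matter here; the nested 'webvpn' under
    group-policy attributes is indented and therefore ignored."""
    exp = WebvpnExposure()
    block = None   # 'interface', 'webvpn' or None
    nameif = None  # nameif of the interface block currently being read
    for raw in config.splitlines():
        if not raw.startswith(" "):
            if raw.startswith("interface "):
                block, nameif = "interface", None
            elif raw.strip() == "webvpn":
                block = "webvpn"
            else:
                block = None
            continue
        cmd = raw.strip()
        if block == "interface":
            m = re.fullmatch(r"nameif (\S+)", cmd)
            if m:
                nameif = m.group(1)
                exp.security_levels.setdefault(nameif, None)
            m = re.fullmatch(r"security-level (\d+)", cmd)
            if m and nameif is not None:
                exp.security_levels[nameif] = int(m.group(1))
        elif block == "webvpn":
            m = re.fullmatch(r"enable (\S+)", cmd)
            if m:
                exp.webvpn_interfaces.append(m.group(1))
            elif cmd == "anyconnect enable":
                exp.anyconnect_enabled = True
    return exp


def report(config: str) -> str:
    """One-line triage verdict for a config."""
    exp = parse_exposure(config)
    if not exp.webvpn_interfaces:
        return "webvpn not enabled on any interface: vulnerable code path not reachable"
    facing = exp.internet_facing() or ["(none with security-level 0)"]
    return (f"webvpn enabled on {exp.webvpn_interfaces}, internet-facing: {facing}, "
            f"anyconnect {'on' if exp.anyconnect_enabled else 'off'}: "
            "confirm the device runs a fixed release and review it for compromise")


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Feed it the saved output of `show running-config` from each ASA. A device with no `webvpn ... enable` line is not reachable through the code path these CVEs live in, but a hit on an interface with security-level 0 means the box was exposed to unauthenticated attackers for as long as exploitation has been under way, so patching should be paired with a compromise assessment rather than treated as the end of the job.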
Timeline
-
29.09.2025 15:36 · 1 article
ArcaneDoor Campaign Exploits Cisco Zero-Day Vulnerabilities
In late September 2025, Cisco disclosed that a threat cluster tracked as ArcaneDoor was exploiting two zero-day vulnerabilities in Cisco ASA and FTD firewall software to deliver two previously undocumented malware families, RayInitiator and LINE VIPER. The vulnerabilities, CVE-2025-20362 (authentication bypass) and CVE-2025-20333 (remote code execution), are chained to run attacker code on susceptible appliances without valid credentials. The campaign is attributed to UAT4356 (aka Storm-1849), a suspected China-linked group. The new implants are a significant step up in sophistication and evasion from the earlier ArcaneDoor activity, and targets span several sectors.
Source:
- ⚡ Weekly Recap: Cisco 0-Day, Record DDoS, LockBit 5.0, BMC Bugs, ShadowV2 Botnet & More — thehackernews.com — 29.09.2025 15:36
Information Snippets
-
The ArcaneDoor campaign exploits two zero-day vulnerabilities in Cisco ASA and FTD firewall software: CVE-2025-20362 (CVSS score: 6.5) and CVE-2025-20333 (CVSS score: 9.9).
First reported: 29.09.2025 15:36 · 1 source, 1 article (thehackernews.com weekly recap, listed above)
-
The two flaws are chained: CVE-2025-20362 lets an unauthenticated attacker reach restricted VPN web server endpoints on a susceptible Cisco appliance, and CVE-2025-20333 then provides code execution on it.
First reported: 29.09.2025 15:36 · 1 source, 1 article (thehackernews.com weekly recap, listed above)
-
The campaign delivers two previously undocumented malware families: RayInitiator, a persistent bootloader-level implant, and LINE VIPER, a user-mode shellcode loader.
First reported: 29.09.2025 15:36 · 1 source, 1 article (thehackernews.com weekly recap, listed above)
-
The ArcaneDoor campaign is attributed to UAT4356 (also tracked as Storm-1849), a suspected China-linked group.
First reported: 29.09.2025 15:36 · 1 source, 1 article (thehackernews.com weekly recap, listed above)
-
The malware families represent a significant evolution in sophistication and evasion capabilities over the implants used in the earlier ArcaneDoor activity.
First reported: 29.09.2025 15:36 · 1 source, 1 article (thehackernews.com weekly recap, listed above)
-
Exploitation was already under way when the flaws were disclosed in late September 2025, and the affected organizations span several sectors.
First reported: 29.09.2025 15:36 · 1 source, 1 article (thehackernews.com weekly recap, listed above)