The UK National Cybersecurity Centre (NCSC) has revealed that threat actors will use recently disclosed security flaws as part of their zero-day attacks to provide previously undocumented families of malware, such as Rayinitator and Line Viper.
“RayInitiatator and Line Viper malware represent a significant evolution of what was used in previous campaigns, both in its sophisticated detection capabilities,” the agency said.
Cisco announced Thursday that it had launched an investigation into attacks against multiple government agencies related to the state-sponsored campaign in May 2025.
A detailed analysis of firmware extracted from infected devices running Cisco Secure Firewall ASA software using a VPN web service ultimately discovered a memory corruption bug in the product software.
“It has been observed that attackers have exploited multiple zero-day vulnerabilities and adopted advanced evasive techniques such as disabling logging, intercepting CLI commands, and preventing device crashes to prevent diagnostic analysis,” the company said.
This activity includes exploitation of CVE-2025-20362 (CVSS score: 6.5) and CVE-2025-20333 (CVSS score: 9.9). The campaign is rated as linked to a threat cluster called Arcanedoor. This is believed to be a suspected Chinese-related hacking group known as UAT4356 (aka Storm-1849).
Furthermore, in some cases, the threat actor is said to have changed Romnon (short for read-only memory monitor). It is responsible for managing the boot process and running diagnostic tests on ASA devices, enhancing the persistence of the entire reboot and software upgrade. That being said, these changes are only detected on the Cisco ASA 5500-X series platform, which lacks secure boot and reliable anchor technology.
Cisco also said that the ASA 5500-X series model running Cisco ASA software has successfully released 9.12 or 9.14, enabling VPN web services and not supporting secure boot and trust anchor technology. All affected devices have reached End of Support (EOS) or are about to reach EOS status by next week –
5512-X and 5515-X – Date of last support: August 31, 2022 5585-X – Last support: May 31, 2023 5525-X, 5545-X, 5555-X – Last date: September 30, 2025
Additionally, the company noted that it addresses a third important flaw (CVE-2025-20363, CVSS score: 8.5/9.0) in its IOS XR software web service that allows it to run XR software from Adaptive Security Appliance (ASA) software, Secure Firewall Threat Defense (FTD) software, IOS software, IOS XE software, and IOS XR software to run attackers.
“Attackers can exploit this vulnerability by obtaining additional information about the system, overcoming exploitation mitigation, and overcoming both,” he said, by sending clever HTTP requests to the target web service on the affected device. “A successful exploit allows an attacker to run arbitrary code as root, which could lead to a complete compromise on the affected device.”
Unlike CVE-2025-20362 and CVE-2025-20333, there is no evidence that vulnerability was exploited in the wild in a malicious context. Cisco said that its shortcomings were discovered by the Cisco Advanced Security Initiatives Group (ASIG) during the resolution of the Cisco TAC support case.
Canada’s Cybersecurity Centre is urging domestic organizations to counter the threat as quickly as possible by updating to fixed versions of Cisco ASA and FTD products.
In an advisory released on September 25, UK NCSC revealed that the attacks leveraged a multi-stage Bootkit called RayInitiator to deploy a user-mode shellcode loader known as a line viper on the ASA appliance.
RayInitiator is a permanent Grand Unified Bootloader (GRUB) BootKit that is flashed to victim devices while still able to survive reboots and firmware upgrades. You can run CLI commands, perform packet capture, bypass VPN authentication, bypass VPN authentication, grant authorization, load it into the accounting (AAA) of an actor device, suppress syslog messages, harvest user CLI commands, and force delayed restarts.
Bootkit accomplishes this by installing a handler inside a legal ASA binary called “lina” and running a line viper. Lina, short for Linux-based integrated network architecture, is operating system software that integrates the core firewall capabilities of the ASA.
Described as “comprehensive” than line dancers, Line Viper uses two methods for communicating with command and control (C2) servers. WebVPN client authentication sessions are used either over HTTPS or via ICMP with answers over RAW TCP. It is also designed to make many changes to “Lina” to keep you from leaving the forensic trail, preventing detection of CLI command modifications such as copying and validation.
“The deployment of line vipers via permanent boot kits and emphasis on defense avoidance technology demonstrates the refinement and improvements in operational security for the actors compared to the Arcanedoor campaign released in 2024,” the NCSC said.
Source link
