UK NCSC warns that attackers exploited Cisco firewall zero-days to deploy RayInitiator and LINE VIPER malware

Pierluigi Paganini September 26, 2025

UK NCSC warns that threat actors exploited Cisco firewall zero-days to deploy new malware strains RayInitiator and LINE VIPER.

The U.K. NCSC reported that threat actors exploited two recently disclosed Cisco firewall flaws (CVE-2025-20362 and CVE-2025-20333) as zero-days to deploy two novel malware families, RayInitiator and LINE VIPER. These families mark a major evolution from earlier campaigns, with greater sophistication and more advanced evasion capabilities.

“It is critical for organisations to take note of the recommended actions highlighted by Cisco today, particularly on detection and remediation. We strongly encourage network defenders to follow vendor best practices and engage with the NCSC’s malware analysis report to assist with their investigations,” said NCSC Chief Technology Officer Ollie Whitehouse. “End-of-life technology presents a significant risk for organisations. Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience.”

RayInitiator is a persistent, multi-stage GRUB bootkit flashed to Cisco ASA 5500-X devices that lack Secure Boot (many of them already out of support). It survives reboots and firmware upgrades and is used to load the user-mode shellcode loader LINE VIPER into memory.

LINE VIPER receives operator commands either through WebVPN client authentication sessions or through specially crafted network packets. It uses a unique token and RSA key pair per victim to protect tasking and stolen data in transit. Once active, it can run device commands, capture network traffic, bypass authentication controls, suppress log messages, record CLI input, and trigger delayed reboots.

“RayInitiator is a persistent multi-stage bootkit which facilitates the deployment of LINE VIPER to Cisco ASA (Adaptive Security Appliance) 5500-X series devices without secure boot,” reads the advisory. “LINE VIPER is a user-mode shellcode loader with associated modules.”

“All observed targeted models have either passed their last day of support, or the last date is September 30, 2025”

In May 2025, Cisco investigated attacks on several government agencies tied to a state-backed campaign. The attackers targeted ASA 5500-X firewalls with VPN web services enabled to implant malware, run commands, and steal data. Cisco’s analysis of firmware recovered from infected devices uncovered a memory corruption flaw in ASA software.

“In May 2025, Cisco was engaged by multiple government agencies that provide incident response services to government organizations to support the investigation of attacks that were targeting certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.” reads the Cisco’s advisory.

The attackers chained multiple zero-days, disabled logging, and intercepted CLI commands. They also deliberately crashed devices to block forensic analysis, demonstrating advanced evasion and persistence methods. Cisco linked the intrusion to the ArcaneDoor campaign it reported in early 2024.

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis. The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams.” continues the company’s advisory.

“Cisco assesses with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco reported in early 2024.”

Cisco researchers also found that the attackers modified ROMMON on older ASA 5500-X devices, which lack Secure Boot and Trust Anchor protections, in order to persist across reboots. Newer platforms that have these protections showed no signs of compromise or persistence.

Cisco stated that the campaign targeted ASA 5500-X models running ASA software 9.12 or 9.14 with VPN web services enabled and lacking Secure Boot/Trust Anchor. The affected end-of-support devices are the 5512-X, 5515-X and 5585-X, plus the 5525-X, 5545-X and 5555-X, which reach end of support on September 30, 2025. Cisco also patched CVE-2025-20363 (CVSS 9.0 for ASA and FTD, 8.5 for IOS, IOS XE and IOS XR), a flaw in the web services component of those platforms that could enable remote code execution.
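The affected-device criteria above (platform, software train, VPN web services enabled) are easy to check at scale from `show version` and `show running-config` output. The script below is an added example, not code from Cisco, the NCSC or the original article; it encodes the models and end-of-support dates the article lists, and assumes the usual ASA line layout for the `Hardware:` and `Software Version` lines and a top-level `webvpn` block containing `enable <interface>`. The sample outputs are constructed for illustration; verify the regexes against your own devices.

```python
import re
from datetime import date

# Constructed from the article: platforms Cisco named as targeted (no Secure
# Boot / Trust Anchor) and the end-of-support dates it gives. None means the
# article only states that support has already ended.
AFFECTED_MODELS = {
    "ASA5512": None,
    "ASA5515": None,
    "ASA5585": None,
    "ASA5525": date(2025, 9, 30),
    "ASA5545": date(2025, 9, 30),
    "ASA5555": date(2025, 9, 30),
}
TARGETED_TRAINS = {(9, 12), (9, 14)}  # software releases named in the article

# Assumed line formats for `show version` (check against real output).
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)")
HARDWARE_RE = re.compile(r"^Hardware:\s+(ASA\d{4})", re.MULTILINE)


def parse_show_version(text):
    """Return (platform, (major, minor)) parsed from `show version` output."""
    hw = HARDWARE_RE.search(text)
    ver = VERSION_RE.search(text)
    if not hw or not ver:
        raise ValueError("could not find Hardware/Software Version lines")
    return hw.group(1), (int(ver.group(1)), int(ver.group(2)))


def webvpn_enabled(running_config):
    """True if a top-level `webvpn` block enables the service on any interface."""
    in_block = False
    for line in running_config.splitlines():
        if re.match(r"^webvpn\s*$", line):
            in_block = True
            continue
        if in_block:
            if line.startswith(" "):
                if re.match(r"^\s+enable\s+\S+", line):
                    return True
            else:
                in_block = False  # left the indented webvpn block
    return False


def triage(show_version, running_config, today=date(2025, 9, 26)):
    """Return (exposed, findings). `exposed` is True when the device is one of
    the targeted platforms and has VPN web services enabled."""
    model, train = parse_show_version(show_version)
    findings = []
    if model in AFFECTED_MODELS:
        eos = AFFECTED_MODELS[model]
        if eos is None:
            findings.append(f"{model}: end of support already passed")
        elif today >= eos:
            findings.append(f"{model}: end of support reached on {eos}")
        else:
            findings.append(f"{model}: end of support {eos}; patch now, plan migration")
        findings.append("platform lacks Secure Boot/Trust Anchor: ROMMON persistence possible")
    if train in TARGETED_TRAINS:
        findings.append(f"running {train[0]}.{train[1]}, a train the campaign targeted")
    vpn = webvpn_enabled(running_config)
    if vpn:
        findings.append("VPN web services enabled: the attack surface used in this campaign")
    return (model in AFFECTED_MODELS and vpn), findings


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)67
Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz, 1 CPU (4 cores)
"""
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
webvpn
 enable outside
 anyconnect enable
"""

if __name__ == "__main__":
    exposed, findings = triage(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG)
    print("EXPOSED" if exposed else "not in targeted set")
    for f in findings:
        print(" -", f)
```

A device flagged as exposed should be treated as a candidate for Cisco's detection and remediation guidance rather than as confirmed compromised; the script only tests the attack-surface criteria, not the presence of RayInitiator or LINE VIPER.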

Pierluigi Paganini

(SecurityAffairs – hacking, CISCO)
