The U.K. National Cyber Security Centre (NCSC) has reported that recent security vulnerabilities affecting Cisco firewalls have been exploited in zero-day attacks, leading to the deployment of new malware families, specifically RayInitiator and LINE VIPER. The NCSC stated that these malware types show significant advancements in complexity and their ability to avoid detection.
Cisco initiated an investigation in May 2025 following attacks on multiple government agencies, which were connected to a state-sponsored campaign. This effort targeted Adaptive Security Appliance (ASA) 5500-X Series devices with the intent to introduce malware, execute commands, and potentially exfiltrate data from compromised systems. A thorough examination of the compromised device firmware revealed a memory corruption vulnerability within the Cisco Secure Firewall ASA Software.
The attackers exploited several zero-day vulnerabilities and utilized advanced evasion tactics, such as disabling logging and intercepting command-line interface (CLI) commands, to hinder diagnostic analysis. The campaign is believed to be linked to a threat cluster named ArcaneDoor, which has been associated with a suspected China-linked group known as UAT4356.
Notably, the attackers have modified the ROMMON (Read-Only Memory Monitor) of some devices to maintain persistence across reboots and software updates, with these alterations identified only on ASA 5500-X Series platforms lacking Secure Boot and Trust Anchor features.
Cisco confirmed that the compromised ASA models were running software versions 9.12 or 9.14 and have reached or are nearing end-of-support status. These include:
- 5512-X and 5515-X – Last Date of Support: August 31, 2022
- 5585-X – Last Date of Support: May 31, 2023
- 5525-X, 5545-X, and 5555-X – Last Date of Support: September 30, 2025
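As an added example (not code from the NCSC, Cisco, or the article), the script below turns the list above into an inventory check: it pulls the platform and software train out of `show version` text and flags a device when the model appears on the advisory's end-of-support list or the software train is one of the two named as running on compromised devices. The sample transcripts are constructed, and the regular expressions assume the `Software Version ...` and `Hardware:   ASA....` header lines keep that layout; adjust them to match your own captured output.

```python
"""Added example: triage 'show version' output against the advisory's affected ASA list."""
import re
from datetime import date

# Last Date of Support per platform, taken from the advisory's list above.
LAST_DATE_OF_SUPPORT = {
    "ASA5512": date(2022, 8, 31),
    "ASA5515": date(2022, 8, 31),
    "ASA5585": date(2023, 5, 31),
    "ASA5525": date(2025, 9, 30),
    "ASA5545": date(2025, 9, 30),
    "ASA5555": date(2025, 9, 30),
}

# Software trains the advisory says the compromised devices were running.
AFFECTED_TRAINS = ("9.12", "9.14")

# Assumed header layout of 'show version'; tune these to your captured output.
VERSION_RE = re.compile(r"Software Version (\d+\.\d+)")
HARDWARE_RE = re.compile(r"^Hardware:\s+(ASA\d{4})", re.MULTILINE)


def parse_show_version(text):
    """Return (model, software train) from 'show version' text; None for fields not found."""
    model = HARDWARE_RE.search(text)
    version = VERSION_RE.search(text)
    return (model.group(1) if model else None,
            version.group(1) if version else None)


def assess(text, today):
    """Flag a device whose model is on the advisory list or whose train matches the campaign."""
    model, train = parse_show_version(text)
    last = LAST_DATE_OF_SUPPORT.get(model)
    reasons = []
    if last is not None:
        state = "past end of support" if today > last else "support ends " + last.isoformat()
        reasons.append(f"{model} is on the advisory's affected platform list ({state})")
    if train in AFFECTED_TRAINS:
        reasons.append(f"software train {train} matches those seen on compromised devices")
    return {"model": model, "train": train, "last_date_of_support": last,
            "flagged": bool(reasons), "reasons": reasons}


# Constructed sample transcripts (not real device output); only the two header
# lines the regexes rely on are modelled.
SAMPLE_5515 = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)
Device Manager Version 7.12(2)

Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
"""

SAMPLE_5516 = """\
Cisco Adaptive Security Appliance Software Version 9.16(4)
Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
"""

if __name__ == "__main__":
    for name, sample in (("5515", SAMPLE_5515), ("5516", SAMPLE_5516)):
        result = assess(sample, date.today())
        verdict = "FLAGGED" if result["flagged"] else "ok"
        print(f"{name}: {verdict} {'; '.join(result['reasons'])}")
```

Run it against saved `show version` captures from each firewall; a flagged result is a prompt to prioritise the device for the vendor's patching and forensic guidance, not a finding of compromise on its own.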
Additionally, Cisco has patched a third critical vulnerability that could allow remote attackers to execute arbitrary code. Although this vulnerability has not been confirmed as being exploited, it underscores the urgency for organizations to update their devices with the latest security fixes.
The NCSC’s advisory highlighted that the attackers used a multi-stage bootkit named RayInitiator to deploy LINE VIPER, a user-mode shellcode loader, onto ASA devices. RayInitiator persists through system reboots and firmware updates and provides the capability to load additional malware components into memory and execute commands.
This increase in sophistication and the use of persistent bootkits showcase a notable evolution in how cyber actors manage their operations and evade detection, marking a worrying trend in the landscape of cyber threats.