A newly identified cyber-attack campaign has exploited Cisco Adaptive Security Appliance (ASA) devices in a sophisticated operation linked to the espionage-focused ArcaneDoor threat actor.
The attacks targeted certain Cisco ASA 5500-X Series devices that were running Cisco Secure Firewall ASA Software with VPN web services enabled.
Cisco has assessed with high confidence that this new activity is related to the same threat actor as the ArcaneDoor attack campaign that Cisco reported in early 2024.
ArcaneDoor has been linked to espionage-focused campaigns targeting perimeter network devices as intrusion points.
The aim of the latest attack campaign was to implant malware, execute commands and potentially exfiltrate data from the compromised devices.
This conclusion comes following an investigation by the global network infrastructure vendor which began after multiple government agencies engaged the firm in May 2025.
Cisco said attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques, such as disabling logging, intercepting command line interface (CLI) commands and intentionally crashing devices to prevent diagnostic analysis.
The evidence collected during the investigation strongly indicates that CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) were used by the attacker in the current attack campaign.
The company also noted that during the analysis of compromised devices it observed the threat actor modifying ROM Monitor (ROMMON) to allow for persistence across reboots and software upgrades.
These modifications have been observed only on Cisco ASA 5500-X Series platforms that were released prior to the development of Secure Boot and Trust Anchor technologies, Cisco said.
“No CVE will be assigned to the lack of Secure Boot and Trust Anchor technology support on these platforms. Cisco has not observed successful compromise, malware implantation, or the existence of a persistence mechanism on platforms that support Secure Boot and Trust Anchors,” the company added in its update.
Cisco ASA Models Successfully Compromised
In its evaluation, Cisco identified a number of ASA 5500-X Series models which, when running Cisco ASA Software releases 9.12 or 9.14 with VPN web services enabled, had been observed to be successfully compromised in the ArcaneDoor campaign.
These models do not support Secure Boot and Trust Anchor technologies. They are:
- 5512-X and 5515-X – Last Date of Support: August 31, 2022
- 5525-X, 5545-X, and 5555-X – Last Date of Support: September 30, 2025
- 5585-X – Last Date of Support: May 31, 2023
The following Cisco ASA 5500-X Series models, as well as all Cisco Firepower and Cisco Secure Firewall models, support Secure Boot and Trust Anchors:
- 5505-X, 5506H-X, 5506W-X, 5508-X, and 5516-X – Last Date of Support: August 31, 2026
The company noted that while no successful exploitation of these vulnerabilities and no modifications of ROMMON have been observed on these models, they are included in the report due to the impending end of support.
Organizations Urged to Remediate
This latest campaign is another example of state-sponsored actors targeting perimeter network devices. As a critical path for data into and out of the network, such devices need to be routinely and promptly patched.
Commenting on the latest update from Cisco, the UK’s National Cyber Security Centre’s CTO, Ollie Whitehouse, said: “It is critical for organizations to take note of the recommended actions highlighted by Cisco today, particularly on detection and remediation. We strongly encourage network defenders to follow vendor best practices and engage with the NCSC’s malware analysis report to assist with their investigations.”
Cisco has provided detailed guidance on remediation efforts companies can take. Customers are advised to upgrade to an appropriate fixed software release which the firm lists in its guidance.
Remediation recommendations include customers upgrading to a fixed release to resolve the vulnerabilities and prevent subsequent exploitation. Cisco considers this a long-term solution.
A temporary solution to the vulnerabilities is to disable all SSL/TLS-based VPN web services. This includes disabling the IKEv2 client services that facilitate the update of client endpoint software and profiles, as well as disabling all SSL VPN services.
In cases of suspected or confirmed compromise on any Cisco firewall device, all configuration elements of the device should be considered untrusted, the company outlined.
Whitehouse commented, “End-of-life technology presents a significant risk for organizations. Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience.”
To assist with detection of the activity and mitigation, the NCSC has also issued a joint advisory with international partners and published two reports which share detailed analysis of malware, dubbed Line Dancer and Line Runner, related to the malicious activity.
The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an Emergency Directive that lists required actions applying to agency assets in any federal information system.
CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices and upgrade devices that will remain in service.
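The model list, the observed software trains and the remediation steps above translate naturally into a triage pass over a device inventory. The script below is an added example written for this article, not code from Cisco, the NCSC or CISA: it takes constructed inventory records (model, software version, whether VPN web services are enabled), ranks each device against the conditions under which compromise was observed, and lists the actions the article names. The reference date is an assumption passed in by the caller.

```python
from datetime import date

# Transcribed from Cisco's update as reported above.
# Models without Secure Boot / Trust Anchor (ROMMON persistence observed) -> last date of support.
NO_SECURE_BOOT = {
    "5512-X": date(2022, 8, 31), "5515-X": date(2022, 8, 31),
    "5525-X": date(2025, 9, 30), "5545-X": date(2025, 9, 30), "5555-X": date(2025, 9, 30),
    "5585-X": date(2023, 5, 31),
}
# Models with Secure Boot / Trust Anchor (no successful compromise observed) -> last date of support.
SECURE_BOOT = {m: date(2026, 8, 31) for m in ("5505-X", "5506H-X", "5506W-X", "5508-X", "5516-X")}
# Software trains on which successful compromise was observed.
OBSERVED_TRAINS = ("9.12", "9.14")


def release_train(version: str) -> str:
    """'9.12(4)' -> '9.12'. Assumes Cisco's major.minor(maintenance) version form."""
    return version.split("(")[0].strip()


def triage(model: str, version: str, vpn_web_enabled: bool, today: date) -> dict:
    """Rank one ASA against the campaign's observed conditions and list the remediation
    actions from the article (fixed release, disable VPN web services, disconnect EoS)."""
    secure_boot = model in SECURE_BOOT
    eos = NO_SECURE_BOOT.get(model) or SECURE_BOOT.get(model)
    if eos is None:
        return {"model": model, "priority": "unknown",
                "actions": ["model not in Cisco's list; check vendor guidance"]}
    actions = []
    if today > eos:
        actions.append("end of support: disconnect (CISA directive) and migrate")
    else:
        actions.append("upgrade to a fixed release listed in Cisco's guidance")
        if vpn_web_enabled:
            actions.append("interim: disable SSL/TLS VPN web services (incl. IKEv2 client services)")
    if not secure_boot:
        actions.append("no Secure Boot: verify ROMMON; treat config as untrusted if compromise suspected")
    # Critical = every condition under which compromise was actually observed is met.
    exposed = vpn_web_enabled and release_train(version) in OBSERVED_TRAINS and not secure_boot
    priority = "critical" if exposed else ("high" if vpn_web_enabled else "medium")
    return {"model": model, "priority": priority, "actions": actions}


def triage_inventory(records: list, today: date) -> list:
    """Triage a list of {'model','version','vpn_web_enabled'} records, most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2, "unknown": 3}
    results = [triage(r["model"], r["version"], r["vpn_web_enabled"], today) for r in records]
    return sorted(results, key=lambda t: order[t["priority"]])


if __name__ == "__main__":
    sample = [  # constructed sample records, not real devices
        {"model": "5516-X", "version": "9.16(4)", "vpn_web_enabled": True},
        {"model": "5515-X", "version": "9.12(4)", "vpn_web_enabled": True},
    ]
    for t in triage_inventory(sample, date(2025, 9, 26)):
        print(t["priority"], t["model"], "->", "; ".join(t["actions"]))
```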