Ethical Hacking News
Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware: A sophisticated threat actor, flagged in advisories from the U.K. National Cyber Security Centre (NCSC) and the Canadian Centre for Cyber Security, has exploited multiple zero-day vulnerabilities in Cisco ASA software to install malware that persists on compromised devices.
Cisco ASA firewalls have been targeted by a highly sophisticated threat actor deploying the RayInitiator and LINE VIPER malware families. The malware persists across reboots and software upgrades, bypasses VPN authentication, and gives the actor command execution and packet capture on the device. The exposed population is ASA 5500-X Series appliances running ASA software 9.12 or 9.14, hardware that lacks Secure Boot and Trust Anchor technologies. The actor chained two zero-day vulnerabilities, CVE-2025-20362 and CVE-2025-20333. Cisco also fixed a third critical flaw affecting several product lines, for which there is no evidence of in-the-wild exploitation. The Canadian Centre for Cyber Security and the NCSC urge organizations to upgrade to fixed software releases without delay, to monitor for signs of compromise, and to have an incident response plan ready.
Cisco Systems has revealed that a highly sophisticated threat actor has targeted its ASA firewall products, exploiting multiple zero-day vulnerabilities to deliver the RayInitiator and LINE VIPER malware families. Cisco's Advanced Security Initiatives Group (ASIG) identified the activity in the course of resolving a Cisco TAC support case.
RayInitiator is a persistent GRand Unified Bootloader (GRUB) bootkit that survives reboots and software upgrades. At boot it loads LINE VIPER, a user-mode shellcode loader, into memory. LINE VIPER can run CLI commands, perform packet captures, bypass VPN Authentication, Authorization and Accounting (AAA) for actor-controlled devices, suppress syslog messages, harvest the CLI commands entered by administrators, and force a delayed reboot.
Deploying LINE VIPER through a persistent bootkit shows a step up in sophistication and operational security compared with the actor's previous campaigns against ASA devices. The advisories link the activity to a suspected China-nexus group tracked as UAT4356 (aka Storm-1849); the attribution is an assessment, and no conclusive public evidence tying the group to this activity has been provided at this time.
Cisco ASA 5500-X Series appliances running ASA software 9.12 or 9.14 are the exposed population. These platforms lack the Secure Boot and Trust Anchor technologies of newer hardware, so a modified bootloader or ROMMON is never verified at power-on. Several of these models are already past end of support, and others reach end of support within the coming week, so they will receive no further fixes and are an attractive long-term foothold for the actor.
The actor exploited CVE-2025-20362 (CVSS score: 6.5), a missing-authorization flaw that lets an unauthenticated attacker reach restricted URL endpoints of the VPN web server, together with CVE-2025-20333 (CVSS score: 9.9), a buffer overflow in the same web server that gives an authenticated attacker arbitrary code execution as root. Chained, the two yield unauthenticated remote code execution on a susceptible appliance. On some compromised devices the actor also modified ROMMON, the low-level boot firmware, so that the implant survives reboots and software upgrades; this is only possible on hardware that lacks Secure Boot and Trust Anchor.
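A triage script for the exposure conditions described above, added here as an illustration and not code from Cisco, the NCSC or the source article. It parses saved `show version` and `show running-config` output, reports the software train and hardware model, and flags a device as exposed when it runs a 9.12 or 9.14 train and has the VPN web server enabled (the `webvpn` block with `enable <interface>` lines). The sample outputs are constructed; treating an enabled VPN web server as a prerequisite for exposure is the script's own assumption, taken from Cisco's scoping of the campaign, and the hardware model is reported for a human to check against the vendor's list rather than decided by the script.

```python
"""Triage saved ASA `show version` / `show running-config` output for campaign exposure.
Added example; not Cisco, NCSC or article code.  Sample inputs below are constructed."""
import re

# Software trains named in the advisory summary above.
AFFECTED_TRAINS = {"9.12", "9.14"}

VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version "
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)(?P<interim>\d*)"
)
HARDWARE_RE = re.compile(r"^Hardware:\s+(?P<model>[^,\s]+)", re.MULTILINE)


def parse_version(show_version: str):
    """Return (full version string, train) from `show version` text, e.g. ('9.14(4)24', '9.14')."""
    m = VERSION_RE.search(show_version)
    if not m:
        return None, None
    full = f"{m['major']}.{m['minor']}({m['maint']}){m['interim']}"
    return full, f"{m['major']}.{m['minor']}"


def parse_hardware(show_version: str):
    """Model string from the `Hardware:` line; left for a human to check against the vendor list."""
    m = HARDWARE_RE.search(show_version)
    return m["model"] if m else None


def vpn_web_interfaces(running_config: str):
    """Interfaces on which the VPN web server is enabled: `enable <if>` lines inside the `webvpn` block."""
    enabled, in_webvpn = [], False
    for line in running_config.splitlines():
        if not line.startswith(" "):            # any top-level command closes the current block
            in_webvpn = line.strip() == "webvpn"
            continue
        parts = line.split()
        if in_webvpn and len(parts) == 2 and parts[0] == "enable":
            enabled.append(parts[1])
    return enabled


def assess(show_version: str, running_config: str) -> dict:
    """Exposed = on an affected train AND VPN web server enabled on at least one interface (assumption)."""
    full, train = parse_version(show_version)
    ifaces = vpn_web_interfaces(running_config)
    on_affected_train = train in AFFECTED_TRAINS
    return {
        "version": full,
        "train": train,
        "hardware": parse_hardware(show_version),
        "vpn_web_interfaces": ifaces,
        "affected_train": on_affected_train,
        "exposed": on_affected_train and bool(ifaces),
    }


# Constructed sample output (not captured from real devices).
SAMPLE_VERSION_OLD = """Cisco Adaptive Security Appliance Software Version 9.14(4)24
Device Manager Version 7.14(1)

Hardware:   ASA5525, 8192 MB RAM
"""
SAMPLE_CONFIG_WEBVPN = """hostname asa-edge-1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
webvpn
 enable outside
 anyconnect enable
!
"""
SAMPLE_VERSION_NEW = """Cisco Adaptive Security Appliance Software Version 9.20(3)7
Hardware:   FPR-2110, 16384 MB RAM
"""
SAMPLE_CONFIG_NO_WEBVPN = """hostname asa-lab-2
!
interface GigabitEthernet0/0
 nameif outside
!
"""

if __name__ == "__main__":
    for sv, cfg in ((SAMPLE_VERSION_OLD, SAMPLE_CONFIG_WEBVPN), (SAMPLE_VERSION_NEW, SAMPLE_CONFIG_NO_WEBVPN)):
        print(assess(sv, cfg))
```

Run it against the text files an inventory job already pulls from each firewall; the `hardware` field is the one a reviewer then checks against the vendor's list of models that lack Secure Boot, since a device on a newer train but old hardware still needs its ROMMON integrity considered.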
Cisco also fixed a third flaw, CVE-2025-20363 (CVSS score: 9.0), in the web services of Adaptive Security Appliance (ASA) Software, Secure Firewall Threat Defense (FTD) Software, IOS Software, IOS XE Software and IOS XR Software; it too could allow an attacker to execute arbitrary code on an affected device. Unlike CVE-2025-20362 and CVE-2025-20333, there is no evidence that it has been exploited in the wild.
The Canadian Centre for Cyber Security has urged organizations in Canada to act as soon as possible by updating Cisco ASA and FTD products to a fixed release. The U.K. National Cyber Security Centre (NCSC) has released a companion advisory with its malware analysis, emphasizing that the attackers used a multi-stage bootkit, RayInitiator, to deploy LINE VIPER.
The practical consequence of a bootkit is that a reboot or a software upgrade no longer evicts the implant, which is what defenders have traditionally relied on for network appliances. Combined with LINE VIPER's suppression of syslog and harvesting of administrator CLI commands, the usual device-side signals of compromise are either silenced or turned against the operator, which is why this campaign is especially concerning for organizations that depend on Cisco ASA firewalls at their network edge.
To mitigate these threats, upgrade every affected device to a fixed software release as soon as possible; hardware that is past end of support and cannot run a fixed release should be replaced rather than left in service. Because LINE VIPER suppresses syslog, harvests administrator CLI commands and bypasses VPN AAA, detection has to rely on evidence held outside the device: an unexplained drop or gap in the syslog stream from an ASA, unexpected reboots, and VPN activity that lacks corresponding authentication records are all worth alerting on. A device on which ROMMON has been modified cannot be made trustworthy by a software upgrade alone, since the modification survives the upgrade. Organizations should also have an incident response plan ready that covers isolating, collecting evidence from and replacing a compromised firewall.
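Because LINE VIPER suppresses syslog and can force a delayed reboot, the device's own log buffer is not a reliable witness; the collector that receives the ASA's syslog stream is. The script below, an added example and not something from the vendor or agency advisories, reads collector-side ASA syslog lines and reports, per device, every gap between consecutive messages that meets a threshold. The syslog lines are constructed, the 600-second threshold is an assumption, and the premise that each monitored ASA normally emits a message at least every few minutes is the author's; in production a per-device baseline learned from history should replace the fixed threshold.

```python
"""Flag silent windows in collector-side ASA syslog.  Added example, not advisory code.
Sample lines are constructed; the gap threshold is an assumption."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not captured from a real device): asa-edge-1 goes quiet for 35 minutes.
SAMPLE_SYSLOG = """\
Sep 25 10:00:00 asa-edge-1 %ASA-6-302013: Built outbound TCP connection 1001
Sep 25 10:01:00 asa-edge-1 %ASA-6-302014: Teardown TCP connection 1001
Sep 25 10:02:00 asa-edge-1 %ASA-6-302013: Built outbound TCP connection 1002
Sep 25 10:03:00 asa-edge-1 %ASA-6-302014: Teardown TCP connection 1002
Sep 25 10:04:00 asa-edge-1 %ASA-6-302013: Built outbound TCP connection 1003
Sep 25 10:05:00 asa-edge-1 %ASA-6-302014: Teardown TCP connection 1003
Sep 25 10:40:00 asa-edge-1 %ASA-6-302013: Built outbound TCP connection 1004
Sep 25 10:41:00 asa-edge-1 %ASA-6-302014: Teardown TCP connection 1004
Sep 25 10:00:30 asa-lab-2 %ASA-6-302013: Built outbound TCP connection 2001
Sep 25 10:01:30 asa-lab-2 %ASA-6-302014: Teardown TCP connection 2001
Sep 25 10:02:30 asa-lab-2 %ASA-6-302013: Built outbound TCP connection 2002
Sep 25 10:03:30 asa-lab-2 %ASA-6-302014: Teardown TCP connection 2002
"""

# BSD-style syslog header as written by the collector, then the ASA message ID and text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msgid>%ASA-\d-\d+): (?P<text>.*)$"
)


def parse_syslog(text: str, year: int = 2025):
    """Group (timestamp, message id) pairs by device, sorted by time.  The BSD header has no year,
    so the caller supplies it (assumption: the capture does not span a year boundary)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # non-ASA or malformed line: ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["host"]].append((ts, m["msgid"]))
    for host in events:
        events[host].sort()
    return dict(events)


def find_silent_windows(text: str, min_gap_seconds: float = 600, year: int = 2025):
    """Return {host: [(gap_start, gap_end, seconds), ...]} for every inter-message gap >= threshold."""
    findings = {}
    for host, evs in parse_syslog(text, year).items():
        gaps = []
        for (t0, _), (t1, _) in zip(evs, evs[1:]):
            delta = (t1 - t0).total_seconds()
            if delta >= min_gap_seconds:
                gaps.append((t0, t1, delta))
        findings[host] = gaps
    return findings


if __name__ == "__main__":
    for host, gaps in find_silent_windows(SAMPLE_SYSLOG).items():
        for start, end, secs in gaps:
            print(f"{host}: silent {secs:.0f}s from {start:%H:%M:%S} to {end:%H:%M:%S}")
```

A silent window is only a lead: a scheduled maintenance window or a collector outage produces the same gap, so correlate it with change records, with the device uptime reported afterwards (a reboot the actor forced will show up as a reset uptime), and with the VPN authentication records the bypassed AAA would otherwise have produced.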
Related Information:
https://www.ethicalhackingnews.com/articles/Cisco-ASA-Firewall-Zero-Day-Exploits-Deploy-RayInitiator-and-LINE-VIPER-Malware-A-Sophisticated-Threat-Vector-ehn.shtml
https://thehackernews.com/2025/09/cisco-asa-firewall-zero-day-exploits.html
https://nvd.nist.gov/vuln/detail/CVE-2025-20362
https://www.cvedetails.com/cve/CVE-2025-20362/
https://nvd.nist.gov/vuln/detail/CVE-2025-20333
https://www.cvedetails.com/cve/CVE-2025-20333/
Published: Fri Sep 26 08:34:34 2025 by llama3.2 3B Q4_K_M