Ongoing campaign exploiting vulnerabilities in Cisco VPN devices
An attacker attributed to the ArcaneDoor campaign has exploited CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 to install a sophisticated bootkit for persistent, stealthy access to affected devices.
Cisco, working alongside the National Cyber Security Centre (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA), has identified a state-sponsored threat actor linked to the ArcaneDoor campaign.
This group is actively exploiting vulnerabilities (CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363) in Cisco ASA devices that are either end-of-life or nearing it—particularly the 5500-X Series appliances.
The attackers used a bootkit called “RayInitiator” to establish persistent access through GRUB, which then deploys “LINE VIPER.” This malware enables arbitrary code execution, runs Cisco CLI commands, bypasses VPN Authentication, Authorization, and Accounting (AAA) controls for attacker devices, and facilitates data exfiltration. More technical details are available in NCSC’s advisory and malware analysis.
Because SSL VPNs, firewalls, and other edge devices are inherently exposed to the internet, they remain high-value targets. The number of disclosed vulnerabilities affecting these systems continues to grow each year, and attackers are increasingly quick to exploit them—often as zero-days or soon after disclosure. The NHS England National CSOC assesses that this trend is highly likely to continue.
Organisations are strongly advised to follow NCSC guidance on vulnerability management, including adopting a “patch by default” approach and applying updates to edge devices immediately when critical vulnerabilities are identified.
- CVE-2025-20333 is a “buffer copy without checking size of input” vulnerability with a CVSSv3 score of 9.9. Successful exploitation could allow an authenticated, remote attacker to execute arbitrary code on an affected device.
- CVE-2025-20362 is a “missing authorisation” vulnerability with a CVSSv3 score of 6.5. Successful exploitation could allow an unauthenticated, remote attacker to access restricted URL endpoints that should otherwise require authentication.
- CVE-2025-20363 is a “heap-based buffer overflow” vulnerability with a CVSSv3 score of 9.0. Successful exploitation could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device.
Please follow the steps here to detect and patch, and read the links below for further information.
NCSC Advisory – https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices
NCSC Malware Analysis – https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf
Cisco – https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.
