October 6, 2025

Deep Dive: Cisco ASA Zero‑Day Exploit Campaign (ArcaneDoor/UAT4356/Storm‑1849)

Protos AI Agent, under the supervision of Demas

#ThreatIntelligence #ZeroDay #CiscoASA #FTD #ArcaneDoor #UAT4356 #Storm1849 #CISA #ProtosAI

Executive Summary

A likely state‑sponsored actor is exploiting multiple zero‑day vulnerabilities in Cisco ASA and FTD devices, in activity aligned with the ArcaneDoor ecosystem (aka UAT4356 / Storm‑1849). The core chain pairs an authentication bypass — CVE‑2025‑20362 — with remote code execution — CVE‑2025‑20333 / CVE‑2025‑20363 — to gain root on internet‑exposed appliances. Operators then employ persistence and evasion tactics, including bootloader/firmware implants (e.g., RayInitiator → LINE VIPER), log suppression, CLI interception, and crash abuse, enabling access that can survive reboots and upgrades. In response, CISA ED‑25‑03 (with supplemental memory/core‑collection guidance) and UK NCSC advisories call for immediate hunting, evidence preservation, and patching, with many organizations aligning internal SLAs to ED‑25‑03/KEV deadlines.

Technical Details

Vulnerabilities Exploited

  • CVE‑2025‑20362 — Authentication bypass: Unauthenticated reach to restricted WebVPN endpoints (initial access/enabler).
  • CVE‑2025‑20333 — Remote code execution: Root‑level RCE on ASA/FTD; used to deploy implants, suppress logs, and alter configs.
  • CVE‑2025‑20363 — Heap overflow RCE: Alternate RCE path; exploitable without authentication on ASA/FTD, and from a low‑privileged position on IOS/IOS XE/IOS XR.

Typical Attack Flow

  1. Probe → 20362 to access restricted WebVPN endpoints.
  2. Chain → 20333/20363 for root RCE; drop implants, suppress logs, alter configs.
  3. Persistence & anti‑forensics: Logging suppression, CLI interception, crash‑induced gaps.
  4. High‑value durability: Bootloader implants (e.g., RayInitiator) load LINE VIPER for C2 over HTTPS/ICMP.

Target Profile & Versions

  • Primary: Cisco ASA 5500‑X and FTD, especially older/EoS trains (e.g., 9.12/9.14). Expansion via 20363 to select IOS/IOS XE/IOS XR contexts.

Key Artifact

  • disk0:/firmware_update.log — presence or modification after patch + reboot strongly suggests prior persistence/implant activity.

MITRE ATT&CK Mapping — Cisco ASA/FTD Zero‑Day Campaign

Techniques reflecting exploitation, persistence, evasion, and C2 assessed for ArcaneDoor on Cisco ASA/FTD.

Each entry lists the ATT&CK tactic, the technique and its ID, why it matters in this campaign, and practical detection/telemetry ideas.

  • Initial Access: Exploit Public-Facing Application (WebVPN endpoints), T1190
    Why it matters here: CVE-2025-20362 enables front-door access to restricted URLs without credentials.
    Detection/telemetry ideas: Reverse-proxy/WAF logs for odd paths/verbs; spikes to restricted URLs; clusters of 4xx/5xx anomalies.
  • Privilege Escalation / Execution: Exploitation for Privilege Escalation (RCE to root), T1068
    Why it matters here: Chained CVE-2025-20333/-20363 yields root to deploy implants and modify configs.
    Detection/telemetry ideas: Detect unusual service restarts and uptime resets; config diffs; module/process loads (where telemetry exists).
  • Persistence: Bootloader (Firmware), T1542.003
    Why it matters here: RayInitiator bootkit persists across reboots/upgrades.
    Detection/telemetry ideas: Check ROMMON/boot variables; verify image integrity; watch for disk0:/firmware_update.log after patch+reboot.
  • Persistence: Server Software Component (on-device backdoor/webshell), T1505
    Why it matters here: Appliance-resident components (e.g., loaders such as LINE VIPER) sustain access.
    Detection/telemetry ideas: Hash/diff WebVPN/AnyConnect packages; enumerate unexpected web resources; compare startup vs running-config.
  • Defense Evasion: Impair Defenses (logging/visibility), T1562
    Why it matters here: Actors suppress logs, intercept CLI, and induce crashes to blind monitoring.
    Detection/telemetry ideas: Alert on logging config edits; detect missing syslog windows; crash/reboot bursts; admin-IP CLI anomalies.
  • Defense Evasion: Indicator Removal on Host, T1070
    Why it matters here: Artifact removal/alteration on appliance storage.
    Detection/telemetry ideas: File integrity monitoring on disk0:/; timestamp anomalies around suspected incident windows.
  • Command & Control: Application Layer Protocol: Web (HTTPS), T1071.001
    Why it matters here: C2 over HTTPS blends with portal traffic (including clientless sessions).
    Detection/telemetry ideas: Beacon interval clustering; firewall-origin egress to rare ASNs; JA3/JA4 outliers from the appliance IP.
  • Command & Control / Exfiltration: Exfiltration Over C2 Channel, T1041
    Why it matters here: LINE VIPER modules can move data over HTTPS/ICMP tunnels.
    Detection/telemetry ideas: Volume/ratio anomalies on egress; long-lived sessions with atypical bytes; ICMP payload irregularities.

Detection & Hunting Playbook

Day‑0 triage

  • Inventory ASA/FTD exposure; list WebVPN portals, firmware trains, uptime anomalies.
  • Fast checks: disk0:/firmware_update.log after patch+reboot; unfamiliar files in disk0:/; AnyConnect/Portal diffs.
  • Correlate syslog suppressions, unexpected reboots, and CLI anomalies near first disruption.
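As an added worked example for the triage step above (this is not code from the original report, from Cisco, or from CISA), the following Python script walks an ASA syslog export and surfaces the two signals the playbook asks for: silence windows longer than a threshold (possible log suppression or crash-induced gaps) and CLI commands that touch the logging configuration. The syslog lines are constructed; %ASA-6-302013 and %ASA-5-111008 are real ASA message IDs, but the hostname, addresses, user, timestamps and the timestamp layout are assumptions about how the collector wrote the lines.

```python
"""Day-0 triage helper: find syslog silence windows and logging-config edits.

Added example, not code from the original report or from Cisco. The syslog
lines are constructed; the message IDs are real ASA IDs, everything else
(hostname, addresses, user, timestamps, timestamp layout) is invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: normal traffic, a 40-minute hole, then an operator
# removing the syslog host, then traffic resumes.
SAMPLE_SYSLOG = """\
Oct 06 2025 09:00:01 fw-edge-01 %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.10/51000 (203.0.113.10/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
Oct 06 2025 09:00:31 fw-edge-01 %ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.11/51001 (203.0.113.11/51001) to inside:10.0.0.5/443 (10.0.0.5/443)
Oct 06 2025 09:01:02 fw-edge-01 %ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.12/51002 (203.0.113.12/51002) to inside:10.0.0.5/443 (10.0.0.5/443)
Oct 06 2025 09:41:15 fw-edge-01 %ASA-5-111008: User 'enable_15' executed the 'no logging host inside 10.0.0.50' command.
Oct 06 2025 09:41:20 fw-edge-01 %ASA-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.13/51003 (203.0.113.13/51003) to inside:10.0.0.5/443 (10.0.0.5/443)
Oct 06 2025 09:41:44 fw-edge-01 %ASA-5-111008: User 'enable_15' executed the 'show version' command.
"""

# Assumed line layout: "<Mon DD YYYY HH:MM:SS> <host> %ASA-<sev>-<msgid>: <body>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<body>.*)$"
)
# Body of %ASA-5-111008: "User 'x' executed the 'y' command."
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command\.")


def parse_syslog(text):
    """Parse lines matching LINE_RE into dicts; lines in other layouts are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "host": m["host"],
            "msgid": m["msgid"],
            "body": m["body"],
        })
    return events


def find_silence_gaps(events, max_gap_seconds=600):
    """Per host, return (host, start, end, seconds) for every silence longer than the threshold.

    A busy edge firewall normally logs continuously, so a long hole is worth
    correlating with reboots, crashes and logging-config edits.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for prev, cur in zip(times, times[1:]):
            delta = (cur - prev).total_seconds()
            if delta > max_gap_seconds:
                gaps.append((host, prev, cur, int(delta)))
    return gaps


def find_logging_config_edits(events):
    """Return (timestamp, user, command) for CLI commands that mention 'logging'."""
    hits = []
    for e in events:
        if e["msgid"] != "111008":
            continue
        m = CMD_RE.search(e["body"])
        if m and re.search(r"\blogging\b", m["cmd"]):
            hits.append((e["ts"], m["user"], m["cmd"]))
    return hits


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_SYSLOG)
    for host, start, end, secs in find_silence_gaps(evs):
        print(f"[gap] {host}: {start} -> {end} ({secs}s of silence)")
    for ts, user, cmd in find_logging_config_edits(evs):
        print(f"[logging edit] {ts} {user}: {cmd}")
```

Run it against a real export by replacing SAMPLE_SYSLOG with the collected text and adjusting LINE_RE to the collector's timestamp layout; the gap threshold should be tuned per device to its normal log rate, and any gap that coincides with a logging-config edit or a reboot deserves the memory/core collection described in the next section before anything is power-cycled.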

Memory & forensics

  • Collect core dumps/memory snapshots before any power‑cycle per ED‑25‑03 supplemental guidance.

Network analytics

  • Hunt odd WebVPN requests to restricted URLs; anomalous verbs/paths.
  • Baseline HTTPS/ICMP egress from the firewall; flag long‑lived clientless sessions and unusual transfer volumes.
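As an added worked example covering both bullets above and the beacon-interval clustering idea from the ATT&CK mapping (this is not code from the original report or from Cisco), the following Python script implements two hunts: restricted WebVPN paths served successfully to requests that carry no portal session, plus unexpected HTTP verbs, from a reverse-proxy access log; and near-constant inter-arrival times in egress flows that originate from the firewall's own address. Both log formats are simplified and constructed, and the restricted-path prefixes are placeholders an operator would replace with the paths the vendor advisory identifies.

```python
"""Network analytics: WebVPN request hunting and firewall-egress beacon detection.

Added example, not code from the original report or from Cisco. The access
log and flow export formats are constructed simplifications; the restricted
path prefixes are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Placeholder prefixes that should only be reachable by an authenticated
# portal session; in practice these come from the vendor advisory.
RESTRICTED_PREFIXES = ("/portal/", "/admin/")
EXPECTED_METHODS = {"GET", "POST", "HEAD"}

# Constructed access log: "<timestamp> <src-ip> <method> <path> <status> session=<yes|no>"
WEB_LOG = """\
2025-10-06T09:00:01Z 203.0.113.10 GET /portal/home 200 session=yes
2025-10-06T09:00:05Z 203.0.113.10 POST /portal/upload 200 session=yes
2025-10-06T09:00:09Z 198.51.100.77 GET /portal/home 200 session=no
2025-10-06T09:00:12Z 198.51.100.77 TRACE /portal/home 405 session=no
2025-10-06T09:00:20Z 203.0.113.44 GET /login 302 session=no
"""

# Constructed flow export: "<timestamp> <src-ip> <dst-ip> <dst-port> <bytes>".
# 198.51.100.1 is the firewall's own outside address; 192.0.2.7 is contacted
# every ~5 minutes, 192.0.2.8 irregularly.
FLOW_LOG = """\
2025-10-06T09:00:00Z 198.51.100.1 192.0.2.7 443 1220
2025-10-06T09:05:01Z 198.51.100.1 192.0.2.7 443 1198
2025-10-06T09:09:59Z 198.51.100.1 192.0.2.7 443 1231
2025-10-06T09:15:00Z 198.51.100.1 192.0.2.7 443 1205
2025-10-06T09:20:02Z 198.51.100.1 192.0.2.7 443 1190
2025-10-06T09:24:58Z 198.51.100.1 192.0.2.7 443 1214
2025-10-06T09:00:00Z 198.51.100.1 192.0.2.8 443 50233
2025-10-06T09:02:00Z 198.51.100.1 192.0.2.8 443 8123
2025-10-06T09:10:00Z 198.51.100.1 192.0.2.8 443 9001
2025-10-06T09:11:00Z 198.51.100.1 192.0.2.8 443 312
2025-10-06T09:30:00Z 198.51.100.1 192.0.2.8 443 40011
2025-10-06T09:31:00Z 198.51.100.1 192.0.2.8 443 1500
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt_webvpn_requests(log_text, restricted_prefixes=RESTRICTED_PREFIXES):
    """Return (ts, src, reason, method, path) findings.

    Two rules: a restricted path answered 200 to a request with no portal
    session, and any HTTP method outside the expected set.
    """
    prefixes = tuple(restricted_prefixes)
    findings = []
    for line in log_text.splitlines():
        ts, src, method, path, status, session = line.split()
        has_session = session == "session=yes"
        if path.startswith(prefixes) and status == "200" and not has_session:
            findings.append((ts, src, "unauthenticated_restricted_200", method, path))
        if method not in EXPECTED_METHODS:
            findings.append((ts, src, "unusual_method", method, path))
    return findings


def find_beacons(flow_text, firewall_ip, min_flows=5, max_cv=0.1):
    """Group firewall-originated flows by (dst, port) and flag low-jitter timing.

    Coefficient of variation (stddev / mean) of the inter-arrival times near
    zero means a fixed-interval callback, which is what an implant's C2
    channel looks like in flow data regardless of the bytes carried.
    """
    by_dst = defaultdict(list)
    for line in flow_text.splitlines():
        ts, src, dst, dport, _nbytes = line.split()
        if src == firewall_ip:
            by_dst[(dst, int(dport))].append(_ts(ts))
    beacons = []
    for (dst, dport), times in by_dst.items():
        if len(times) < min_flows:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        cv = pstdev(intervals) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons.append({"dst": dst, "dport": dport, "flows": len(times),
                            "mean_interval": avg, "cv": cv})
    return beacons


if __name__ == "__main__":
    for f in hunt_webvpn_requests(WEB_LOG):
        print("[web]", *f)
    for b in find_beacons(FLOW_LOG, "198.51.100.1"):
        print(f"[beacon] {b['dst']}:{b['dport']} every ~{b['mean_interval']:.0f}s (cv={b['cv']:.3f})")
```

The session flag is whatever the proxy can record about the portal cookie; where the appliance itself is the only vantage point, the same rule can be applied to its own WebVPN access logging. The beacon detector deliberately ignores byte counts so that small heartbeats are not missed, and egress from the firewall's own address to any destination that is not an update, DNS, NTP or logging server is already unusual enough to review even without a beacon score.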

Host & config integrity

  • Diff running vs startup‑config; hash/diff AnyConnect packages and WebVPN resources.
  • Validate boot variables/GRUB entries; verify secure boot/ROMMON integrity.
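As an added worked example for the two integrity checks above (this is not code from the original report or from Cisco), the following Python script diffs a startup-config against a running-config and compares a known-good manifest of disk0:/ hashes against a current listing, flagging new, modified and missing files and the disk0:/firmware_update.log artifact in particular. The config snippets use ASA-style syntax but are constructed, as are the file names and the byte strings behind the hashes; in practice the baseline manifest would come from a trusted post-install snapshot and the current one from a fresh hash listing of the appliance.

```python
"""Host and config integrity: startup vs running-config diff and a disk0:/ manifest check.

Added example, not code from the original report or from Cisco. Config
text, file names and file contents are constructed.
"""
import hashlib

# Constructed ASA-style configs. The running config has lost its syslog host
# and gained SSH access from the outside interface.
STARTUP_CONFIG = """\
hostname fw-edge-01
logging enable
logging host inside 10.0.0.50
webvpn
 enable outside
ssh 10.0.0.0 255.255.255.0 management
"""

RUNNING_CONFIG = """\
hostname fw-edge-01
logging enable
webvpn
 enable outside
ssh 10.0.0.0 255.255.255.0 management
ssh 203.0.113.0 255.255.255.0 outside
"""


def _config_lines(text):
    """Normalise a config: strip indentation, drop blanks and '!'/':' comment lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        lines.append(line)
    return lines


def diff_configs(startup, running):
    """Return (added, removed): lines only in running vs only in startup.

    Set-based on purpose: saving a config reorders sections, so an ordered
    diff would report noise. Order within each returned list follows the
    source config.
    """
    s, r = _config_lines(startup), _config_lines(running)
    s_set, r_set = set(s), set(r)
    added = [line for line in r if line not in s_set]
    removed = [line for line in s if line not in r_set]
    return added, removed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifests: path -> sha256 of the file. The byte strings stand in
# for real file contents; the file names are placeholders.
BASELINE_MANIFEST = {
    "disk0:/asa-image.bin": sha256_hex(b"known-good ASA image bytes"),
    "disk0:/anyconnect-pkg.pkg": sha256_hex(b"known-good AnyConnect package bytes"),
}
CURRENT_MANIFEST = {
    "disk0:/asa-image.bin": sha256_hex(b"known-good ASA image bytes"),
    "disk0:/anyconnect-pkg.pkg": sha256_hex(b"AnyConnect package bytes after an unexpected change"),
    "disk0:/firmware_update.log": sha256_hex(b"log written after patch and reboot"),
}

# Paths whose mere presence after patch+reboot is the key artifact from the report.
WATCH_PATHS = ("disk0:/firmware_update.log",)


def compare_manifests(baseline, current, watch_paths=WATCH_PATHS):
    """Classify every path as new, missing or modified, and report watch-list hits."""
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    watch_hits = sorted(p for p in watch_paths if p in current)
    return {"new": new, "missing": missing, "modified": modified, "watch_hits": watch_hits}


if __name__ == "__main__":
    added, removed = diff_configs(STARTUP_CONFIG, RUNNING_CONFIG)
    print("config lines added to running:", added)
    print("config lines missing from running:", removed)
    print("disk0:/ manifest result:", compare_manifests(BASELINE_MANIFEST, CURRENT_MANIFEST))
```

Both checks only have value against a baseline captured when the device was known good, so the manifest should be recorded immediately after a clean install and stored off the appliance; a watch-list hit or a modified VPN package after patch+reboot is the trigger for the re-image path in the remediation section rather than a cleanup in place.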

Mitigation & Remediation (Priority‑Ordered)

  1. Patch to fixed releases for 20333/20362/20363; verify install and reboot.
  2. Harden while patching: temporarily disable Clientless SSL VPN/WebVPN; restrict management to out‑of‑band; enforce admin ACLs; prefer certificate‑based VPN; rotate AnyConnect packages and regenerate certs/keys if compromise suspected.
  3. If persistence suspected: disconnect → capture a forensic image of the device → re‑image from known‑good media → restore from pre‑incident backups after scrubbing them; replace EoS/EoL ASA 5500‑X units lacking modern boot protections.
  4. Programmatic hygiene: Track CVEs in KEV/must‑patch lists; align deadlines with ED‑25‑03.

Indicators of Compromise (Starter Set)

  • Files/paths: disk0:/firmware_update.log (post‑patch touch), unexpected WebVPN custom files, rogue modules.
  • Behaviors: Log suppression patterns, forced crash/reboot windows, unusual HTTPS/ICMP from the firewall.
  • Targets: ASA/FTD on older trains (e.g., 9.12/9.14); internet‑exposed WebVPN portals.

Treat IOCs as directional; prefer behavior‑based detections for stealthy campaigns.

FAQ (Exec & Ops)

Only Cisco ASA? Predominantly ASA/FTD; 20363 implicates additional Cisco software in limited contexts.
Reboots sufficient? No—firmware/bootloader persistence is reported; plan re‑image and ROM checks.
Timelines? Use ED‑25‑03 timelines as baseline; many teams target 48–72h for internet‑exposed units.

References & Further Reading

  • CISA Emergency Directive ED‑25‑03 & Supplemental Direction (collection/hunt).
  • Cisco Security Advisories and fixed‑release matrix for ASA/FTD.
  • Unit 42, Zscaler ThreatLabz, Rapid7 analyses (vuln chaining, log suppression, affected firmware lines).
  • Press coverage on urgency and ongoing exploitation.
