A single unpatched security flaw can put a whole network at risk. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ordering U.S. federal civilian agencies to fix vulnerabilities in Cisco firewall products that attackers are already exploiting. The timeline is tight: CISA expects remediation to happen promptly, not on the next routine patch cycle.
What are the affected Cisco appliances?
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software are affected. Two of the vulnerabilities, CVE-2025-20333 and CVE-2025-20362, when chained together, could allow an attacker to:
- Execute code remotely on the device without valid credentials
- Persist malicious code on the device so that it survives reboots and software upgrades
Mechanism of the attacks
The attackers are targeting older ASA hardware that lacks Secure Boot and Trust Anchor protections, so the boot process cannot be verified. On those devices they use malware tracked as LINE VIPER and a bootkit named RayInitiator to:
- Take control of the device
- Run commands that collect and exfiltrate information
- Remain on the device even after it is restarted
The ArcaneDoor campaign
These attacks are part of the campaign known as ArcaneDoor, which has been active since November 2023. The attackers are tracked by Cisco Talos as UAT4356, and in the earlier phase of the campaign (disclosed in 2024) they exploited flaws in previous ASA releases to breach networks around the world. In that phase they deployed two pieces of malware: Line Dancer, an in-memory loader that executes malicious code without writing it to disk, and Line Runner, a backdoor used to maintain control of infected devices.
What agencies should do now
According to CISA, agencies must:
- Inventory and review every Cisco ASA and Firepower device
- Collect and document forensic evidence from each device to determine whether it has been compromised
- Isolate compromised devices and remediate them as soon as possible
- Disconnect and remove devices that have reached end of support
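The first and last of those steps start with an inventory: which model each firewall is, which software train it runs, and whether that release predates the fixed one. The script below is an added example written for this page, not CISA's or Cisco's tooling. It parses the `show version` output of several ASA devices (the outputs are constructed for illustration) and sorts each device into an action bucket. The fixed-version table and the end-of-support model set are placeholders that must be filled in from Cisco's advisory before use; the script does not know the real fixed releases.

```python
"""Triage Cisco ASA 'show version' output against the directive's steps.

Added example, not code from the original article, CISA or Cisco.
FIXED_BY_TRAIN and END_OF_SUPPORT_MODELS are PLACEHOLDERS: fill them in
from Cisco's advisory for CVE-2025-20333 / CVE-2025-20362. The sample
outputs below are constructed, not captured from real devices.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)


class Device(NamedTuple):
    hostname: str
    model: str
    version: Version


# ASA prints e.g. "Software Version 9.16(4)38"; the interim number may be absent.
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d+)?")
# Hardware line looks like "Hardware:   ASA5515, 8192 MB RAM, ..."
HARDWARE_RE = re.compile(r"^Hardware:\s+([^,\s]+)", re.MULTILINE)

# HYPOTHETICAL placeholder values: replace with the first fixed release
# of each train from Cisco's advisory.
FIXED_BY_TRAIN: Dict[Tuple[int, int], Version] = {
    (9, 16): (9, 16, 4, 99),
    (9, 18): (9, 18, 4, 99),
}
# HYPOTHETICAL placeholder set: replace with Cisco's end-of-support list.
END_OF_SUPPORT_MODELS = {"ASA5505", "ASA5510", "ASA5520"}


def fmt_version(v: Version) -> str:
    """Render a version tuple the way ASA prints it, e.g. 9.16(4)99."""
    return "%d.%d(%d)%d" % v


def parse_show_version(hostname: str, text: str) -> Optional[Device]:
    """Extract model and running version from 'show version' output."""
    v = VERSION_RE.search(text)
    h = HARDWARE_RE.search(text)
    if not v or not h:
        return None  # unparseable output still needs a manual look
    major, minor, maint, interim = v.groups()
    version = (int(major), int(minor), int(maint), int(interim or 0))
    return Device(hostname, h.group(1), version)


def triage(dev: Device) -> List[str]:
    """Map a device to the directive's actions. Every device is reviewed;
    unsupported hardware is removed, older releases are isolated until patched."""
    actions = ["review and collect forensic evidence"]
    if dev.model in END_OF_SUPPORT_MODELS:
        actions.append("end-of-support: disconnect and remove")
        return actions
    fixed = FIXED_BY_TRAIN.get(dev.version[:2])
    if fixed is None:
        actions.append("unknown train: check advisory")
    elif dev.version < fixed:
        actions.append("vulnerable: isolate until upgraded to " + fmt_version(fixed))
    else:
        actions.append("running fixed release")
    return actions


def triage_all(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Triage a hostname -> 'show version' text mapping."""
    result = {}
    for host, text in outputs.items():
        dev = parse_show_version(host, text)
        result[host] = triage(dev) if dev else ["unparseable output: inspect manually"]
    return result


# Constructed sample outputs (shape follows ASA 'show version'; values are made up).
SAMPLE_OUTPUTS = {
    "fw-edge-1": (
        "Cisco Adaptive Security Appliance Software Version 9.16(4)38\n"
        "Device Manager Version 7.16(1)\n"
        "Hardware:   ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)\n"
    ),
    "fw-old-dc": (
        "Cisco Adaptive Security Appliance Software Version 9.12(4)67\n"
        "Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz\n"
    ),
    "fw-edge-2": (
        "Cisco Adaptive Security Appliance Software Version 9.18(4)99\n"
        "Hardware:   ASA5545, 12288 MB RAM, CPU Lynnfield 2660 MHz, 1 CPU (8 cores)\n"
    ),
    "fw-odd": "Cisco Adaptive Security Appliance Software Version 9.20(3)\nHardware:   ASA5555, 16384 MB RAM\n",
}

if __name__ == "__main__":
    for host, actions in triage_all(SAMPLE_OUTPUTS).items():
        print(host + ": " + "; ".join(actions))
```

Run it against real `show version` captures by replacing `SAMPLE_OUTPUTS`; a device that parses but lands in "unknown train" is exactly the case where a reviewer should read the advisory rather than trust the script.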
Important points
This should be read as a serious warning: trusted perimeter devices such as Cisco firewalls are hackable, and a compromised firewall sits at the point where the network is supposed to be defended. Cybersecurity is never optional. Networks need immediate patching, consistent monitoring and defense-in-depth. If you own a network, pay attention: attackers move quickly, and a single device missed by a security update can be enough to cause serious damage.