State-Backed Espionage Campaign Exploits Cisco Firewalls via Zero-Day Vulnerabilities
A state-backed espionage campaign associated with ArcaneDoor is exploiting two zero-day vulnerabilities in Cisco's Adaptive Security Appliance and Firepower Threat Defense devices, enabling attackers to gain covert access and capture sensitive information. Cisco, CISA, and other security agencies have issued urgent warnings, as the vulnerabilities allow for arbitrary code execution and unauthenticated access to restricted URLs. With no patches available yet, experts recommend restricting access and enhancing intrusion detection measures to mitigate risks to national security and critical infrastructure.

A state-backed espionage campaign linked to ArcaneDoor (Storm-1849) is exploiting two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in Cisco Adaptive Security Appliance (ASA) 5500-X and Firepower Threat Defense (FTD) devices. The attackers use RayInitiator, a GRUB bootkit, and LINEVIPER, a user-mode implant, to gain covert access, capture sensitive traffic, and bypass authentication controls.
Cisco, CISA, the Canadian Centre for Cyber Security, and NCSC have issued urgent warnings regarding active exploitation. The critical CVE-2025-20333 flaw allows authenticated attackers to execute arbitrary code, while CVE-2025-20362 grants unauthenticated access to restricted URLs.
Cisco has not yet released patches, prompting recommendations for restricting access and deploying intrusion detection measures. The campaign poses significant risks to national security and critical infrastructure, emphasizing the need for immediate containment and remediation efforts.