State-Backed Espionage Campaign Exploits Cisco Firewalls via Zero-Day Vulnerabilities
The state-backed espionage actor behind the ArcaneDoor campaign (tracked by Microsoft as Storm-1849) is exploiting two zero-day vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. On older ASA 5500-X hardware the attackers install RayInitiator, a GRUB bootkit that persists across reboots and software upgrades, which in turn loads LINE VIPER, a user-mode implant. Together these give covert access to the device, capture sensitive traffic passing through it, and bypass authentication controls.
Cisco, CISA, the Canadian Centre for Cyber Security, and the UK NCSC have issued urgent warnings about active exploitation. CVE-2025-20333 (critical) allows an authenticated attacker to execute arbitrary code on the device, while CVE-2025-20362 lets an unauthenticated attacker reach URLs that should require authentication; chained, the two give an unauthenticated remote attacker code execution.
Cisco has published fixed software alongside the advisories. Until it is applied, the agencies recommend restricting access to the devices' management and VPN web interfaces and monitoring for signs of compromise. Because the bootkit survives reboots and upgrades, patching alone does not evict an already implanted device: operators should collect forensic evidence from suspected devices before remediating them. The campaign poses significant risks to national security and critical infrastructure, emphasizing the need for immediate containment and remediation efforts.
