ArcaneDoor Attack (Cisco ASA Zero-Day)


What is the Attack?

Cisco has disclosed a state-sponsored espionage campaign targeting Cisco Adaptive Security Appliances (ASA), which are widely deployed for firewall, VPN, and other security functions.

  • Initial Advisory (April 24): Attackers exploited two previously unknown zero-day vulnerabilities in ASA devices to infiltrate government entities worldwide.

  • Malware Deployed: The intrusions involved two custom backdoors, “Line Runner” and “Line Dancer”, which worked in tandem to:

    • Alter device configurations

    • Conduct reconnaissance

    • Capture and exfiltrate network traffic

    • Enable potential lateral movement across victim networks

  • Update (September 25, 2025): Cisco observed new malicious activity specifically targeting ASA 5500-X Series appliances. To address this, it released patches for three newly assigned vulnerabilities:

    • CVE-2025-20333

    • CVE-2025-20362

    • CVE-2025-20363

This campaign highlights a sustained effort by sophisticated adversaries to weaponize zero-day flaws in widely deployed Cisco security appliances, with the goal of espionage and long-term persistence.

What is the recommended Mitigation?

What FortiGuard Coverage is available?

  • FortiGuard IPS Service is available to detect and block exploit attempts relating to the ArcaneDoor Attacks.
    Intrusion Prevention | FortiGuard Labs

  • FortiGuard Web Filtering Service protects against malicious URLs, domains, IPs, and other attacker-controlled infrastructure associated with this campaign, as identified in Cisco’s advisory.

  • FortiAnalyzer, FortiSIEM, and FortiSOAR leverage known Indicators of Compromise (IoCs) delivered through the Indicators of Compromise (IoC) Service to enhance threat hunting, detection, and automated response, strengthening investigation workflows and correlation against related threat activity. FortiGuard Labs continues to monitor for newly emerging IoCs to ensure proactive protection.

  • Meanwhile, FortiGuard Labs strongly recommends that users apply the patches provided by Cisco’s Product Security Incident Response Team (PSIRT).

  • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.
