
ArcaneDoor Hackers Renew Cisco Attacks with Stealthy Campaign

Summary

– A new cyber-attack campaign exploited the VPN web services of Cisco ASA 5500-X Series devices and is linked to the espionage-focused ArcaneDoor threat actor.
– Attackers used zero-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to implant malware, execute commands, and establish persistence by modifying the ROM Monitor.
– The campaign successfully compromised older ASA 5500-X models that lack Secure Boot and Trust Anchor technology, while newer models supporting these features were not successfully exploited.
– Cisco and government agencies like the UK’s NCSC urge organizations to patch devices, upgrade to fixed software releases, and migrate from end-of-life technology to mitigate risks.
– Recommended remediation includes upgrading software as a long-term solution or temporarily disabling all SSL/TLS-based VPN web services, with CISA issuing an Emergency Directive for federal agencies.

A newly discovered cyber-espionage campaign has successfully targeted Cisco Adaptive Security Appliance (ASA) firewalls, marking a significant resurgence of the sophisticated ArcaneDoor threat actor. This operation, which began in May 2025, leveraged multiple zero-day vulnerabilities to compromise specific models of Cisco’s perimeter defense systems. The primary objective was to implant malware, execute commands, and potentially steal sensitive data from infected devices.

Cisco’s investigation, initiated after alerts from multiple government agencies, determined with high confidence that this activity is connected to the same espionage-focused group responsible for the original ArcaneDoor campaign disclosed in early 2024. The attackers employed advanced evasion techniques, including disabling system logging, intercepting command line inputs, and deliberately crashing devices to obstruct forensic analysis. This sophisticated approach allowed them to maintain a stealthy presence on the network.

The campaign specifically exploited two critical vulnerabilities: CVE-2025-20333, which carries a severe CVSS score of 9.9, and CVE-2025-20362, rated at 6.5. A key finding from the investigation revealed that the threat actor modified the ROM Monitor (ROMMON) on compromised devices. This modification was designed to ensure persistence across reboots and software upgrades, a tactic that significantly complicates removal efforts.

Crucially, these successful compromises were only observed on older Cisco ASA 5500-X Series platforms that lack Secure Boot and Trust Anchor technologies. Models confirmed to be vulnerable include the 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X, many of which have already reached their end-of-support date. Newer models that incorporate these hardware-based security features, such as the 5506-X and 5516-X series, have not shown evidence of successful malware implantation or persistent modifications.

Security officials are urging immediate action. Ollie Whitehouse, CTO of the UK’s National Cyber Security Centre (NCSC), emphasized that “End-of-life technology presents a significant risk for organizations.” He strongly advised network defenders to adhere to Cisco’s remediation guidance and migrate from outdated systems to supported, modern versions to bolster their security posture.

Cisco has outlined a clear path for remediation. The recommended long-term solution is for customers to upgrade to a fixed software release that addresses the exploited vulnerabilities. As an immediate, temporary measure, organizations can disable all SSL/TLS-based VPN web services, including both IKEv2 client services and SSL VPN functionalities. For any device suspected of compromise, Cisco advises treating all its configuration elements as untrusted.

In response to the threat, the NCSC has released a joint advisory with international partners, providing in-depth analysis of the associated malware, identified as Line Dancer and Line Runner. Simultaneously, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive requiring federal agencies to inventory all Cisco ASA and Firepower devices, perform forensic analysis using CISA tools, disconnect end-of-support hardware, and promptly upgrade any devices remaining in service.
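The inventory-and-triage step above can be scripted. The following is an added example, not Cisco or CISA tooling: it sorts a fleet into the article's three remediation buckets (disconnect platforms without Secure Boot, upgrade newer platforms, and disable exposed VPN web services in the meantime). It assumes that `show version` reports the platform as `Hardware:   ASA5525, ...` and that SSL VPN and IKEv2 client services are enabled by `enable <iface>` under `webvpn` and by `crypto ikev2 enable <iface> client-services`; the sample captures are constructed.

```python
import re

# Platforms the article reports as successfully compromised: ASA 5500-X models
# without Secure Boot / Trust Anchor, where ROMMON could be modified for persistence.
NO_SECURE_BOOT = {"ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585"}
# Newer 5500-X models with Secure Boot / Trust Anchor; no persistent implant observed.
SECURE_BOOT = {"ASA5506", "ASA5516"}

# Assumed output/config formats (not taken from the article).
HARDWARE_RE = re.compile(r"^Hardware:\s+(ASA\d{4})", re.M)
VERSION_RE = re.compile(r"Software Version (\S+)")
WEBVPN_RE = re.compile(r"^webvpn\n(?: .*\n)*? enable (\S+)", re.M)   # SSL VPN on iface
IKEV2_RE = re.compile(r"^crypto ikev2 enable (\S+) client-services", re.M)


def triage(hostname, show_version, running_config):
    """Classify one ASA into a remediation priority following the article's guidance."""
    hw = HARDWARE_RE.search(show_version)
    model = hw.group(1) if hw else "UNKNOWN"
    ver = VERSION_RE.search(show_version)
    # Interfaces on which SSL/TLS-based VPN web services are reachable.
    exposed = sorted({m.group(1) for m in WEBVPN_RE.finditer(running_config)}
                     | {m.group(1) for m in IKEV2_RE.finditer(running_config)})
    if model in NO_SECURE_BOOT:
        priority, action = 1, "disconnect; treat config as untrusted; preserve for forensics"
    elif model in SECURE_BOOT:
        priority, action = 2, "upgrade to fixed release"
    else:
        priority, action = 3, "confirm platform and Secure Boot support"
    if exposed and priority > 1:
        action += "; until then disable VPN web services on " + ",".join(exposed)
    return {"host": hostname, "model": model, "version": ver.group(1) if ver else None,
            "vpn_web_interfaces": exposed, "priority": priority, "action": action}


def triage_fleet(fleet):
    """Triage (hostname, show_version, running_config) tuples, most urgent first."""
    return sorted((triage(*dev) for dev in fleet), key=lambda d: d["priority"])


# Constructed sample captures for two devices (not real output).
SAMPLE_FLEET = [
    ("branch-fw-2",
     "Cisco Adaptive Security Appliance Software Version 9.16(4)\n"
     "Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz\n",
     "webvpn\n enable outside\n"),
    ("edge-fw-1",
     "Cisco Adaptive Security Appliance Software Version 9.12(4)67\n"
     "Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2400 MHz\n",
     "webvpn\n enable outside\n anyconnect enable\n"
     "crypto ikev2 enable outside client-services port 443\n"),
]

if __name__ == "__main__":
    for dev in triage_fleet(SAMPLE_FLEET):
        print(f"[P{dev['priority']}] {dev['host']} {dev['model']} {dev['version']}: {dev['action']}")
```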

(Source: Info Security)
