ArcaneDoor, a state-backed cluster, is actively exploiting multiple Cisco ASA/FTD zero-day vulnerabilities and deploying firmware-level implants to achieve long-term, persistent access to network edge devices, marking a strategic evolution in cyber espionage tradecraft.

CYBER INSIGHTS, OCT 06, 2025

Overview

ArcaneDoor, a state-level actor cluster, is now directly observed exploiting Cisco ASA/FTD vulnerabilities, including CVE-2025-20363, in live operations. What began as reconnaissance and mass scanning has escalated into weaponized exploitation with custom malware implants designed to persist through reboots and upgrades. Attackers are actively using compromised appliances as durable footholds on the network edge, enabling both covert access and long-term espionage. The tradecraft documented in intrusions includes token harvesting, unauthenticated probing of VPN portals, disabling or tampering with logging, intentionally crashing devices to obstruct forensics, and modifying the ROMMON/bootloader to ensure persistence. These techniques point to an intention to maintain durable control rather than achieve short-lived disruption. Targeting edge devices grants adversaries privileged visibility into VPN sessions, management planes, and internal networks, making them exceptionally valuable for surveillance and for staging further intrusions. This campaign underscores the evolution of the threat from simple exploitation to advanced persistence, now attributed to state-backed operators.

Key Findings

  • ArcaneDoor, a state-level threat actor, is now confirmed to be exploiting Cisco ASA/FTD vulnerabilities, including CVE-2025-20363, in live operations.
  • Attackers have deployed firmware-level implants that persist through reboots and upgrades, signaling advanced tradecraft and long-term espionage objectives.
  • Observed tactics include token harvesting, log tampering, forced device crashes, and modifications to the ROMMON/bootloader to obstruct forensics and maintain persistence.
  • All three vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) are now confirmed to be in active use, significantly increasing the operational risk profile.
  • Immediate Actions: Upgrade all Cisco ASA/FTD devices to the latest patched versions and disconnect unsupported hardware immediately. Conduct forensic reviews for persistence, focusing on ROMMON integrity, unexplained device crashes, and signs of disabled logging.

1.0 Threat Overview

1.1 Historical Context

The exploitation of Cisco ASA/FTD vulnerabilities represents not an isolated incident but a continuation of a broader trend: the systematic reconnaissance and targeting of Cisco edge appliances by advanced adversaries. For years, Cisco firewalls and VPN gateways have been high-value targets because they sit at the perimeter, manage encrypted traffic, and offer privileged access into enterprise networks. Adversaries have routinely probed these devices for misconfigurations, default credentials, and unpatched software flaws. What has shifted with the recent campaign is the move from opportunistic exploitation to deliberate, state-backed intrusion efforts designed to achieve persistence and long-term espionage objectives.

ArcaneDoor, a state-aligned threat actor cluster also tracked as UAT4356 / Storm-1849, was first identified by Cisco Talos and external partners during investigations into earlier ASA intrusions. Attribution stems from a combination of factors: the use of novel firmware-level implants not previously observed in criminal operations, infrastructure overlaps across campaigns, and tradecraft consistent with long-term, resource-backed intelligence collection rather than monetization. Cisco assessed with high confidence that the same operators were responsible for the April 2024 ArcaneDoor campaign, which deployed custom malware frameworks (e.g., Line Dancer and Line Runner) on ASA devices. The reappearance of nearly identical techniques—log tampering, ROMMON manipulation, persistence through reboots—now linked to exploitation of CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 confirms continuity of actor involvement.

These findings demonstrate that ArcaneDoor is not conducting opportunistic exploitation but rather a strategic, ongoing campaign against Cisco perimeter devices. The timeline of reconnaissance, zero-day exploitation, and firmware-level persistence reflects state objectives: durable access, covert surveillance of VPN sessions, and a staging point for future operations. This progression highlights a clear escalation from scanning and probing to fully weaponized exploitation linked to a known advanced actor.

1.2 Technique Breakdown

ArcaneDoor’s exploitation of the ASA/FTD vulnerabilities is not limited to straightforward proof-of-concept requests against a web service; operators are chaining web-facing flaws into interactive, hands-on intrusions that culminate in firmware-level implants and persistent edge footholds. They combine automated discovery with tailored exploitation, rapid credential/token harvesting, and post-exploit hardening steps that defeat many standard remediation workflows.

Taken together, these technique elements show a deliberate escalation from network-scale discovery to surgical, long-term control of perimeter devices. Detection and containment require validating boot integrity and firmware, not just patching software; remediation must account for potential ROMMON/boot modifications and may necessitate full appliance rebuilds when compromise is confirmed.

Attack Chain Methodology

Stage 1: Initial Unauthenticated Reach
Operators send crafted HTTP(S) requests to restricted endpoints that normally require authentication. This stage is used to elicit application behavior, fingerprint server-side logic, expose tokens, cookies, or session metadata, and sometimes to trigger session leakage or predictable error responses that can be used for next-stage actions.
Associated CVEs: CVE-2025-20362
Attack Objectives:
  • Elicit application behavior and fingerprint server-side logic
  • Expose tokens, cookies, or session metadata
  • Trigger session leakage or predictable error responses
  • Gather intelligence for next-stage exploitation

Stage 2: Token Harvesting and Session Pivot
When initial requests expose session tokens or cookies (or enable session fixation), operators replay or pivot those tokens to gain an authenticated context against the VPN portal without valid credentials. Harvested tokens are abused to enumerate connected users and session state, enabling targeted access to active VPN tunnels.
Attack Techniques: Token replay and session pivoting to establish an authenticated context without valid credentials.
Attack Objectives:
  • Replay or pivot exposed session tokens and cookies
  • Gain authenticated context without valid credentials
  • Enumerate connected users and session state
  • Target active VPN tunnels for unauthorized access

Stage 3: Authenticated or Direct RCE
With a valid VPN context (or via the unauthenticated RCE vector), exploit payloads are delivered that execute commands on the appliance as root. Payloads are staged to avoid obvious disk artifacts: command sequences, staged shellcode in memory, or compact native binaries executed from temp/process memory.
Associated CVEs: CVE-2025-20333, CVE-2025-20363
Evasion Techniques: Payloads staged in memory to avoid disk artifacts - command sequences, shellcode, or compact native binaries executed from temporary or process memory.
Critical Impact: Root-level command execution on the VPN appliance, enabling full system compromise.

Stage 4: Firmware/ROMMON Manipulation for Persistence
Rather than rely solely on scheduled jobs, attackers modify boot components (ROMMON or bootloader), inject custom firmware modules, or alter startup scripts so implants survive reboots and nominal software upgrades. These changes are accompanied by integrity tampering to hide modifications from basic validation checks.
Persistence Mechanisms: Boot component modification, firmware injection, and startup script alteration with integrity tampering to evade detection.
Persistence Objectives:
  • Modify boot components (ROMMON or bootloader)
  • Inject custom firmware modules
  • Alter startup scripts for implant survival
  • Tamper with integrity checks to hide modifications
Long-Term Impact: Implants survive reboots and software upgrades, establishing deep, persistent access that evades standard remediation.

1.3 Affected Systems

Cisco Products: Vulnerability Impact

Cisco Secure Firewall Adaptive Security Appliance (ASA), physical and virtual (ASAv)
Affected Versions: Vulnerable ASA software releases where webvpn/AnyConnect or VPN web services are enabled (pre-fix releases prior to the vendor's First Fixed release).
Security Impact: Primary attack surface for CVE-2025-20362/20333; internet-facing portals enable unauthenticated reconnaissance, token harvesting, and RCE chains.
Critical Exposure: Internet-facing VPN portals represent the primary attack surface for multi-stage exploitation chains.

Cisco Secure Firepower Threat Defense (FTD), next-generation firewall platform
Affected Versions: Vulnerable FTD releases with webvpn/remote-access VPN enabled.
Security Impact: Common in modern deployments; successful exploitation can lead to full appliance takeover and lateral pivoting into internal networks.
Deployment Context: Widely deployed in modern enterprise environments as a next-generation firewall platform.
Lateral Movement Risk: Appliance compromise enables attackers to pivot into protected internal networks, bypassing perimeter security controls.

Cisco ASA Firmware on Firepower Series (Firepower 2100 / 4100 / 9300)
Affected Versions: ASA firmware images on these Firepower chassis when VPN/web services are present and not updated to fixed builds.
Security Impact: High-throughput perimeter hardware: compromise yields broad visibility of VPN sessions and elevated access to the management plane.
Hardware Context: Enterprise-grade high-throughput platforms deployed at the network perimeter for critical security functions.
Management Plane Access: Compromise of these high-capacity platforms provides attackers with extensive VPN session visibility and privileged management plane access.

Cisco IOS / IOS XE / IOS XR, router operating systems
Affected Versions: Web services components in affected IOS variants (pre-fix releases).
Security Impact: Expands risk to routing platforms; provides an additional unauthenticated RCE path (CVE-2025-20363) on some devices.
Expanded Attack Surface: The vulnerability extends beyond firewall appliances to core routing infrastructure platforms.
Infrastructure Risk: Routing platform compromise enables network-wide traffic manipulation and comprehensive infrastructure control.


2.0 Threat Actor Utilization

ArcaneDoor and closely affiliated operators are the primary actors observed in confirmed intrusions that leverage the Cisco ASA/FTD vulnerabilities. These operators combine automated internet scanning with deliberate, hands-on exploitation: they move quickly from unauthenticated endpoint probing to token harvesting, weaponized exploit chains that trigger remote code execution, and firmware/bootloader implantation for long-term persistence. Opportunistic criminal groups and lower-sophistication affiliates have also been seen reusing publicly released exploit code to attempt quick wins (credential theft, temporary access, or ransomware staging), but the most consequential activity—ROMMON modification, log tampering, and sustained interception of VPN sessions—tracks to ArcaneDoor-level tradecraft and intent.

Threat Actor Attribution & Tactical Analysis

ArcaneDoor (State-Aligned Cluster)
Technique Applied: Multi-stage exploitation chain: 1) Reconnaissance of AnyConnect/WebVPN portals; 2) Token/session harvesting; 3) Chaining CVE-2025-20362 → CVE-2025-20333/20363 for RCE; 4) Firmware/ROMMON implant for persistence; 5) Log tampering and forced device crashes.
Attack Sequence:
  • AnyConnect/WebVPN portal reconnaissance
  • Token and session harvesting operations
  • CVE chain exploitation for RCE
  • Firmware/ROMMON implant deployment
  • Log tampering and device crash manipulation
Reported Evidence: Hands-on intrusions with custom implants, modified ROMMON, deliberate crash events, and disabled logging — consistent with long-term espionage operations.
Sophistication Assessment: Advanced persistent threat demonstrating deep technical capabilities, custom tooling development, and operational security consistent with state-sponsored espionage campaigns.

ArcaneDoor-Affiliated Operator Teams (Affiliated Operators)
Technique Applied: Rapid weaponization of exploit chains; memory-resident loaders; lateral credential and data harvesting operations.
Operational Characteristics:
  • Rapid exploit weaponization post-disclosure
  • Memory-resident loader deployment
  • Lateral credential harvesting
  • Targeted data collection operations
Reported Evidence: Observed burst exploitation activity after vulnerability disclosure; linked to reconnaissance logs and credential artifacts indicating coordinated operations.
Operational Pattern: Coordinated burst activity following vulnerability disclosure suggests organized operator teams with established infrastructure and shared tooling.

Opportunistic Criminal Groups (eCrime Affiliates)
Technique Applied: Mass scanning campaigns, exploit reuse from public sources, commodity malware payload deployment.
Criminal TTPs:
  • High-volume mass scanning operations
  • Public exploit code reuse
  • Commodity malware deployment
  • Short-lived intrusion cycles
Reported Evidence: High-volume, low-sophistication activity patterns; short-lived intrusions aimed at monetization through ransomware deployment or initial access resale.
Monetization Focus: Opportunistic exploitation focused on rapid monetization rather than persistent access - typical of commodity ransomware operators and access brokers.

Firmware-Persistence Specialists (Technical Specialists)
Technique Applied: ROMMON/bootloader tampering; firmware image modification; persistence mechanisms designed to survive system upgrades.
Specialized Capabilities:
  • ROMMON and bootloader modification
  • Firmware image tampering
  • Upgrade-resistant persistence mechanisms
  • Integrity check evasion techniques
Reported Evidence: Forensic analysis reveals non-standard firmware signatures and implants persisting after nominal software upgrades, indicating deep firmware-level compromise.
Technical Sophistication: Advanced firmware manipulation capabilities requiring deep hardware and low-level software expertise - consistent with specialized development teams.

3.0 Historical Exploit Timeline

The exploitation of Cisco ASA and FTD vulnerabilities has rapidly evolved over the past several weeks, shifting from reconnaissance to confirmed weaponization by state-backed actors. What began as mass scanning of VPN portals has escalated into chained exploitation, remote code execution, and firmware-level persistence attributed to ArcaneDoor. Tracking the timeline of these developments highlights not only the speed at which attackers adapted but also the increasing sophistication of their tradecraft, underscoring why immediate patching and thorough forensics are essential.

Incident Timeline

Early–Mid September 2025: Reconnaissance Phase
Automated reconnaissance and fingerprinting activity observed against internet-facing AnyConnect/WebVPN endpoints in the weeks prior to disclosure.
Operational Impact: Increased attacker awareness of reachable targets; enabled rapid exploitation once proof-of-concepts surfaced.

2025-09-25: Public Disclosure
Cisco released security advisories and patched builds for ASA/FTD products; exploitation attempts already observed in the wild.
Disclosed Vulnerabilities: CVE-2025-20333, CVE-2025-20362
Operational Impact: Immediate patching imperative; exposed vulnerability window for unpatched devices as exploitation details became public.

2025-09-25 → 2025-09-29: Active Exploitation
Rapid shift from scanning to active exploitation: unauthenticated probes, token harvesting operations, and VPN context acquisition observed across multiple targets.
Operational Impact: Extremely short timeframe for attackers to pivot from vulnerability discovery to hands-on intrusion activity.
Rapid Weaponization: Four-day window from disclosure to widespread exploitation demonstrates pre-positioning and rapid weaponization capabilities.

2025-09-29: Exploitation Confirmed
Additional Cisco RCE vulnerability moved from "high risk" to confirmed exploitation status; forensic evidence linked exploitation to advanced firmware implant deployment.
Confirmed Exploited: CVE-2025-20363
Operational Impact: Attack surface doubled: multiple remote code execution vectors weaponized and actively exploited in coordinated campaigns.
Expanded Attack Surface: Multiple RCE vectors provide attackers with redundant exploitation paths and increased likelihood of successful compromise.

Late Sept – Early Oct 2025: Attribution
Confirmed cases demonstrate ArcaneDoor tradecraft: exploit chaining → remote code execution → firmware implants, with crash and log tampering operations.
Operational Impact: Attribution demonstrates targeted, long-term espionage objectives consistent with state-sponsored threat actor operations.
State-Sponsored Activity: ArcaneDoor attribution indicates a sophisticated, well-resourced threat actor with strategic intelligence collection objectives.

Late Sept – Early Oct 2025: Persistence Established
Implants discovered surviving software upgrades and system reboots via modified ROMMON and firmware image manipulation.
Operational Impact: Elevated recovery costs: full system rebuilds or hardware replacement may be required to ensure complete remediation.
Deep Persistence: Firmware-level compromise survives standard remediation procedures, requiring extensive recovery operations and potential hardware replacement.

Ongoing: Opportunistic Activity
Criminal actors reusing publicly available exploits at scale; short-lived access attempts focused on rapid monetization.
Operational Impact: Increased scanning noise and credential theft risk, though lower persistence rates achieved compared to targeted operations.

Current: Response & Mandates
CISA directives and vendor guidance accelerate patching and investigation requirements for affected organizations.
Operational Impact: Time-boxed remediation windows with regulatory compliance requirements; significant exposure risk if mandated deadlines are missed.
Regulatory Requirements: Federal agencies and critical infrastructure operators subject to mandatory patching timelines and incident reporting obligations.

4.0 Risk and Impact

The active exploitation of CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 now presents a critical operational and strategic risk. With ArcaneDoor and affiliated actors confirmed to be deploying firmware-level implants, these flaws no longer represent short-term access vectors but enable long-term, covert persistence at the network edge. Exploitation allows full device takeover, interception of VPN traffic, disabling of logging, and resilience against standard remediation efforts, giving adversaries deep visibility into internal networks. Organizations should treat unexplained device crashes, disabled logging, abnormal VPN session behavior, or unauthorized ROMMON/bootloader changes as potential indicators of compromise.

5.0 Recommendations for Mitigation

5.1 Apply Cisco Fixed Software Updates

  • Ensure all ASA/FTD appliances are upgraded to the patched builds released on September 25, 2025. Use Cisco’s Software Checker to confirm your environment is on the “First Fixed” release.
  • Disconnect unsupported or end-of-life ASA hardware (e.g., 5500-X series past September 30, 2025) as these devices cannot be secured.
  • After the upgrade, perform a ROMMON/firmware hash validation to ensure that patched systems have not inherited persistence implants during the patching process.

5.2 Audit for Firmware Persistence

  • Conduct integrity checks of ROMMON and bootloader code to ensure attackers have not modified persistent components.
  • Validate secure boot states and ensure the chain of trust from hardware to software remains intact. Compare current device firmware against trusted gold images stored offline.
  • Run memory forensics on ASA/FTD images post-upgrade to detect hidden implants or modified runtime modules.

5.3 Harden VPN/Web Portals

  • Restrict VPN/WebVPN service exposure using IP allowlisting, geofencing, or dedicated jump networks.
  • Relocate administrative interfaces off public internet where feasible; ensure they exist only on segmented management networks. Disable WebVPN features if not strictly required, and enforce encrypted management channels only.
  • Implement TLS inspection and certificate pinning for VPN portals to prevent adversaries from inserting malicious certificates or spoofing trusted endpoints.

5.4 Limit Attack Surface in Edge Devices

  • Identify and disable unneeded ASA/FTD features such as outdated SSL modules, unused VPN services, or redundant client support modules.
  • Remove unnecessary plug-ins and scripts, reducing exploitable surface area. Implement strict ACLs on interfaces to filter unnecessary inbound/outbound traffic at the edge.
  • Deploy out-of-band firewalls or internal segmentation gateways to isolate ASA/FTD appliances from critical systems in case of compromise.

5.5 Conduct Forensic Validation After Updates

  • After patching, forward device logs to external, append-only repositories to prevent tampering.
  • Rotate all administrative and VPN credentials, including certificates and API keys associated with the device. Review device configurations for unauthorized changes, disabled logging, or hidden accounts.
  • Run differential configuration analysis across multiple snapshots to identify subtle backdoor entries or hidden commands injected by attackers.
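One way to run the differential configuration analysis described above, as an added example that is not part of the original report and not Cisco tooling: it compares a trusted ASA configuration snapshot against a later one and labels the change types this report associates with tampering (logging removed, new local accounts, a changed boot image, management services newly reachable on the outside interface). Both snapshots, the hostname, image names and account names are constructed sample data.

```python
"""Differential analysis of Cisco ASA configuration snapshots (added example).

Compares a baseline snapshot with a later one and labels suspicious changes.
The configs below are constructed sample data, not captures from a real device.
"""
import re

# Constructed baseline snapshot taken before the incident window (sample data).
BASELINE_CFG = """\
hostname edge-fw01
boot system disk0:/asa-image-gold.bin
username netadmin password <hash> privilege 15
logging enable
logging host inside 10.10.5.20
http server enable
http 10.10.5.0 255.255.255.0 management
webvpn
 enable outside
"""

# Constructed later snapshot containing the kinds of changes to look for (sample data).
CURRENT_CFG = """\
hostname edge-fw01
boot system disk0:/asa-image-unknown.bin
username netadmin password <hash> privilege 15
username svc_backup password <hash> privilege 15
logging host inside 10.10.5.20
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.5.0 255.255.255.0 management
webvpn
 enable outside
"""

# (direction, pattern, label): how a removed ("-") or added ("+") line is classified.
RULES = [
    ("-", re.compile(r"^logging "), "logging_removed"),
    ("-", re.compile(r"^boot system "), "boot_image_changed"),
    ("+", re.compile(r"^boot system "), "boot_image_changed"),
    ("+", re.compile(r"^username "), "account_added"),
    ("+", re.compile(r"^(http|ssh|telnet) .* outside$"), "management_exposed_outside"),
]


def parse_config(text):
    """Return the set of meaningful config lines. Leading indentation is kept
    because ASA sub-commands (e.g. ' enable outside' under webvpn) are indented."""
    lines = set()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("!", ":")):
            continue  # skip blanks, comments and ': Saved'-style metadata
        lines.add(line)
    return lines


def classify(direction, line):
    """Map one changed line to a finding label; unmatched changes are still reported."""
    for rule_dir, pattern, label in RULES:
        if rule_dir == direction and pattern.search(line):
            return label
    return "unclassified_change"


def diff_configs(baseline, current):
    """Return [(label, direction, line), ...] for every line that differs between
    the two snapshots: removed lines first, then added lines, each in sorted order."""
    base, cur = parse_config(baseline), parse_config(current)
    findings = [(classify("-", ln), "-", ln) for ln in sorted(base - cur)]
    findings += [(classify("+", ln), "+", ln) for ln in sorted(cur - base)]
    return findings


if __name__ == "__main__":
    for label, sign, line in diff_configs(BASELINE_CFG, CURRENT_CFG):
        print(f"{sign} [{label}] {line}")
```

Feed it `show running-config` captures stored from several points in time; any `unclassified_change` still deserves a look, since the rule list only covers the change types named in this report.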

6.0 Hunter Insights

ArcaneDoor’s confirmed exploitation of Cisco ASA/FTD 0-day vulnerabilities indicates that threat actors are moving toward persistent, firmware-level compromise of network edge devices, using advanced implants that survive reboots and upgrades. In the near future, this trend will likely escalate, with state-backed and criminal groups increasingly adopting similar techniques to maintain durable control, enabling covert surveillance of VPN sessions and deeper access into enterprise environments.

As remediation becomes more complex—requiring not just patching but full forensic validation of firmware and ROMMON integrity—organizations should expect an increase in targeted campaigns against edge infrastructure, broader pivoting into internal networks, and potential copycat attacks that leverage public exploit code or reverse-engineered tradecraft. The shift toward long-term persistence and overt sabotage of device integrity highlights the need for continuous device integrity monitoring and aggressive segmentation of critical management networks to contain future intrusions.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.