A new and sophisticated cyber threat campaign targeting Cisco devices in recent weeks has sent shockwaves through the cybersecurity industry. Now referred to as the ArcaneDoor threat cluster, this operation takes advantage of two vulnerabilities in Cisco devices, CVE-2025-20362 and CVE-2025-20333. The cyber espionage campaign is attributed to a suspected China-linked hacking group tracked as UAT4356, also known as Storm-1849, which is employing increasingly sophisticated methods to circumvent authentication protections and run harmful code.
The vulnerabilities abused in this campaign carry CVSS scores of 6.5 and 9.9, respectively. Attackers capitalize on these weaknesses to compromise exposed devices, and the access they gain lets them deploy yet more potent malware. The National Cyber Security Centre (NCSC) and Cisco have released emergency advisories about the dangers posed by this campaign, underscoring how sophisticated and dangerous the attackers’ methods have become.
ArcaneDoor’s Advanced Malware Arsenal
At the forefront of this campaign are two significant pieces of malware: RayInitiator and LINE VIPER. RayInitiator is a persistent GRand Unified Bootloader (GRUB) bootkit. Once flashed onto a victim device, it survives not only reboots but full firmware upgrades. That persistence means attackers can keep a longer-term hand on the wheel of compromised devices, further increasing their operational power.
LINE VIPER complements RayInitiator as an in-memory implant that is loaded once the bootkit is active. This malware is a jack of all trades: its capabilities include executing Command Line Interface (CLI) commands, capturing network packets, and bypassing VPN Authentication, Authorization and Accounting (AAA) on target devices.
“The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection,” – NCSC
LINE VIPER uses techniques to suppress the system log messages that would reveal its activity and to record target users’ CLI commands, and it can trigger delayed reboots on infected devices. The malware communicates with its command-and-control (C2) server in two ways: over WebVPN client authentication sessions on HTTPS, or via Internet Control Message Protocol (ICMP) requests with responses sent over raw TCP. This two-channel communication gives the malware considerable stealth and flexibility.
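The ICMP-then-raw-TCP channel described above implies an unusual order of contact for a firewall: an external host pings the device, and the device then opens a TCP connection back to that host. The following heuristic, an added example that is not from the article, the NCSC or Cisco, correlates constructed flow records to flag exactly that pattern; the addresses (RFC 5737 documentation ranges), timings, port and the five-minute `window` are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample: the firewall's outside interface address (documentation range).
FIREWALL = "198.51.100.1"


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str            # "icmp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None


def find_icmp_tcp_pairs(flows: List[Flow], firewall: str = FIREWALL,
                        window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, datetime, datetime]]:
    """Return (external_host, icmp_time, tcp_time) for every case where an external host
    sent ICMP to the firewall and the firewall then initiated TCP back to that host within
    `window`. Firewalls rarely open outbound TCP to arbitrary hosts, so a hit is worth triage."""
    ordered = sorted(flows, key=lambda f: f.ts)
    icmp_by_src = {}
    for f in ordered:
        if f.proto == "icmp" and f.dst == firewall:
            icmp_by_src.setdefault(f.src, []).append(f.ts)
    hits = []
    for f in ordered:
        if f.proto == "tcp" and f.src == firewall and f.dst in icmp_by_src:
            for t_icmp in icmp_by_src[f.dst]:
                if timedelta(0) <= f.ts - t_icmp <= window:   # TCP must follow the ICMP closely
                    hits.append((f.dst, t_icmp, f.ts))
                    break
    return hits


def demo_flows() -> List[Flow]:
    """Constructed flow records, not real telemetry."""
    base = datetime(2025, 9, 25, 10, 0, 0)
    return [
        Flow(base, "icmp", "203.0.113.7", FIREWALL),                              # external ping
        Flow(base + timedelta(seconds=40), "tcp", FIREWALL, "203.0.113.7", 8443),  # firewall calls back
        Flow(base + timedelta(minutes=1), "icmp", "203.0.113.9", FIREWALL),       # ping, no follow-up
        Flow(base + timedelta(minutes=2), "tcp", "192.0.2.5", FIREWALL, 443),     # normal inbound HTTPS
        Flow(base + timedelta(hours=2), "tcp", FIREWALL, "203.0.113.9", 80),      # outside the window
    ]


if __name__ == "__main__":
    for host, t_icmp, t_tcp in find_icmp_tcp_pairs(demo_flows()):
        print(f"suspect: {host} pinged firewall at {t_icmp:%H:%M:%S}, TCP back at {t_tcp:%H:%M:%S}")
```

Real deployments would feed this from NetFlow or firewall connection logs and tune `window` to the observed beacon interval; an allow-list of management hosts keeps legitimate monitoring from triggering it.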
The Implications of Exploiting Vulnerabilities
When vulnerabilities in Cisco devices are exploited, the danger extends not only to the affected organizations but to everyone who depends on these systems for security. According to Cisco, “Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis.”
The vulnerabilities exploited by ArcaneDoor let attackers send specially crafted HTTP requests to web services hosted on affected devices. They can collect sensitive information about their target environments, which in turn helps them work around the exploit mitigations built in by the device maker.
“An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both,” – Cisco
The consequences of these attacks go well beyond the immediate device compromise: they undermine the core of network security for enterprises that depend on Cisco ASA products, devices that are central to protecting sensitive data and maintaining continuity of operations.
Evolving Techniques and Increased Sophistication
The ArcaneDoor campaign is a prime example of how cyberattack methodologies are evolving. The introduction of persistent bootkits such as RayInitiator marks a clear jump in actor sophistication, and the deployment of LINE VIPER alongside these tools highlights the trend toward more advanced evasion tactics.
The NCSC’s analysis finds that the actor’s operational security has improved compared with earlier campaigns, a troubling development for the cybersecurity community. “The deployment of LINE VIPER via a persistent bootkit, combined with a greater emphasis on defence evasion techniques, demonstrates an increase in actor sophistication and improvement in operational security compared to the ArcaneDoor campaign publicly documented in 2024,” the NCSC reported.
For any organization that uses Cisco devices in its infrastructure, this is a reminder to remain vigilant: systems must be kept up to date, with the necessary security patches applied, to reduce the risk from such vulnerabilities.