Cisco Firewall Zero-Days Let Hackers Install Permanent Spyware
State-sponsored hackers have been exploiting previously unknown, critical flaws in Cisco firewalls to take over networks and install highly advanced malware that can survive reboots and software updates. The U.K.’s National Cyber Security Centre (NCSC) and Cisco have released urgent warnings about an active campaign targeting government agencies and other organizations, using sophisticated tools that mark a significant leap in the attackers’ capabilities.
The attack campaign, dubbed “ArcaneDoor,” has been attributed to a hacking group with suspected links to China, known as UAT4356 or Storm-1849. These aren’t random attacks; they are targeted, well-funded operations designed to gain a long-term, invisible foothold inside critical networks. The hackers are using brand-new malware families, named RayInitiator and LINE VIPER, which security experts say are a major evolution in stealth and complexity.
How the Hackers Are Breaking In
The core of the attack relies on exploiting two security holes in Cisco’s Adaptive Security Appliance (ASA) software that were “zero-days,” meaning the attackers were using them in the wild before anyone knew they existed. These vulnerabilities, identified as CVE-2025-20362 and CVE-2025-20333, allow an attacker to bypass security checks and run their own malicious code on the vulnerable firewalls.
Cisco revealed that it started investigating these breaches in May 2025 after discovering attacks against government networks. The hackers specifically targeted older Cisco ASA 5500-X series firewalls that had VPN web services turned on. By exploiting these flaws, they could implant malware, issue commands, and steal data directly from the compromised devices, which sit at the very edge of a target’s network.
To make matters worse, the attackers employed advanced techniques to cover their tracks. According to Cisco, they were observed disabling security logs, intercepting commands entered by system administrators, and even intentionally crashing the firewalls to frustrate any attempts to investigate the breach. This combination of stealth and aggression allowed them to operate undetected for a significant period.
A New Generation of Permanent Malware
Once inside, the hackers deploy a two-part malware system designed for ultimate stealth and persistence. The first stage, RayInitiator, is a “bootkit.” Instead of just infecting the firewall’s software, it digs deep into the device’s startup process, modifying the very code that runs when the machine first powers on (known as ROMMON). By doing this, RayInitiator becomes a permanent fixture. It can survive system reboots, and even complete firmware upgrades won’t remove it. This level of persistence is incredibly rare and difficult to combat.
After RayInitiator has secured its position, it activates the second stage: LINE VIPER. This is the main intelligence-gathering tool. The NCSC describes it as far more comprehensive than malware seen in previous campaigns. LINE VIPER gives the attackers a powerful set of capabilities, including:
- Executing any command on the firewall.
- Capturing and spying on network traffic passing through the device.
- Bypassing VPN authentication for the hackers’ own connections.
- Deleting log messages to hide all malicious activity.
- Stealing commands typed by legitimate administrators.
- Forcing the device to reboot on a delay to disrupt operations or forensics.
LINE VIPER communicates with the hackers’ command-and-control servers using hidden channels, either by piggybacking on legitimate VPN traffic or by using subtle network protocols that are unlikely to raise alarms.
Outdated Hardware is the Primary Target
A crucial detail in this campaign is the hardware being targeted. The hackers have focused on Cisco ASA 5500-X Series models that lack modern security features like Secure Boot. Troublingly, all of the affected models have either already reached their end-of-support date or are about to. The support for models 5525-X, 5545-X, and 5555-X is scheduled to end on September 30, 2025—just days from now. This serves as a stark reminder that using old, unsupported hardware is a massive security risk.
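The article's description of the targeted profile (an ASA 5500-X model, which lacks Secure Boot, with VPN web services enabled, and an end-of-support date that is past or imminent) can be turned into a simple inventory triage. The script below is an added example, not code from the article, Cisco or the NCSC; the device output it parses is constructed to resemble ASA `show version` and `show running-config` lines, and the exact line formats are an assumption.

```python
import re
from datetime import date

# Constructed sample output per device, modelled on ASA "show version" and
# "show running-config" lines; the formats are an assumption, not from the article.
SAMPLE_DEVICES = {
    "fw-edge-01": "Cisco Adaptive Security Appliance Software Version 9.12(4)\n"
                  "Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz\n"
                  "webvpn\n enable outside\n anyconnect enable\n",
    "fw-edge-02": "Cisco Adaptive Security Appliance Software Version 9.16(4)\n"
                  "Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz\n"
                  "interface GigabitEthernet1/1\n nameif outside\n",
    "fw-core-03": "Cisco Adaptive Security Appliance Software Version 9.20(3)\n"
                  "Hardware:   FPR-2110, 6 GB RAM\n"
                  "webvpn\n enable outside\n",
}

# End-of-support dates the article gives; it says the other 5500-X models are
# already past end of support, so they carry no date here.
END_OF_SUPPORT = {m: date(2025, 9, 30) for m in ("ASA5525", "ASA5545", "ASA5555")}
LEGACY_5500X = re.compile(r"ASA55\d\d")  # ASA 5500-X family: no Secure Boot, per the article

def webvpn_enabled(config):
    """True when a 'webvpn' block contains an 'enable <interface>' line (VPN web services on)."""
    block = re.search(r"^webvpn\n((?:[ \t]+.*\n?)*)", config, re.M)
    return bool(block and re.search(r"^\s+enable\s+\S+", block.group(1), re.M))

def triage(text, today):
    """Classify one device by the risk factors the article names for this campaign."""
    hw = re.search(r"^Hardware:\s+([^,\s]+)", text, re.M)
    model = hw.group(1) if hw else "unknown"
    legacy = bool(LEGACY_5500X.fullmatch(model))
    eos = END_OF_SUPPORT.get(model)
    days_left = (eos - today).days if eos else None  # None: no date given by the article
    vpn = webvpn_enabled(text)
    if legacy and vpn:
        priority = "critical"   # exactly the targeted profile: 5500-X with VPN web services on
    elif legacy:
        priority = "high"       # unsupported hardware without Secure Boot; plan replacement
    else:
        priority = "patch"      # supported platform: apply Cisco's fixed release
    return {"model": model, "legacy_5500x": legacy, "webvpn": vpn,
            "days_to_end_of_support": days_left, "priority": priority}

def triage_all(devices, today):
    return {name: triage(text, today) for name, text in devices.items()}

if __name__ == "__main__":
    for name, result in triage_all(SAMPLE_DEVICES, date(2025, 9, 25)).items():
        print(name, result)
```

Feed it real `show version` and `show running-config` captures keyed by hostname to get a prioritised list of which firewalls to patch first and which to retire.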
In addition to the two zero-day flaws, Cisco has also patched a third critical vulnerability (CVE-2025-20363) found during the investigation. While there is no evidence that this flaw has been used by hackers yet, it could also allow an attacker to completely compromise a device.
Cybersecurity agencies worldwide, including the Canadian Centre for Cyber Security, are urging all organizations to take immediate action. The primary advice is to update Cisco ASA and other related products to the latest patched versions as soon as possible to protect against this sophisticated and ongoing threat.