Type: Campaign
Actors: STORM-1849
Pub. date: September 26, 2025
Initial access: 0-day vulnerability
Impact: Data exfiltration
Observed techniques: Vulnerability exploitation
Observed tools: RayInitiator, LINE VIPER
Targeted technologies: Cisco Adaptive Security Appliance (ASA)
References: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
Status: Finalized
Last edited: Sep 30, 2025 1:56 PM

Cisco has reported exploitation in the wild of two 0-day vulnerabilities affecting Cisco Adaptive Security Appliance (ASA), CVE-2025-20333 and CVE-2025-20362, allowing RCE and local privilege escalation, respectively. NCSC and CISA have corroborated these reports, noting the use of malware dubbed RayInitiator & LINE VIPER, and attributing the activity to the threat actor behind the ArcaneDoor campaign of early 2024. US federal agencies are required to remediate these vulnerabilities by September 26, 2025.