Date: 2025-09-29

Attacks exploiting the Cisco Adaptive Security Appliance zero-days CVE-2025-20362 and CVE-2025-20333 deployed the newly emergent RayInitiator and LINE VIPER malware strains as part of a more sophisticated and clandestine campaign, according to the UK's National Cyber Security Centre, Security Affairs reports. The persistent multi-stage RayInitiator bootkit is injected into Cisco ASA 5500-X firewalls without secure boot, primarily those that have reached end-of-life, and is followed by the retrieval of the LINE VIPER malware, which leverages unique tokens and RSA keys for data exfiltration, network traffic capturing, authentication control evasion, and deferred reboots, according to the NCSC. "All observed targeted models have either passed their last day of support, or the last date is September 30, 2025," said the NCSC, which called for prompt adherence to the recommendations provided by Cisco. The development comes after intrusions involving both flaws were associated with the ArcaneDoor attack campaign over a year ago.
NCSC: Novel payloads delivered using Cisco firewall zero-days
