Threat Advisories

Cisco ASA Zero Day Under Active Exploitation: CISA Orders Emergency Mitigations; RayInitiator and LINE VIPER Detected

Written by Integrity360 | Sep 26, 2025 11:24:37 AM

Cisco has confirmed active exploitation of multiple vulnerabilities in the VPN/web services of Cisco Secure Firewall ASA and Secure Firewall Threat Defense (FTD). Threat actors chained a missing-authorization flaw with a separate web-service buffer overflow to achieve remote code execution and deploy persistent tooling. Government partners and national CERTs have supported the investigation and issued mitigations; CISA has published Emergency Directive ED 25-03 and added the exploited CVEs to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2025-20333 (CVSS 9.9) is a buffer-overflow RCE in the ASA/FTD VPN web server that requires valid VPN or web credentials, making it an authenticated remote code execution flaw. In the observed campaign, attackers combined it with CVE-2025-20362, a missing-authorization vulnerability, to reach restricted endpoints. This chaining produced effectively unauthenticated exploitation in practice, but it is important to emphasize that CVE-2025-20333 itself remains an authenticated flaw and should be treated as such for triage and exposure assessments.

CVE-2025-20362 (CVSS 6.5) is a missing-authorization vulnerability in the same web service family that allows access to restricted endpoints. It has been actively exploited in the wild and was the key enabler of the chaining attack observed.

CVE-2025-20363 (CVSS 9.0) is another web-services RCE affecting ASA/FTD as well as several IOS platforms. Cisco and other sources currently report differing CVSS values for this issue, so organizations should verify the authoritative CNA/NVD score before using it in severity assessments or publishing internal/external tables.

Operators in this campaign have deployed multi-stage tooling, including a boot-stage implant dubbed RayInitiator and a user-mode shellcode loader referred to as LINE VIPER. The UK NCSC reports that RayInitiator specifically targets ASA 5500-X series devices that do not implement Secure Boot or Trust Anchor. The models observed in attacks are either end-of-support or nearing end-of-support, and NCSC recommends replacement of these devices where possible. Importantly, ROM/ROMMON tampering has been observed only on 5500-X units lacking secure boot protections. 

After compromise, attackers have exhibited behaviors aimed at both persistence and anti-forensics. These include disabling or suppressing logging, intercepting or hooking CLI commands, and deliberately triggering crashes to obstruct investigation. Additionally, they bypass VPN AAA mechanisms, establish covert C2 channels via WebVPN sessions or abnormal ICMP/raw TCP responses, and maintain persistence across reboots on susceptible platforms. 


What you should do 

Identify exposure & isolate at-risk appliances immediately 

  • Inventory all ASA/FTD devices, VPN/web services enabled, OS versions, and whether devices support Secure Boot/Trust Anchor. Prioritize ASA 5500-X devices running legacy/EoS images that lack Secure Boot. 
  • Where feasible, remove Internet exposure to management/VPN portals, restrict access to allow-listed admin IPs, and place devices behind compensating controls (ACLs, WAF, jump hosts).

Patch and implement vendor/CISA mitigations on an emergency basis 

  • Apply Cisco’s fixed releases for CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) as a priority; address CVE-2025-20363 (CVSS 9.0) per Cisco advisories where relevant. If you cannot patch immediately, implement Cisco-recommended temporary mitigations.
  • Follow the CISA Emergency Directive ED 25-03 for federal agency requirements: consult the directive text and supplemental instructions for exact reporting and evidence collection steps rather than relying on paraphrased deadlines.

Hunt for compromise and ROM/boot integrity (pre- and post-patch) 

  • Look for disabled or truncated logging, anomalous crashes/reboots, CLI interception indicators, and unusual WebVPN session activity or ICMP/raw TCP channels. 
  • Validate boot integrity on ASA 5500-X units: verify ROMMON/bootloader hashes against vendor-trusted images. Where ROMMON/boot media tampering is found, rebuild from trusted media or replace hardware. NCSC observed ROM/boot modifications on 5500-X devices without Secure Boot. 
  • Hash-compare core binaries (e.g., lina) against trusted images and capture forensic images/core dumps per CISA supplemental guidance when crashes or suspicious behavior occur. 

Containment & recovery 

  • If compromise is suspected: isolate the device from networks, collect forensic artifacts, engage Cisco TAC/IR, rotate all device credentials and keys that transited the device, and consider hardware replacement if boot-stage persistence is confirmed. Verify Secure Boot/Trust Anchor before returning devices to service.

Hardening & monitoring 

  • Disable unused web/VPN services, segregate management onto out-of-band networks, forward immutable logs to a protected SIEM, and create detections for ROM/boot integrity drift, ASA binary tampering, stealthy CLI hooks, and anomalous WebVPN/ICMP behaviours.
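As an added illustration of the hash-comparison and log-hunting steps in the "Hunt for compromise" section and the detection bullet directly above, the following Python script is example code written for this bulletin; it is not Integrity360's or Cisco's tooling. It assumes the image/binary files and syslog have already been exported from the appliance to an analysis host. Every manifest hash, file name (other than lina, which the bulletin names) and syslog line in it is a constructed placeholder, not a real Cisco checksum or an observed indicator.

```python
"""Offline triage helpers for ASA/FTD integrity and log hunting (added example).

Assumptions (not from the advisory): image/binary files and syslog have been
exported from the appliance to an analysis host. Every hash, file name and log
line below is a constructed placeholder, not a real Cisco value or real IoC.
"""
import hashlib
import re
from pathlib import Path


# --- 1. Binary / boot-image integrity drift ---------------------------------

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a large image file through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_manifest(observed: dict, trusted: dict) -> dict:
    """Compare {name: sha256} seen on the device with a vendor-trusted manifest.

    Returns {name: 'ok' | 'MISMATCH' | 'MISSING' | 'UNEXPECTED'} so that drift
    in either direction (a tampered file, or an extra file that should not
    exist) surfaces for investigation.
    """
    verdict = {}
    for name, good in trusted.items():
        seen = observed.get(name)
        if seen is None:
            verdict[name] = "MISSING"
        elif seen.lower() == good.lower():
            verdict[name] = "ok"
        else:
            verdict[name] = "MISMATCH"
    for name in observed.keys() - trusted.keys():
        verdict[name] = "UNEXPECTED"
    return verdict


# Constructed placeholder manifest: replace with hashes from Cisco's published
# checksums. File names are illustrative; only 'lina' is named in the advisory.
TRUSTED_MANIFEST = {
    "asa-image.bin": sha256_bytes(b"placeholder trusted image"),
    "lina": sha256_bytes(b"placeholder trusted lina"),
}

# Constructed observation: the image matches, lina has drifted, and an
# unlisted file is present on the device.
OBSERVED_SAMPLE = {
    "asa-image.bin": sha256_bytes(b"placeholder trusted image"),
    "lina": sha256_bytes(b"placeholder tampered lina"),
    "unlisted.bin": sha256_bytes(b"placeholder unknown file"),
}


# --- 2. Syslog hunting for the behaviours described in the advisory ---------

# Each rule maps an indicator label to a regex applied to one syslog line.
HUNT_RULES = [
    # Logging disabled or redirected from the CLI (anti-forensics)
    ("logging-suppressed", re.compile(r"executed (the )?'no logging", re.I)),
    # AAA configuration changed (VPN AAA bypass)
    ("aaa-change", re.compile(r"executed (the )?'(no )?aaa ", re.I)),
    # Crash or reload (deliberate crashes to obstruct investigation); correlate
    # with change records, since planned maintenance also produces these.
    ("unexpected-reload", re.compile(r"\b(crash|crashinfo|reload)\b", re.I)),
]


def hunt(lines):
    """Return (line_number, label, line) for every syslog line matching a rule."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for label, rx in HUNT_RULES:
            if rx.search(line):
                hits.append((lineno, label, line.strip()))
    return hits


# Constructed sample lines in ASA syslog style; the IPs are documentation ranges.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51234 (198.51.100.7/51234) to identity:203.0.113.10/443 (203.0.113.10/443)
%ASA-5-111008: User 'enable_15' executed the 'no logging enable' command.
%ASA-5-111010: User 'admin', running 'CLI' from IP 198.51.100.7, executed 'no aaa authentication ssh console LOCAL'
%ASA-5-111008: User 'enable_15' executed the 'reload' command.
%ASA-6-113039: Group <VPNGRP> User <jdoe> IP <198.51.100.7> AnyConnect parent session started.
""".splitlines()


if __name__ == "__main__":
    for name, state in compare_manifest(OBSERVED_SAMPLE, TRUSTED_MANIFEST).items():
        print(f"{state:10} {name}")
    for lineno, label, line in hunt(SAMPLE_LOG):
        print(f"line {lineno}: {label}: {line}")
```

In practice the trusted manifest is populated from Cisco's published image checksums or values confirmed with TAC, and the observed hashes come from sha256_file over the exported files. The reload rule deliberately errs towards noise: a reload that matches a change ticket is benign, one that does not is exactly the crash-for-cover behaviour the bulletin describes, so the hits are meant to be correlated rather than acted on blind.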

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.