Stratos Ally

Cisco ASA Zero-Days Used to Deploy RayInitiator, LINE VIPER 


StratosAlly


The U.K. NCSC and Cisco warn that a state-linked campaign exploited recently disclosed Cisco firewall flaws as zero-days to deploy two novel implants, RayInitiator and LINE VIPER, against government and enterprise targets. Cisco began investigating the attacks in May 2025 after multiple Adaptive Security Appliance (ASA) 5500-X devices running VPN/WebVPN services were found to have been compromised, with attackers implanting malware, executing commands, and, in some cases, exfiltrating data.

Researchers say attackers chained zero-day bugs, CVE-2025-20362 (authentication bypass) and CVE-2025-20333 (remote code execution), and in many intrusions modified ROMMON on older ASA models that lack Secure Boot and Trust Anchor to achieve firmware-level persistence. RayInitiator is described as a multi-stage GRUB bootkit that survives reboots and firmware upgrades and loads the user-mode loader LINE VIPER. LINE VIPER can run CLI commands, capture traffic, bypass VPN AAA controls, suppress syslog entries, harvest CLI input, and communicate with C2 over WebVPN HTTPS sessions or ICMP with per-victim encryption. 

Affected hardware includes 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X running ASA 9.12 or 9.14, many of which are at or near end-of-support (final EoS dates through Sept 30, 2025). Cisco has issued patches for these flaws and a third critical issue, CVE-2025-20363, and authorities, including CISA, have mandated urgent mitigations for federal agencies. 

Security teams are urged to inventory ASA/FTD devices, apply updates immediately, follow CISA/NCSC guidance, and assume compromise when anomalous device behavior appears; organisations should also accelerate migration to supported platforms and consider zero-trust architectures to reduce exposure of internet-facing perimeter appliances. 
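A first pass at the inventory step above, added here as an example and not taken from Cisco, NCSC or CISA tooling: it classifies saved `show version` output against the models and release trains named in this article. The matched line formats, the status names and the sample devices are assumptions; `in_scope` means the device falls under the guidance, not that it is compromised or unpatched.

```python
import re

# Models and ASA release trains the article names as affected.
AFFECTED_MODELS = {"5512", "5515", "5525", "5545", "5555", "5585"}
AFFECTED_TRAINS = {"9.12", "9.14"}

# Assumed line formats of ASA `show version` output.
VERSION_RE = re.compile(r"Appliance Software Version ((\d+\.\d+)\(\d+\)\d*)")
HARDWARE_RE = re.compile(r"^Hardware:\s+ASA(\d{4})", re.MULTILINE)

def triage(hostname, show_version):
    """Classify one device from its saved `show version` text."""
    ver = VERSION_RE.search(show_version)
    hw = HARDWARE_RE.search(show_version)
    if not ver or not hw:
        # Unreadable output is never treated as safe: flag it for manual review.
        return {"host": hostname, "status": "unparsed", "model": None, "version": None}
    model, version, train = hw.group(1), ver.group(1), ver.group(2)
    if model not in AFFECTED_MODELS:
        status = "not_listed"      # model is not among those named in the article
    elif train in AFFECTED_TRAINS:
        status = "in_scope"        # listed model on a listed release train
    else:
        status = "model_only"      # listed model on another train: still review
    return {"host": hostname, "status": status, "model": model, "version": version}

def triage_all(inventory):
    """Triage every device and sort so the most urgent statuses come first."""
    order = {"in_scope": 0, "unparsed": 1, "model_only": 2, "not_listed": 3}
    results = [triage(host, text) for host, text in inventory.items()]
    return sorted(results, key=lambda r: (order[r["status"]], r["host"]))

# Constructed sample inventory: hostnames and outputs are made up for illustration.
SAMPLE = {
    "fw-edge-01": "Cisco Adaptive Security Appliance Software Version 9.12(4)67\n"
                  "Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz\n",
    "fw-edge-02": "Cisco Adaptive Security Appliance Software Version 9.8(4)\n"
                  "Hardware:   ASA5545, 12288 MB RAM, CPU Lynnfield 2660 MHz\n",
    "fw-branch-07": "Cisco Adaptive Security Appliance Software Version 9.16(4)19\n"
                    "Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz\n",
    "fw-lab-03": "% Connection timed out\n",
}

if __name__ == "__main__":
    for r in triage_all(SAMPLE):
        print(f"{r['host']:<14}{r['status']:<12}{r['model'] or '-':<6}{r['version'] or '-'}")
```
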
