ArcaneDoor Attack (Cisco ASA Zero-Day)

What is the Attack?

Cisco has disclosed a state-sponsored espionage campaign targeting Cisco Adaptive Security Appliances (ASA), which are widely deployed for firewall, VPN, and security functions.

  • Initial Advisory (April 24): Attackers exploited two previously unknown zero-day vulnerabilities in ASA devices to infiltrate government entities worldwide.

  • Malware Deployed: The intrusions involved two custom backdoors, “Line Runner” and “Line Dancer”, which worked in tandem to:

    • Alter device configurations

    • Conduct reconnaissance

    • Capture and exfiltrate network traffic

    • Enable potential lateral movement across victim networks

  • Update (September 25, 2025): Cisco observed new malicious activity specifically targeting ASA 5500-X Series appliances. To address this, it released patches for three newly assigned vulnerabilities:

    • CVE-2025-20333

    • CVE-2025-20362

    • CVE-2025-20363

This campaign highlights a sustained effort by sophisticated adversaries to weaponize zero-day flaws in widely deployed Cisco security appliances, with the goal of espionage and long-term persistence.

What is the recommended Mitigation?

What FortiGuard Coverage is available?

  • FortiGuard IPS Service is available to detect and block exploit attempts relating to the ArcaneDoor Attacks.
    Intrusion Prevention | FortiGuard Labs

  • FortiGuard Web Filtering Service protects against malicious URLs, domains, IPs, and other attacker-controlled infrastructure associated with this campaign, as identified in Cisco’s advisory.

  • FortiAnalyzer, FortiSIEM, and FortiSOAR leverage known Indicators of Compromise (IoCs) delivered through the Indicators of Compromise (IoC) Service to enhance threat hunting, detection, and automated response, strengthening investigation workflows and correlation against related threat activity. FortiGuard Labs continues to monitor for newly emerging IoCs to ensure proactive protection.

  • Meanwhile, FortiGuard Labs strongly recommends users apply patches as provided by Cisco's Product Security Incident Response Team (PSIRT).

  • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Outbreak Alert

Critical zero-day vulnerabilities affecting Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) software have been actively exploited in the wild. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks.
