
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

4 unique sources, 16 articles

Summary

The **Firestarter malware**, a custom backdoor linked to the **UAT-4356** threat actor (associated with the **ArcaneDoor campaign**), continues to persist on **Cisco Firepower and Secure Firewall devices** running ASA or FTD software **even after firmware updates and security patches**. CISA and the U.K. NCSC confirmed that the malware enables **remote access and control** by threat actors, with persistence mechanisms that survive reboots and patching. The adversary initially exploited **CVE-2025-20333** (missing authorization) and **CVE-2025-20362** (buffer overflow) to deploy **Line Viper**—a user-mode shellcode loader used to extract credentials and configuration details—before installing Firestarter for long-term access. CISA’s updated **Emergency Directive 25-03** now requires Federal Civilian Executive Branch (FCEB) agencies to **identify vulnerable Firepower and Secure Firewall devices**, collect forensic evidence, and apply vendor-provided mitigations. Over **30,000 devices remain exposed globally**, despite prior patching efforts, with some organizations **incorrectly applying updates** and leaving systems vulnerable. Cisco’s advisory details Firestarter’s persistence via **LINA process hooking**, modification of boot files (e.g., `CSP_MOUNT_LIST`), and memory-resident shellcode triggered by crafted WebVPN requests. Mitigation requires **device reimaging** or, as a last resort, a **cold restart** (with risks of corruption). Administrators are urged to verify compromises using the command `show kernel process | include lina_cs`. The campaign reflects a broader trend of **multi-platform exploitation**, with UAT-4356 also linked to zero-day attacks on **Citrix Bleed 2 (CVE-2025-5777)** and **Cisco ISE (CVE-2025-20337)**, deploying custom malware like **‘IdentityAuditAction’** for persistence. The indiscriminate yet sophisticated targeting suggests a **highly resourced actor** with access to advanced tools or non-public vulnerability intelligence.
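The summary above gives two concrete things a defender can act on: the `show kernel process | include lina_cs` check and the file paths the malware uses for persistence. The script below is an added example (not CISA, NCSC or Cisco tooling) that turns those into a fleet triage pass: it parses collected `show kernel process` output, matches the `lina_cs` basename exactly rather than as a substring, scans any collected boot-file dump for the paths named in the report, and emits a per-device verdict with the page's recommended action. The column layout of `show kernel process`, the `/asa/bin/lina` path, the device names and all sample output are constructed assumptions, not real device output.

```python
"""Fleet triage for the FIRESTARTER indicators described in the CISA/NCSC report.

Added example, not vendor or agency code. It assumes you have already collected
the raw text of `show kernel process` (and optionally a dump of the
CSP_MOUNT_LIST boot file) from each ASA/FTD device with your own automation and
feed that text in here. Output formats below are assumed, not copied from a device.
"""
from dataclasses import dataclass, field

# File paths named in the report summarised above.
FIRESTARTER_PATHS = (
    "/usr/bin/lina_cs",
    "/opt/cisco/platform/logs/var/log/svc_samcore.log",
)
BOOT_FILE_NAME = "CSP_MOUNT_LIST"


@dataclass
class DeviceVerdict:
    device: str
    suspect: bool
    evidence: list = field(default_factory=list)
    action: str = ""


def parse_kernel_process(output: str) -> list[tuple[int, str]]:
    """Parse `show kernel process` style output into (pid, command) pairs.

    ASSUMPTION: one process per line, first whitespace-separated field is the
    PID and the last field is the command path; header/blank lines are skipped.
    """
    procs = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        procs.append((int(fields[0]), fields[-1]))
    return procs


def lina_cs_processes(output: str) -> list[tuple[int, str]]:
    """Processes whose command basename is exactly `lina_cs`.

    `| include lina_cs` on the device is a substring filter; matching on the
    basename here avoids false positives from unrelated paths or log text
    that merely contain the string, while the legitimate `lina` process
    never matches.
    """
    return [(pid, cmd) for pid, cmd in parse_kernel_process(output)
            if cmd.rsplit("/", 1)[-1] == "lina_cs"]


def find_indicator_paths(text: str) -> list[str]:
    """Report paths that appear anywhere in collected text (e.g. a boot-file dump)."""
    return [p for p in FIRESTARTER_PATHS if p in text]


def triage_device(name: str, kernel_process_output: str,
                  boot_file_dump: str = "") -> DeviceVerdict:
    verdict = DeviceVerdict(device=name, suspect=False)
    for pid, cmd in lina_cs_processes(kernel_process_output):
        verdict.evidence.append(f"kernel process {pid} running {cmd}")
    for path in find_indicator_paths(boot_file_dump):
        verdict.evidence.append(f"{BOOT_FILE_NAME} references {path}")
    verdict.suspect = bool(verdict.evidence)
    if verdict.suspect:
        # Mitigation order from the advisory: preserve evidence, reimage,
        # cold restart only as a last resort (risk of corruption).
        verdict.action = ("Isolate, preserve forensic evidence, then reimage; "
                          "cold restart only as a last resort.")
    else:
        verdict.action = ("No FIRESTARTER indicators seen; still confirm the fix for "
                          "CVE-2025-20333/CVE-2025-20362 is actually installed.")
    return verdict


def triage_fleet(fleet: dict[str, dict]) -> dict[str, DeviceVerdict]:
    return {name: triage_device(name, d.get("kernel_process", ""), d.get("boot_file", ""))
            for name, d in fleet.items()}


# Constructed sample data: device names, process paths and boot-file lines
# are invented for the example and do not reproduce real device output.
SAMPLE_FLEET = {
    "asa-edge-01": {
        "kernel_process": ("PID PPID  STAT COMMAND\n"
                           "  1     0  S    /sbin/init\n"
                           "1412    1  S    /asa/bin/lina\n"),
        "boot_file": "/dev/sda1 /mnt/disk0\n",
    },
    "asa-edge-02": {
        "kernel_process": ("PID PPID  STAT COMMAND\n"
                           "1412    1  S    /asa/bin/lina\n"
                           "2290    1  S    /usr/bin/lina_cs\n"),
        "boot_file": ("/dev/sda1 /mnt/disk0\n"
                      "/opt/cisco/platform/logs/var/log/svc_samcore.log /usr/bin/lina_cs\n"),
    },
}

if __name__ == "__main__":
    for v in triage_fleet(SAMPLE_FLEET).values():
        print(f"{v.device}: {'SUSPECT' if v.suspect else 'clean'}")
        for item in v.evidence:
            print(f"  - {item}")
        print(f"  action: {v.action}")
```

A clean verdict here only means the two indicators from the report were absent; as the summary notes, some devices were marked patched while still vulnerable, so the version check and forensic collection required by the directive still apply.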

Timeline

  1. 23.04.2026 15:00 2 articles · 2d ago

    CISA publishes FIRESTARTER malware analysis and updates Emergency Directive 25-03

    CISA published a **malware analysis report** on **FIRESTARTER**, a custom backdoor targeting Cisco Firepower and Secure Firewall products running ASA or FTD software. The report, co-authored with the **U.K. National Cyber Security Centre (NCSC-UK)**, confirms that FIRESTARTER enables **remote access and control** by threat actors and **persists across reboots, firmware updates, and security patches**—rendering standard patching insufficient. **New technical details** reveal FIRESTARTER hooks into **LINA**, the core Cisco ASA process, using **signal handlers** to trigger reinstallation routines. It modifies the **CSP_MOUNT_LIST boot file** to ensure execution on startup, stores a copy of itself in `/opt/cisco/platform/logs/var/log/svc_samcore.log`, and restores the binary to `/usr/bin/lina_cs`. The backdoor injects shellcode into memory via a modified **XML handler**, with execution triggered by **crafted WebVPN requests** containing hardcoded identifiers. CISA updated **Emergency Directive 25-03** to mandate FCEB agencies **identify vulnerable Firepower and Secure Firewall devices**, collect forensic data, and apply mitigations. Cisco’s advisory recommends **reimaging compromised devices** or, as a last resort, performing a **cold restart** (with risks of corruption). Administrators can detect compromises using the command `show kernel process | include lina_cs`. The report assesses that an **APT actor (UAT-4356)**, linked to the **ArcaneDoor campaign**, exploited **CVE-2025-20333** and **CVE-2025-20362** to deploy FIRESTARTER. The malware’s persistence mechanisms underscore the need for **manual forensic analysis** beyond patching, with CISA urging all organizations to verify mitigations and report findings.

  2. 12.11.2025 16:00 2 articles · 5mo ago

    Threat actor exploits Citrix Bleed 2 and Cisco ISE zero-days pre-disclosure

    An advanced threat actor exploited **CVE-2025-5777 (Citrix Bleed 2)** in NetScaler ADC and Gateway and **CVE-2025-20337** in Cisco Identity Service Engine (ISE) as zero-days prior to public disclosure. Amazon’s threat intelligence team detected the activity via their MadPot honeypot service, observing exploitation attempts for CVE-2025-5777 before its disclosure in late June 2025. The same actor leveraged CVE-2025-20337—a critical deserialization flaw in Cisco ISE—to deploy a custom web shell named **‘IdentityAuditAction’**, disguised as a legitimate ISE component. The web shell functioned as an **HTTP listener**, used **Java reflection to inject into Tomcat server threads**, and employed **DES encryption with non-standard base64 encoding** to evade detection. Access required knowledge of specific HTTP headers, and the malware left minimal forensic traces. While the tactics demonstrate **advanced knowledge of Java/Tomcat internals and Cisco ISE architecture**, the targeting appeared indiscriminate, which is unusual for highly targeted APT operations. Amazon shared its findings with Cisco, prompting further investigation into the zero-day exploitation. The vulnerabilities allow unauthenticated attackers to **store malicious files, execute arbitrary code, or gain root privileges** on vulnerable devices. This development links the threat actor to a broader set of zero-day exploits beyond the previously reported Cisco ASA/FTD vulnerabilities, suggesting a **multi-platform campaign** with evolving tactics. Organizations are urged to apply security updates for both CVE-2025-5777 and CVE-2025-20337 and restrict access to edge network devices. Amazon’s latest report confirms the threat actor’s use of **custom-built malware** targeting Cisco ISE environments, employing advanced techniques such as in-memory operation, Tomcat thread injection, and non-standard encryption. The campaign’s indiscriminate nature, combined with the exploitation of multiple zero-days, suggests a highly capable adversary with access to sophisticated tools and potentially non-public vulnerability intelligence.

  3. 07.11.2025 17:44 1 article · 5mo ago

    Cisco warns of new attack variant causing DoS conditions

    Cisco warned that vulnerabilities CVE-2025-20362 and CVE-2025-20333 are now being exploited to force ASA and FTD firewalls into reboot loops. Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from nearly 50,000 unpatched firewalls in September. Cisco disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. Cisco attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes. On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities, causing unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions.

  4. 26.09.2025 08:51 2 articles · 7mo ago

    ArcaneDoor campaign deploys RayInitiator and LINE VIPER malware

    The U.K. National Cyber Security Centre (NCSC) confirmed the exploitation of Cisco ASA zero-day vulnerabilities to deliver RayInitiator and LINE VIPER malware. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.

  5. 25.09.2025 22:22 3 articles · 7mo ago

    Cisco discloses additional zero-day vulnerability in SNMP subsystem

    Cisco disclosed an additional zero-day vulnerability (CVE-2025-20352) affecting the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE. This flaw allows authenticated remote code execution and denial of service (DoS) attacks, affecting at least 2 million devices. Cisco strongly urges customers to update to a fixed version or implement mitigations immediately.

  6. 25.09.2025 20:52 5 articles · 7mo ago

    CISA orders agencies to patch Cisco flaws exploited in ArcaneDoor campaign

    CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks.

  7. 25.09.2025 19:49 8 articles · 7mo ago

    Cisco acknowledges exploitation of vulnerabilities and issues patches

    Cisco credited security researcher Jahmel Harris for discovering and reporting the vulnerabilities. Cisco addressed two critical security flaws in Unified Contact Center Express (Unified CCX) that could permit an unauthenticated, remote attacker to upload arbitrary files, bypass authentication, execute arbitrary commands, and elevate privileges to root. Cisco has shipped patches for a high-severity DoS bug (CVE-2025-20343) in Identity Services Engine (ISE) that could allow an unauthenticated, remote attacker to cause a susceptible device to restart unexpectedly. Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).

  8. 25.09.2025 15:00 13 articles · 7mo ago

    CISA issues Emergency Directive 25-03 for Cisco ASA zero-day vulnerabilities

    Sources confirm the ongoing exploitation of multiple zero-day vulnerabilities in Cisco ASA and Firewall Threat Defense (FTD) software. Nearly 50,000 Cisco ASA and FTD appliances were initially vulnerable to actively exploited flaws, with Shadowserver tracking over 48,800 internet-exposed instances in late September. The vulnerabilities **CVE-2025-20333** and **CVE-2025-20362** enable arbitrary code execution and access to restricted URL endpoints, with exploitation linked to the **ArcaneDoor campaign**. CISA’s **Emergency Directive 25-03**, issued on September 25, 2025, mandated federal agencies to identify and upgrade vulnerable devices within 24 hours, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect RayInitiator malware in ASA core dumps. **New development:** CISA has now **updated Emergency Directive 25-03** to address the discovery of **FIRESTARTER malware**, which can persist on compromised Cisco ASA devices **even after firmware patching**. The updated directive requires FCEB agencies to **identify specified Firepower and Secure Firewall devices**, collect forensic data, and apply new vendor-provided updates. CISA confirmed that **some organizations incorrectly applied updates** for CVE-2025-20333 and CVE-2025-20362, leaving devices marked as patched but still vulnerable. Shadowserver’s latest data shows **over 30,000 devices remain exposed globally**, down from 45,000 in early October. The vulnerabilities have been exploited to force ASA and FTD firewalls into reboot loops, with the ArcaneDoor campaign deploying advanced malware (**RayInitiator**, **LINE VIPER**, and now **FIRESTARTER**) and manipulating ROM for persistence. CISA and the U.K. NCSC co-authored a **malware analysis report** on FIRESTARTER, detailing its persistence mechanisms, detection methods, and recommended mitigations. The report assesses that an **APT actor** exploited CVE-2025-20333 and CVE-2025-20362 to deploy FIRESTARTER, underscoring the need for organizations to **verify correct patch application** and conduct forensic analysis to ensure full mitigation.


Similar Happenings

Active exploitation of Citrix NetScaler ADC/Gateway memory disclosure vulnerability (CVE-2026-3055)

A critical out-of-bounds read vulnerability in Citrix NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055, is being actively exploited in the wild to leak sensitive information and extract administrative session IDs from appliance memory, enabling potential full appliance takeover. Citrix disclosed the flaw on March 23, 2026, alongside a high-severity race condition flaw, affecting versions before 14.1-60.58, 13.1-62.23, and those older than 13.1-37.262. The vulnerability requires appliances to be configured as SAML Identity Providers and impacts only customer-managed systems. Exploitation was confirmed via honeypot networks on March 27, with attackers leveraging both /saml/login and /wsfed/passive endpoints to trigger memory overread conditions. Security researchers criticize Citrix’s disclosure as incomplete and provide tools to detect vulnerable hosts. On March 30, 2026, CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) Catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to patch vulnerable Citrix appliances by April 2, 2026 under BOD 22-01. CISA warned the flaw poses significant risks to the federal enterprise and urged all organizations to prioritize patching. Shadowserver reports nearly 30,000 exposed NetScaler ADC appliances and over 2,300 exposed Gateway instances online.

Active exploitation of F5 BIG-IP RCE vulnerability CVE-2025-53521

CVE-2025-53521, initially disclosed as a DoS flaw in October 2025, has been reclassified as a critical RCE vulnerability (CVSS 9.8) following new exploitation activity in March 2026. Threat actors are actively exploiting the flaw by sending malicious traffic to virtual servers configured with BIG-IP AMP or systems in appliance mode to deploy webshells and other payloads. F5 has confirmed exploitation in the wild and published IOCs, while CISA added the flaw to its KEV catalog on March 28, 2026, mandating federal remediation within three days. Multiple actors are probing F5 infrastructure, with observed payload deviations and scanning targeting REST API endpoints. Shadowserver tracks over 240,000 exposed BIG-IP instances, and the NCSC has urged immediate patching in the UK due to confirmed exploitation activity. The flaw affects BIG-IP APM versions 15.1.0–15.1.10, 16.1.0–16.1.6, 17.1.0–17.1.2, and 17.5.0–17.5.1. Fixed versions (15.1.10.8, 16.1.6.1, 17.1.3, 17.5.1.3) are available, and F5 recommends forensic best practices including system rebuilding due to potential persistent malware in UCS backups.

Microsoft Intune administrative control weaknesses exploited in Stryker breach leading to mass device wipes

A pro-Palestinian hacktivist group named Handala (also tracked as Handala Hack Team, Hatef, or Hamsa) compromised Microsoft Intune administrative controls at Stryker Corporation, a U.S.-based medical technology firm, on March 11, 2026. The attackers created a new Global Administrator account after breaching an existing administrator credential, stole approximately 50 terabytes of data, and executed device wipes across nearly 80,000 systems via Intune’s built-in wipe command. The incident follows Microsoft’s hardening guidance for Intune published days after the breach, which CISA subsequently mandated for all U.S. organizations to mitigate similar risks. The attack highlights the risks of excessive administrative privileges and insufficient privileged access hygiene in cloud-based endpoint management platforms.

Cisco SD-WAN Zero-Day Exploited by Highly Sophisticated Threat Actor

A critical zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited by a sophisticated threat actor, tracked as UAT-8616. The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges. The exploitation dates back to 2023, and Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The vulnerability has a CVSS score of 10.0, indicating maximum severity. Cisco is actively tracking the exploitation and post-compromise activities associated with this flaw. The threat actor is described as highly sophisticated, and the exploitation has been ongoing for some time.

AI-Assisted Hacker Breaches 600 FortiGate Firewalls in 5 Weeks

A Russian-speaking, financially motivated hacker used generative AI services to breach over 600 FortiGate firewalls across 55 countries in five weeks. The campaign, which occurred between January 11 and February 18, 2026, targeted exposed management interfaces and weak credentials lacking MFA protection. The attacker used AI to automate access to other devices on breached networks, extracting sensitive configuration data and conducting reconnaissance. The attacker successfully compromised multiple organizations' Active Directory environments, extracted complete credential databases, and targeted backup infrastructure, likely in a lead-up to ransomware deployment. The threat actor used the CyberStrikeAI AI-powered security testing platform, which integrates over 100 security tools and allows for end-to-end automation of attacks. The developer of CyberStrikeAI, known as "Ed1s0nZ," has links to Chinese government-affiliated cyber operations and has worked on additional AI-assisted security tools. Team Cymru detected 21 unique IP addresses running CyberStrikeAI between January 20 and February 26, 2026, primarily hosted in China, Singapore, and Hong Kong. Additional servers related to CyberStrikeAI have been detected in the U.S., Japan, and Switzerland. The developer has interacted with organizations supporting potentially Chinese government state-sponsored cyber operations, including Knownsec 404, a Chinese security vendor with ties to the Chinese Ministry of State Security (MSS). Ed1s0nZ has removed references to a CNNVD Level 2 Contribution Award from their GitHub profile. The campaign targeted healthcare, government, and managed service providers. The attackers exploited vulnerabilities CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. The attackers created a new local administrator account named "support" and set up four new firewall policies allowing unrestricted access. The attackers periodically checked device accessibility, consistent with initial access broker (IAB) behavior. The attackers extracted configuration files containing encrypted service account LDAP credentials. The attackers authenticated to the AD using clear text credentials from the fortidcagent service account. The attackers enrolled rogue workstations in the AD, allowing deeper access. The attackers deployed remote access tools like Pulseway and MeshAgent. The attackers downloaded malware from a cloud storage bucket via PowerShell from AWS infrastructure. The Java malware was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server (172.67.196[.]232) over port 443.