UK NCSC Warns of Sophisticated Malware Attacks Exploiting Cisco Firewall Zero-Days
The UK National Cyber Security Centre (NCSC) has issued a warning about the use of zero-day vulnerabilities in Cisco firewalls to deploy two novel malware strains, RayInitiator and LINE VIPER. These malware families mark a significant evolution in cyber threats, featuring advanced evasion capabilities and increased sophistication.
According to the NCSC, threat actors exploited recently disclosed Cisco firewall flaws (CVE-2025-20362, CVE-2025-20333) in zero-day attacks to deploy these new malware families. The UK agency emphasized the importance of organizations taking note of the recommended actions highlighted by Cisco today, particularly on detection and remediation.
"End-of-life technology presents a significant risk for organisations," said Ollie Whitehouse, NCSC Chief Technology Officer. "Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience."
RayInitiator: A Persistent Bootkit
RayInitiator is a persistent, multi-stage GRUB bootkit that has been flashed to Cisco ASA 5500-X devices (many of which are out of support). This malware survives reboots and firmware upgrades, allowing it to persist even after multiple attempts to remove it.
RayInitiator loads LINE VIPER, a user-mode shellcode loader that receives commands through WebVPN client authentication or specially crafted network packets. LINE VIPER uses unique tokens and RSA keys per victim to secure its operations.
LINE VIPER: A User-Mode Shellcode Loader
LINE VIPER is a user-mode loader with associated modules that allow the malware to run device commands, capture network traffic, bypass authentication controls, hide log messages, record CLI input, and trigger delayed reboots.
A State-Sponsored Campaign?
According to Cisco's advisory, the attacks were linked to a state-sponsored campaign. In May 2025, Cisco investigated attacks on several government agencies tied to this campaign, which targeted ASA 5500-X firewalls with VPN services enabled.
Cisco's analysis of infected firmware exposed a memory corruption flaw in ASA software. The attackers chained multiple zero-days, disabled logging, and intercepted CLI commands before crashing devices to block forensic checks.
Advanced Evasion Techniques
The attackers employed advanced evasion techniques, including disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis.
Cisco researchers also found that attackers modified ROMMON on older ASA 5500-X devices without Secure Boot or Trust Anchor to persist after reboots. Newer platforms with these protections showed no signs of compromise or persistence.
Targeted Devices and Campaign
Cisco stated that the campaign targeted ASA 5500-X models running ASA software 9.12 or 9.14 with VPN web services enabled and lacking Secure Boot/Trust Anchor. Affected end-of-support devices include the 5512-X, 5515-X, 5585-X, and 5525/5545/5555-X (EoS Sept 30, 2025).
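A practical first step for defenders is to check their own inventory against the profile described above: end-of-support 5500-X models, the 9.12/9.14 software trains, and WebVPN enabled. The script below is an added example, not code from the NCSC, Cisco, or the original article. It parses the text of ASA `show version` output and a running-config excerpt; the two sample outputs are constructed for illustration, and the field layout assumed for `show version` (the `Software Version`, `up`, and `Hardware:` lines) should be checked against your own devices.

```python
"""Exposure triage for the ASA 5500-X campaign profile described in the article.

Added example (not from the article, the NCSC or Cisco). Sample device output
below is constructed; the `show version` field layout is an assumption.
"""
import re
from dataclasses import dataclass, field

# Models the article lists as end-of-support and lacking Secure Boot / Trust Anchor.
LEGACY_MODELS = {"ASA5512", "ASA5515", "ASA5525", "ASA5545", "ASA5555", "ASA5585"}
# Software trains the article says the campaign targeted.
TARGETED_TRAINS = {"9.12", "9.14"}


@dataclass
class AsaProfile:
    hostname: str
    model: str
    version: str
    webvpn_interfaces: list = field(default_factory=list)

    @property
    def train(self) -> str:
        """'9.12(4)67' -> '9.12'."""
        m = re.match(r"(\d+\.\d+)", self.version)
        return m.group(1) if m else ""


def parse_show_version(text: str) -> AsaProfile:
    """Pull hostname, hardware model and software version from `show version` text."""
    version = re.search(r"Software Version (\S+)", text)
    hardware = re.search(r"^Hardware:\s+(ASA\d+)", text, re.M)
    host = re.search(r"^(\S+) up \d+", text, re.M)
    if not (version and hardware and host):
        raise ValueError("unrecognised show version output")
    return AsaProfile(host.group(1), hardware.group(1), version.group(1))


def parse_webvpn(config: str) -> list:
    """Interfaces with 'enable <ifname>' under the top-level 'webvpn' block
    of a running-config excerpt (ASA indents block contents by one space)."""
    ifaces = []
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_block = line.strip() == "webvpn"  # a new top-level line ends the block
            continue
        if in_block:
            m = re.match(r"\s+enable (\S+)", line)
            if m:
                ifaces.append(m.group(1))
    return ifaces


def assess(profile: AsaProfile) -> list:
    """Reasons the device matches the campaign profile; an empty list means none."""
    reasons = []
    if profile.model in LEGACY_MODELS:
        reasons.append(f"{profile.model} is end-of-support and lacks Secure Boot/Trust Anchor")
    if profile.train in TARGETED_TRAINS:
        reasons.append(f"software train {profile.train} is one the campaign targeted")
    if profile.webvpn_interfaces:
        reasons.append("WebVPN enabled on " + ", ".join(profile.webvpn_interfaces))
    return reasons


def triage(show_version: str, running_config: str) -> dict:
    """Combine both parsers; 'matches_profile' is the legacy-model-plus-WebVPN combination."""
    profile = parse_show_version(show_version)
    profile.webvpn_interfaces = parse_webvpn(running_config)
    return {
        "hostname": profile.hostname,
        "model": profile.model,
        "version": profile.version,
        "reasons": assess(profile),
        "matches_profile": profile.model in LEGACY_MODELS and bool(profile.webvpn_interfaces),
    }


# Constructed sample: an end-of-support 5525-X on the 9.12 train with WebVPN on 'outside'.
SAMPLE_SHOW_VERSION_A = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)67
Device Manager Version 7.12(2)

asa-edge-01 up 41 days 6 hours

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
"""
SAMPLE_CONFIG_A = "webvpn\n enable outside\n anyconnect enable\n!\n"

# Constructed sample: a model outside the article's list, newer train, no WebVPN block.
SAMPLE_SHOW_VERSION_B = """\
Cisco Adaptive Security Appliance Software Version 9.18(4)22

asa-dc-02 up 3 days 2 hours

Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
"""
SAMPLE_CONFIG_B = "ssh 10.0.0.0 255.0.0.0 management\n!\n"

if __name__ == "__main__":
    for sv, cfg in ((SAMPLE_SHOW_VERSION_A, SAMPLE_CONFIG_A), (SAMPLE_SHOW_VERSION_B, SAMPLE_CONFIG_B)):
        print(triage(sv, cfg))
```

Run it against the text of `show version` and `show running-config webvpn` collected from each firewall. A device that matches the profile is a candidate for Cisco's detection and remediation guidance; a non-match only means the device is outside the profile the article describes, not that it is patched or uncompromised.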
Cisco also patched CVE-2025-20363 (CVSS 8.5/9.0), a critical web services flaw in ASA, FTD, IOS, IOS XE, and IOS XR that could enable remote code execution.