Cisco ASA zero-days: RayInitiator / LINE VIPER.

Old firewalls, new tricks

The UK NCSC and Cisco detail zero-day exploits against ASA 5500-X firewalls (many of them end-of-support), deploying a persistent GRUB bootkit (RayInitiator) and a user-mode loader, LINE VIPER. The exploited flaws include CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5); a separate CVE-2025-20363 is also patched. Tactics: disable logging, intercept the CLI, and crash devices to hinder forensics; some affected devices lacked Secure Boot/Trust Anchor. Urgent upgrades and mitigations are advised.

State-aligned attackers are owning ageing Cisco ASA firewalls with zero-days, then parking a bootkit (RayInitiator) that loads LINE VIPER to run commands, bypass VPN AAA and hide tracks. Affected models are mostly end-of-support—time to retire them.

Do now: update ASA/FTD, disable exposed web VPN where possible, verify Secure Boot, and monitor for unexpected CLI behaviour or suppressed logs.
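The "suppressed logs" item above is the one you can partly automate. The script below is an added example written for this digest, not code from NCSC, Cisco or the report: it reads a batch of ASA syslog lines, flags any firewall whose log stream has gone quiet for longer than a threshold relative to the newest message in the batch, and separately flags audit messages recording a `no logging ...` command. The hostnames, timestamps and message texts are constructed sample data, and the `executed the '...' command` audit-message shape is an assumption to adjust to what your collector actually receives.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog batch (not taken from the report). fw-edge-2 has an
# operator disabling logging at 10:01:10 and then falls silent; fw-edge-1 keeps going.
SAMPLE_LOGS = """\
2025-09-25T10:00:00 fw-edge-1 %ASA-6-302013: Built inbound TCP connection
2025-09-25T10:00:30 fw-edge-2 %ASA-6-302013: Built inbound TCP connection
2025-09-25T10:01:00 fw-edge-1 %ASA-6-302014: Teardown TCP connection
2025-09-25T10:01:10 fw-edge-2 %ASA-5-111008: User 'admin' executed the 'no logging enable' command
2025-09-25T10:02:00 fw-edge-1 %ASA-6-302013: Built inbound TCP connection
2025-09-25T10:10:00 fw-edge-1 %ASA-6-302013: Built inbound TCP connection
2025-09-25T10:20:00 fw-edge-1 %ASA-6-302013: Built inbound TCP connection
"""

# Assumed collector format: ISO timestamp, hostname, then the ASA message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# Assumed shape of the command-audit message; only 'no logging ...' variants are of interest here.
NOLOG_RE = re.compile(r"executed the '(?P<cmd>no logging[^']*)' command")


def parse(lines):
    """Turn raw syslog lines into (timestamp, host, message) tuples, skipping unparsable ones."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["msg"]))
    return events


def silent_devices(events, max_gap=timedelta(minutes=10)):
    """Map host -> seconds since its last message, for hosts quiet longer than max_gap.

    The reference point is the newest timestamp in the batch, so the check is
    deterministic and works on historical data as well as live tails."""
    if not events:
        return {}
    newest = max(ts for ts, _, _ in events)
    last_seen = {}
    for ts, host, _ in events:
        last_seen[host] = max(ts, last_seen.get(host, ts))
    return {
        host: int((newest - ts).total_seconds())
        for host, ts in last_seen.items()
        if newest - ts > max_gap
    }


def logging_changes(events):
    """List (host, timestamp, command) for audit messages that record logging being turned off."""
    hits = []
    for ts, host, msg in events:
        m = NOLOG_RE.search(msg)
        if m:
            hits.append((host, ts.isoformat(), m["cmd"]))
    return hits


def analyse(text, max_gap=timedelta(minutes=10)):
    """Run both checks over a block of syslog text and return the findings together."""
    events = parse(text.splitlines())
    return {
        "silent": silent_devices(events, max_gap),
        "logging_disabled": logging_changes(events),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOGS).items():
        print(key, value)
```

A silent device is only a lead: the same gap appears when a firewall has crashed (another tactic the advisory lists) or when the collector itself has a problem, so the follow-up is to check the device directly rather than trust the absence of logs either way. Tune `max_gap` to the quietest interval a healthy firewall on your network shows.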