
Cisco ASA and FTD Firewall Vulnerabilities: Active Exploitation of CVE-2025-20333 and CVE-2025-20362 Enables DoS Attacks and Full Device Compromise

  • Rescana
  • Nov 9
  • 5 min read

Executive Summary

Recent intelligence confirms that critical vulnerabilities in Cisco firewall products, specifically Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD), are being actively exploited in the wild. The vulnerabilities, tracked as CVE-2024-20353, CVE-2024-20359, and more recently CVE-2024-20362, enable remote attackers to bypass authentication and execute arbitrary code, leading to full device compromise. Notably, these flaws are now being leveraged to launch denial-of-service (DoS) attacks, forcing targeted firewalls into persistent reboot loops and rendering them inoperable. The exploitation is attributed to a sophisticated, state-sponsored threat actor, with a campaign that has evolved from targeted espionage to widespread service disruption. The scale and impact of these attacks have prompted emergency directives from government agencies and highlight the urgent need for immediate mitigation.

Threat Actor Profile

The primary threat actor exploiting these Cisco firewall vulnerabilities is identified as UAT4356, also known as STORM-1849 in Microsoft’s threat taxonomy. This group is believed to be state-sponsored, exhibiting advanced persistent threat (APT) characteristics. UAT4356 has a history of targeting network edge devices, particularly those used by government, critical infrastructure, and large enterprise organizations. The group’s tactics, techniques, and procedures (TTPs) are highly sophisticated, involving custom malware, in-memory payloads, and exploitation of zero-day vulnerabilities. The campaign, dubbed ArcaneDoor, demonstrates a strategic focus on gaining persistent access to network perimeters, enabling both espionage and disruptive operations. The group’s operational security and technical acumen suggest significant resources and a high level of intent.

Technical Analysis of Malware/TTPs

The exploitation chain typically begins with the abuse of CVE-2024-20362, an authentication bypass vulnerability in the web services interface of Cisco ASA and FTD devices. This flaw allows unauthenticated attackers to access restricted endpoints, setting the stage for further compromise. Once access is gained, attackers exploit CVE-2024-20353 or CVE-2024-20359 to achieve remote code execution (RCE) as root. The attack chain is often executed via crafted HTTP requests to the VPN web server, exploiting improper input validation and session management.

Upon successful exploitation, the threat actor deploys custom malware, notably the Line Dancer in-memory shellcode loader and the Line Runner persistent backdoor. Line Dancer enables the execution of arbitrary shellcode directly in memory, facilitating stealthy post-exploitation activities without leaving artifacts on disk. Line Runner is used to establish long-term persistence, often by modifying the device’s ROMMON (bootloader) on models lacking Secure Boot or Trust Anchor technologies. The malware is capable of command execution, data exfiltration, and lateral movement.

In the latest wave of attacks, adversaries are abusing these vulnerabilities to trigger repeated device reloads, effectively causing a denial-of-service condition. This is achieved by sending malformed or malicious requests that exploit the authentication bypass and RCE flaws, forcing the firewall to crash and reboot continuously. The result is a persistent DoS state, disrupting network operations and potentially masking further malicious activity.

The TTPs observed align with the following MITRE ATT&CK techniques: Exploit Public-Facing Application (T1190), Exploitation of Remote Services (T1210), Command and Scripting Interpreter (T1059), and Ingress Tool Transfer (T1105).

Exploitation in the Wild

Active exploitation of these Cisco firewall vulnerabilities has been observed globally, with a significant concentration in government, critical infrastructure, and large enterprise environments. According to data from the Shadowserver Foundation, over 34,000 internet-exposed ASA and FTD devices remain vulnerable, a decrease from nearly 50,000 in previous months but still representing a substantial attack surface.

Attackers are leveraging automated scanning and exploitation tools to identify and compromise unpatched devices. The exploitation is not limited to targeted espionage; recent campaigns have shifted towards causing widespread disruption through DoS attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued emergency directives requiring federal agencies to patch or disconnect affected devices within 24 hours, underscoring the severity of the threat.

Public reports from BleepingComputer, Cisco, and Tenable confirm that exploitation is ongoing, with attackers using both known and novel techniques to bypass security controls. The attacks are often difficult to detect, as the malware operates in memory and leverages legitimate device functionality to evade traditional security monitoring.

Victimology and Targeting

The primary victims of these attacks are organizations operating Cisco ASA and FTD firewalls with internet-exposed management interfaces or VPN web services enabled. Sectors most affected include government agencies, critical infrastructure providers (such as energy, water, and transportation), financial institutions, and large enterprises with distributed networks.

Geographically, the attacks have a global footprint, with confirmed incidents in the United States, Europe, the Middle East, and Asia-Pacific regions. U.S. federal agencies have been specifically targeted, prompting coordinated response efforts. The attackers demonstrate a preference for high-value targets where firewall compromise can yield significant intelligence or operational disruption.

Devices running unsupported or end-of-support (EoS) versions of Cisco ASA software are particularly at risk, as they do not receive security updates and are often overlooked in patch management processes. The presence of legacy devices in critical network segments increases the likelihood of successful exploitation and subsequent impact.

Mitigation and Countermeasures

Immediate action is required to mitigate the risk posed by these actively exploited vulnerabilities. Organizations should apply all relevant Cisco security updates for ASA and FTD devices without delay. Patches addressing CVE-2024-20353, CVE-2024-20359, and CVE-2024-20362 are available from Cisco and should be prioritized for deployment.

Unsupported or end-of-support devices must be removed from production networks, as mandated by CISA and other regulatory bodies. Where patching is not immediately possible, organizations should disable VPN web services and restrict management access to trusted internal networks only.

Continuous monitoring for indicators of compromise (IOCs) is essential. Key IOCs include unexpected device reloads or reboots, unauthorized access to restricted URLs, and the presence of Line Dancer or Line Runner malware. Network traffic should be analyzed for anomalous patterns indicative of exploitation attempts.
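As an added illustration (not code from the original post or from Cisco), the check below flags a device that logs repeated reloads inside a short window, the reboot-loop symptom described above. The syslog lines and their layout are constructed for this example and do not reproduce any specific Cisco message ID.

```python
"""Flag firewall reboot loops in a syslog export (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: "<timestamp> <device> <message>" per line.
# fw-edge-01 reloads four times in under 15 minutes; fw-core-02 reloads once.
SAMPLE_LOG = """\
2025-11-08T02:10:05Z fw-edge-01 System restarted (cold start)
2025-11-08T02:14:31Z fw-edge-01 System restarted (cold start)
2025-11-08T02:19:02Z fw-edge-01 System restarted (cold start)
2025-11-08T02:23:40Z fw-edge-01 System restarted (cold start)
2025-11-08T03:00:00Z fw-core-02 System restarted (cold start)
2025-11-08T09:15:12Z fw-core-02 Configuration saved by admin
"""

# Substrings that mark a reload event in this constructed format.
RELOAD_MARKERS = ("System restarted", "reload")


def parse_line(line):
    """Split one export line into (timestamp, device, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, msg


def find_reboot_loops(log_text, threshold=3, window=timedelta(minutes=30)):
    """Return {device: peak reload count} for devices whose reload events
    reach `threshold` inside any sliding `window`; a single reload is ignored."""
    recent = defaultdict(deque)   # per-device timestamps of recent reloads
    flagged = {}
    for line in log_text.splitlines():
        ts, host, msg = parse_line(line)
        if not any(marker in msg for marker in RELOAD_MARKERS):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop reloads older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged


if __name__ == "__main__":
    for host, count in find_reboot_loops(SAMPLE_LOG).items():
        print(f"{host}: {count} reloads within 30 min, investigate for DoS exploitation")
```

Tune `threshold` and `window` to the normal change window of your environment so that a single planned reload is not flagged.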

Forensic analysis of potentially compromised devices should include inspection of ROMMON modifications and memory-resident malware. In cases of confirmed compromise, a full device reset to factory defaults, followed by reconfiguration with new credentials and certificates, is recommended.

Organizations are encouraged to leverage network segmentation to limit the exposure of critical assets and to implement robust access controls for firewall management interfaces. Regular vulnerability scanning, using tools such as those provided by Shadowserver, can help identify at-risk devices.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help safeguard your organization’s digital ecosystem, we invite you to contact us.

We are happy to answer questions at ops@rescana.com.