Cisco ASA and FTD Zero-Day Campaigns: LRQA Threat Intelligence Update
Expert analysis to help you assess exposure and strengthen defences.
Overview
In September 2025, Cisco confirmed two zero-day vulnerabilities affecting ASA and FTD firewall devices were being exploited in a coordinated campaign. LRQA’s Cyber Threat Intelligence team has analysed the incident along with the earlier ArcaneDoor campaign, highlighting details of note for defenders.
This update provides verified intelligence and practical guidance to help organisations assess exposure, detect compromise and apply the latest mitigation measures, if applicable. Even if your organisation does not operate Cisco infrastructure directly, the findings highlight broader risks to connected networks and managed services.
Key takeaways
- The latest campaign exploits two zero-day vulnerabilities affecting Cisco ASA and FTD devices, with evidence linking it to the earlier ArcaneDoor operation.
- The RayInitiator bootkit and LINE VIPER malware demonstrate advanced persistence, stealth and credential-harvesting techniques.
- Attackers are targeting outdated or unsupported devices that lack secure-boot functionality, increasing long-term exposure.
- Cisco has released detection and mitigation updates, but many organisations remain at risk due to legacy infrastructure.
- The campaign highlights the growing threat to network infrastructure as attackers focus on devices that underpin enterprise connectivity.
Why it matters
Targeted attacks against network infrastructure continue to increase in frequency and sophistication. A compromise at this layer can provide sustained access to credentials, data flows and internal systems.
LRQA’s threat intelligence equips your teams with clear, actionable steps to reduce risk and improve resilience across your environment.
Download the full briefing for in-depth analysis, technical indicators and defensive recommendations from LRQA’s Cyber Threat Intelligence team.
