Tenable Analysis – Cisco Zero-day Vulnerabilities
Posted: Friday, Sep 26

Cisco published advisories and a supplemental post about three zero-day vulnerabilities, two of which were exploited in the wild by an advanced threat actor associated with the ArcaneDoor campaign. The two flaws, CVE-2025-20333 and CVE-2025-20362, when combined or “chained” together, would give an attacker full control over the vulnerable device.

FAQ from Tenable documented here.

Comment below attributed to Satnam Narang, Senior Staff Research Engineer, Tenable

“Two of the three vulnerabilities patched by Cisco today were exploited in the wild by UAT4356 (also known as Storm-1849), a threat actor associated with last year’s ArcaneDoor campaign, which also targeted Cisco devices. The two flaws, CVE-2025-20333 and CVE-2025-20362, when combined or “chained” together, would give an attacker full control over the vulnerable device.

“In the ArcaneDoor campaign, UAT4356 focused on espionage-related activity, deploying ‘LINE RUNNER’ and ‘LINE DANCER,’ two backdoors, onto compromised systems to aid in follow-on activity. According to the UK’s National Cyber Security Centre (NCSC), UAT4356 deployed two new pieces of malware: the first, RayInitiator, is a multi-stage bootkit designed for persistence even if a device is rebooted or upgraded. The NCSC called this bootkit ‘sophisticated.’ The second, LINE VIPER, is a user-mode shellcode loader that deploys modular payloads to enable various post-compromise activities. It can be tasked and controlled through either HTTPS-based WebVPN sessions or through Internet Control Message Protocol (ICMP).”
