Background
ArcaneDoor is the name Cisco Talos gave to an espionage campaign discovered in late 2023 that targeted perimeter network devices — specifically Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) systems. Two vulnerabilities were used: CVE-2024-20353 (this one) and CVE-2024-20359. The attacker, tracked as UAT4356 by Cisco and Storm-1849 by Microsoft, specifically sought out network edge devices because they’re difficult to monitor, often excluded from EDR coverage, and provide excellent persistent access.
ASA and FTD are used as firewalls, VPN concentrators, and intrusion prevention systems at the perimeter of government and critical infrastructure networks. Compromising them provides persistent, stealthy access without needing to touch endpoint devices that security teams monitor more closely.
Technical Mechanism
CVE-2024-20353 is a vulnerability in the management and VPN web servers of ASA and FTD. An unauthenticated remote attacker can trigger a device reload (denial of service) by sending a crafted HTTP request. In the ArcaneDoor campaign context, this was used alongside CVE-2024-20359 (persistent local code execution via a pre-authentication check bypass in the client-less SSL VPN feature) to achieve persistent device compromise.
The CVE-2024-20353 DoS component:
- An attacker sends a specially crafted HTTP request to the management or SSL VPN interface
- The parsing of this request triggers an error condition that causes the device to reload
- During the reload, memory contents may be partially leaked, or the crash opens a window for subsequent exploitation
In the ArcaneDoor campaign, CVE-2024-20353 was used in combination with CVE-2024-20359 — the former to force a reload that triggered execution of a pre-planted backdoor, and the latter to establish that backdoor in the first place. Two custom implants were identified:
- Line Dancer — an in-memory shellcode loader that processed commands without writing to disk
- Line Runner — a persistent backdoor that survived device reboots by exploiting CVE-2024-20359’s persistence mechanism
Real-World Exploitation Evidence
Cisco Talos’s April 2024 disclosure was the culmination of an investigation that began after a customer reported suspicious device behaviour. Key findings:
- UAT4356 / Storm-1849 — assessed as a state-sponsored threat actor; exact nation-state attribution was not stated in the Cisco disclosure, though analysis from multiple third parties pointed to China-nexus activity
- Government networks specifically targeted — the actor sought out government and critical infrastructure organisations
- Zero-day exploitation — both CVEs were being exploited before Cisco had patches
- Forensic evasion — Line Dancer operated entirely in memory to avoid detection; the actor clearly anticipated forensic investigation
- Supply chain concern — the targeting of network devices rather than endpoints reflects a broader trend of sophisticated actors avoiding heavily monitored infrastructure
Impact Assessment
- Persistent device compromise — Line Runner backdoor survived reboots
- Full device access — read and modify device configuration, intercept traffic
- Network traffic interception — ASA/FTD devices terminate VPN traffic; with device access, encrypted VPN communications are exposed
- Lateral movement enablement — the compromised device provides a foothold in well-defended networks
- Credential access — VPN credentials, pre-shared keys, and certificates accessible from device memory
- Long-term espionage — in-memory execution made the compromise exceptionally difficult to detect without vendor-specific tooling
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Cisco ASA Software | 9.12.x | 9.12.4.38 |
| Cisco ASA Software | 9.14.x | 9.14.4.14 |
| Cisco ASA Software | 9.16.x | 9.16.4.19 |
| Cisco ASA Software | 9.17.x | 9.17.1.42 |
| Cisco ASA Software | 9.18.x | 9.18.3.53 |
| Cisco FTD Software | 7.0.x | 7.0.6.1 |
| Cisco FTD Software | 7.2.x | 7.2.5.1 |
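To turn the table above into a repeatable check, here is an added example (not Cisco tooling) that extracts the version from `show version` output and compares it against the fixed releases listed on this page; trains absent from the table are reported as such rather than guessed:

```python
"""Check an ASA/FTD version against the fixed releases in the table above.

Added example, not Cisco tooling. The table values are copied from the page;
any train missing from the table is reported as such rather than guessed.
"""
import re
from typing import Optional, Tuple

# (product, release train) -> first fixed release, from the table above
FIXED_RELEASES = {
    ("ASA", "9.12"): "9.12.4.38",
    ("ASA", "9.14"): "9.14.4.14",
    ("ASA", "9.16"): "9.16.4.19",
    ("ASA", "9.17"): "9.17.1.42",
    ("ASA", "9.18"): "9.18.3.53",
    ("FTD", "7.0"): "7.0.6.1",
    ("FTD", "7.2"): "7.2.5.1",
}

# ASA prints "Software Version 9.16(4)19"; FTD prints "Version 7.2.5.1"
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+(?:\(\d+\)\d+|(?:\.\d+)*))")


def version_from_show_version(output: str) -> Optional[str]:
    """Extract the version string from 'show version' output, if present."""
    m = VERSION_RE.search(output)
    return m.group(1) if m else None


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise '9.16(4)19' or '9.16.4.19' into a comparable tuple of ints."""
    cleaned = text.replace("(", ".").replace(")", ".").strip(".")
    return tuple(int(p) for p in cleaned.split(".") if p)


def assess(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not in table' for a product/version pair.

    Tuple comparison treats a shorter version (e.g. 9.12.4) as older than
    9.12.4.38, which is the conservative answer for a missing interim number.
    """
    v = parse_version(version)
    if len(v) < 2:
        return "not in table"
    fixed = FIXED_RELEASES.get((product.upper(), f"{v[0]}.{v[1]}"))
    if fixed is None:
        return "not in table"  # consult the Cisco advisory for the full matrix
    return "fixed" if v >= parse_version(fixed) else "vulnerable"
```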
Remediation Steps
- Apply Cisco patches immediately — check the Cisco advisory (cisco-sa-asaftd-persist-rce-FLsNXF4h) for full version matrix
- Use Cisco’s forensic tools to check for Line Dancer/Line Runner indicators:
  - Cisco provided specific detection commands in their advisory
  - Check for suspicious memory-resident processes with `show memory detail`
- Verify device firmware integrity against known-good hashes from Cisco’s download portal
- If compromise is suspected, do not simply reload — the implant may persist; work with Cisco TAC
- Restrict management access to ASA/FTD — management interface should never be internet-accessible
- If SSL VPN is used, audit for any unexpected changes to the VPN configuration or user database
- Review syslog for unexpected device reload events and correlate with the request that triggered them
Detection Guidance
Cisco ASA/FTD logs — look for:
- Unexpected reload events (particularly if triggered by specific HTTP requests)
- Unusual management plane activity
- Memory size anomalies
Cisco detection commands:
- `show memory region`
- `show version`
- `verify /md5 flash:<filename>`
Network monitoring — watch for unexpected outbound connections from ASA/FTD management interfaces.
Suricata signature:
alert http any any -> $HTTP_SERVERS any (msg:"Cisco ASA CVE-2024-20353 ArcaneDoor Probe"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"+CSCOE+"; classtype:attempted-admin; sid:2034016; rev:1;)
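The log review and the Suricata rule above combine naturally: a device startup that was not preceded by an operator reload command, but was preceded by an alert for this rule, is the reload-after-probe pattern worth escalating. The following is an added example (not Cisco or Suricata tooling) that performs that correlation over constructed EVE JSON and ASA syslog lines; the syslog message IDs it keys on are assumptions to verify against Cisco's syslog reference.

```python
"""Correlate alerts from the Suricata rule above with ASA syslog reload evidence.
Added example, not Cisco or Suricata tooling; sample lines below are constructed.
Syslog IDs 111008 (operator reload command) and 199002 (startup completed) are
assumed, check them against Cisco's syslog message reference before relying on this.
"""
import json
import re
from datetime import datetime, timedelta

PROBE_SID = 2034016  # sid of the Suricata rule above
WINDOW = timedelta(minutes=10)
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}).*?%ASA-\d-(\d+): (.*)$")

def parse_syslog(lines):  # -> [{'ts', 'id', 'text'}] for lines carrying an %ASA message
    out = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
            out.append({"ts": ts, "id": m.group(2), "text": m.group(3)})
    return out

def parse_probe_alerts(eve_lines):  # -> [{'ts', 'src_ip'}] for EVE alerts matching PROBE_SID
    out = []
    for line in eve_lines:
        rec = json.loads(line)
        if rec.get("event_type") == "alert" and rec["alert"].get("signature_id") == PROBE_SID:
            ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            out.append({"ts": ts.replace(tzinfo=None), "src_ip": rec["src_ip"]})
    return out

def correlate(syslog_lines, eve_lines):  # startups with a probe but no operator reload in WINDOW
    events, alerts = parse_syslog(syslog_lines), parse_probe_alerts(eve_lines)
    findings = []
    for ev in (e for e in events if e["id"] == "199002"):
        lo = ev["ts"] - WINDOW
        operator = any(e["id"] == "111008" and lo <= e["ts"] <= ev["ts"] for e in events)
        probes = sorted({a["src_ip"] for a in alerts if lo <= a["ts"] <= ev["ts"]})
        if probes and not operator:
            findings.append({"reload_at": ev["ts"].isoformat(), "probe_src": probes})
    return findings

SAMPLE_EVE = [  # constructed
    '{"timestamp":"2024-04-20T10:14:55.000000+0000","event_type":"alert","src_ip":"198.51.100.7","alert":{"signature_id":2034016}}',
]
SAMPLE_SYSLOG = [  # constructed
    "Apr 20 2024 10:15:40 fw01 : %ASA-6-199002: Startup completed. Beginning operation.",
    "Apr 21 2024 02:00:10 fw01 : %ASA-5-111008: User 'enable_15' executed the 'reload' command.",
    "Apr 21 2024 02:02:30 fw01 : %ASA-6-199002: Startup completed. Beginning operation.",
]
```

Only the first startup is flagged: the second follows an operator-issued reload command and has no probe alert in its window.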
Timeline
| Date | Event |
|---|---|
| Late 2023 | ArcaneDoor campaign begins; zero-day exploitation of CVE-2024-20353 and CVE-2024-20359 |
| Early 2024 | Cisco customer reports suspicious activity; investigation begins |
| 24 April 2024 | Cisco Talos publishes ArcaneDoor report; patches released |
| April 2024 | CISA adds CVE-2024-20353 and CVE-2024-20359 to KEV catalogue |
| April 2024 | Five Eyes intelligence agencies issue joint advisory |