Three New CVEs For CISCO ASA And FTD Software


Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on April 24, 2024, regarding actively exploited vulnerabilities within Cisco’s ASA and FTD software. A new Advanced Persistent Threat (APT) group classified as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center was also nicknamed “ArcaneDoor” by researchers earlier this year. ArcaneDoor could take control of a Cisco ASA or FTD system by exploiting three new CVEs: CVE-2024-20353 (CVSS score 8.6), CVE-2024-20359 (CVSS score 6.0), and CVE-2024-20358 (CVSS score 6.0). Cisco has released free software updates for these vulnerabilities. CISA has reported that this vulnerability has been observed to be actively exploited in the wild. CISA strongly recommends affected Cisco customers apply the patches as quickly as their patch policy allows.

Technical Analysis

CVE-2024-20353 (CVSS score 8.6) is a Web Services Denial of Service Vulnerability. An unauthenticated threat actor could remotely reload the Cisco ASA or FTD software. By repeating this exploit, the management and VPN servers would suffer a denial of service (DoS) outage. Threat actors would exploit this vulnerability by sending specially generated HTTP requests to the publicly exposed service. This is one of two zero-day vulnerabilities that have been exploited by threat actors, including ArcaneDoor.

ArcaneDoor is believed to be a state-sponsored cyber espionage group. While researchers are still unsure of the initial intrusion method, backdoors “Line Runner” and “Line Dancer” were observed during campaigns associated with this threat group. Wired reported on this campaign and indicated that this activity appears to align with China’s state interests.

CVE-2024-20359 (CVSS score 6.0) is a Persistent Local Code Execution Vulnerability. A preloading of plug-ins and clients could allow unauthenticated local threat actors to execute code with root-level access. The exploit would require already compromised administrator-level access. This vulnerability was caused by improper file validation when read from system flash memory. Threat actors could load a file to disk0 on the file system. Upon the next device reload, the code would be executed. The vulnerability associated with CVE-2024-20358 (CVSS score 6.0) behaves much in the same way but for Linux operating systems.

What UltraViolet Cyber is Doing

  • UltraViolet Cyber regularly updates our IOC database to ensure alerting is up to date
  • Monitoring commands that are associated with malicious activity from threat actors
  • Monitoring network logs for traffic to known malicious sites


What Customers Can Do

  • For organizations who run Cisco ASA or FTD software, they can check for releases for
    vulnerabilities on the Cisco Software Checker
  • For vulnerable systems, CISA and Cisco recommend applying patch releases to mitigate the
    risk of exploitation from threat actors



Cisco Adaptive Security Appliance and Firepower Threat Defense . (2024, April 24). Retrieved April 25,
2024, from

Cisco Adaptive Security Appliance and Firepower Threat Defense . (2024, April 24). Retrieved April 25,
2024, from

Cisco Adaptive Security Appliance and Firepower Threat Defense . (2024, April 24). Retrieved April 25,
2024, from

Cisco Releases Security Updates Addressing ArcaneDoor . (2024, April 24). Retrieved April 25, 2024,

Cisco Software Checker. Retrieved April 25, 2024, from

Greig, J. CISA: Cisco and CrushFTP vulnerabilities are being actively exploited. (2024, April 24).
Retrieved April 25, 2024, from

NCSC TIP Line Runner. (2024, April 24). Retrieved April 25, 2024, from