Cisco ASA 0-Day Exploited to Deploy RayInitiator and LINE VIPER

The NCSC warns of a persistent malware campaign targeting Cisco ASA 5500-X series devices, leveraging a new 0-day vulnerability to deploy sophisticated RayInitiator and LINE VIPER malware.

Today, the National Cyber Security Centre (NCSC) – part of GCHQ – issued further advice to help network defenders mitigate a sustained malware campaign exploiting a previously unknown vulnerability in Cisco Adaptive Security Appliance (ASA) 5500-X series firewalls.

In a significant update to a campaign first exposed last year, Cisco confirmed that the same threat actor has leveraged new flaws in ASA devices to implant two advanced malware families: RayInitiator and LINE VIPER.

Both strains enable remote command execution, persistent backdoor access, and potential data exfiltration from compromised firewalls.

The NCSC is urging organisations operating affected ASA models to review Cisco’s recommended remediation steps without delay.

Key actions include applying the latest security updates for ASA and Firepower Threat Defense (FTD) platforms, auditing device logs for indicators of compromise, and isolating any systems showing anomalous behavior.

A detailed malware analysis report, published by the NCSC, provides defenders with signatures, network patterns, and forensic guidance to detect RayInitiator and LINE VIPER infections.

Cisco has published technical advisories outlining the vulnerability details, attack chain, and mitigation strategies.

The flaw affects ASA 5500-X series devices running certain firmware versions and is exploited via specially crafted network packets that bypass authentication controls.

Once exploited, the attacker gains root-level access, allowing them to deploy custom payloads and maintain persistence.

The advisory warns that several ASA 5500-X models will reach end-of-support between September 2025 and August 2026.

The NCSC strongly recommends organisations replace or upgrade obsolete units wherever feasible, as unsupported devices pose significant security risks and lack vendor patches.

NCSC Chief Technology Officer Ollie Whitehouse emphasized the importance of proactive defense:
“It is critical for organisations to take note of Cisco’s recommended detection and remediation actions. We strongly encourage defenders to leverage our malware analysis report to inform their investigations. End-of-life technology presents a significant risk—systems should be migrated to supported versions to strengthen resilience.”

This alert follows a joint advisory published last year with international partners, detailing earlier malware variants known as LINE DANCER and LINE RUNNER.

RayInitiator and LINE VIPER represent an evolution in both sophistication and stealth techniques, featuring advanced encryption routines and evasion of signature-based detection.

Organisations are advised to consult the NCSC’s device security guidance for best practices on managing end-of-life hardware, including network segmentation, strict access controls, and continuous monitoring.

Immediate detection measures include scanning for irregular outbound connections, unexpected process execution, and modification of ASA configuration files.

Network operators should report any confirmed compromise to the NCSC’s incident response team.

Early reporting can help coordinate a broader defense and share threat intelligence across the community.

Further details and remediation resources are available in the NCSC’s dedicated malware analysis report and Cisco’s security advisories.

With Windows 10 reaching its own end-of-life milestone in October 2025, the NCSC also recommends organisations accelerate migration to supported platforms and maintain rigorous patch management policies across all network devices.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
