CVE-2024-20353 & CVE-2024-20359: ArcaneDoor — State-Sponsored Cisco ASA Zero-Days
How a suspected Chinese nation-state actor (UAT4356 / STORM-1849) chained two Cisco ASA zero-days to plant persistent backdoors on government and critical infrastructure VPN gateways worldwide — with no vendor patch available for weeks
CVE-2024-20353 and CVE-2024-20359 are two zero-day vulnerabilities in Cisco ASA and FTD that were exploited by a suspected Chinese state-sponsored threat actor (UAT4356 / STORM-1849) in a campaign Cisco Talos named ArcaneDoor. The campaign targeted perimeter network devices at government and critical infrastructure organizations worldwide, planting two custom implants — Line Dancer and Line Runner — that provided persistent covert access to the compromised devices. First exploitation was observed in November 2023, five months before Cisco's April 2024 disclosure.
The Two Vulnerabilities and Their Roles in ArcaneDoor
**CVE-2024-20353 — Web Services DoS and Memory Corruption (CVSS 8.6)**: A vulnerability in the web services interface of Cisco ASA and FTD allows an unauthenticated remote attacker to cause the device to reload (denial of service) or — in the exploitation context — trigger a memory corruption condition that provides initial code execution on the device. The web management interface exposure is the entry point.
**CVE-2024-20359 — Persistent Code Execution via Shared Memory (CVSS 6.0 authenticated)**: A vulnerability in the mechanism Cisco ASA uses for pre-shared memory and persistent device storage allows an authenticated attacker to execute arbitrary code with root privileges. Critically, the Line Runner implant leveraged this flaw to survive device reboots and firmware upgrades by embedding in the persistent shared memory region — making remediation more complex than simply rebooting or reimaging.
Line Dancer and Line Runner: The Implant Architecture
The sophistication of ArcaneDoor lies not just in the zero-days but in the custom implants deployed afterward:
**Line Dancer**: An in-memory shellcode loader operating entirely within Cisco ASA's memory space. It intercepts specific crafted HTTPS POST requests sent by the attacker, extracts embedded shellcode payloads, executes them in memory, and returns results — all without writing any files to disk. This design evades file-integrity checking, forensic disk analysis, and most endpoint security tools. Line Dancer capabilities included: executing OS commands, exfiltrating VPN session data and credentials, and pivoting deeper into connected networks.
**Line Runner**: A Lua-based backdoor that exploited CVE-2024-20359 to embed itself in the ASA's persistent shared memory. Line Runner was designed to survive the standard incident response actions of rebooting and firmware updates — an unusual degree of persistence engineering that indicates a sophisticated actor with detailed knowledge of Cisco ASA's internal architecture.
Attack Chain
The ArcaneDoor campaign attack sequence:
Initial Access via CVE-2024-20353
An unauthenticated attacker sends a crafted request to an exposed Cisco ASA web management or SSL VPN interface. CVE-2024-20353 triggers memory corruption that provides initial code execution on the perimeter device.
Line Dancer Implant Deployed
The in-memory shellcode loader is installed within the ASA's running memory; no files are written to disk. Line Dancer establishes a covert C2 channel via crafted HTTPS POST requests.
Persistent Backdoor via CVE-2024-20359
The Line Runner Lua backdoor is planted in the ASA's persistent shared memory using CVE-2024-20359. This ensures the backdoor survives reboots and firmware upgrades; standard IR actions will not remove it.
VPN Credential Harvesting
Line Dancer intercepts VPN authentication traffic passing through the compromised perimeter device, harvesting credentials for all VPN users authenticating through the gateway.
Network Pivot and Espionage
Using harvested credentials and the ASA's privileged network position, the actor pivots to internal targets, exfiltrates intelligence, and maintains persistent access for long-term espionage operations.
Scope and Targeting
Cisco Talos confirmed ArcaneDoor targeted government networks and critical infrastructure across multiple countries. The specific focus on perimeter network devices — rather than endpoint compromise — reflects a deliberate strategy:
- Perimeter devices process all inbound and outbound traffic, enabling passive collection without touching internal hosts
- Network appliances typically have less security monitoring than servers and workstations
- Compromise of a VPN gateway yields credentials for all VPN users
- Persistence on network appliances is harder to detect and evict
This targeting pattern aligns with previous campaigns attributed to Chinese state actors targeting network infrastructure (Volt Typhoon's LOTL techniques on routers, Salt Typhoon's compromise of telecoms).
Detection
Detection for ArcaneDoor requires device-level forensics beyond standard network monitoring:
| Artifact | Source | Detection guidance |
|---|---|---|
| Anomalous executable memory regions in 'show memory region' output on Cisco ASA | Cisco ASA diagnostic (in-memory) | Compare 'show memory region' output against a known-clean baseline; Line Dancer manifests as unexpected executable memory regions not associated with standard ASA processes |
| Unknown or unexpected Lua scripts in Cisco ASA persistent shared memory | Cisco ASA persistent storage | Enumerate Lua scripts via the ASA CLI; any script not matching the standard Cisco ASA firmware manifest indicates potential Line Runner presence |
| Crafted HTTPS POST requests to the ASA management interface with unusual encoded payloads | Network (SSL inspection / ASA access log) | Line Dancer C2 uses specifically crafted POST requests as the command channel; anomalous POST patterns to the management interface warrant investigation |
| ASA device reloads or unexpected process crashes coinciding with inbound management interface requests | Cisco ASA system log / SNMP trap | Failed CVE-2024-20353 exploitation attempts cause device reloads; unexplained reloads correlated with specific source IPs are exploitation indicators |
Full hashes and IOC lists are available via the Cisco Talos GitHub repository.
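One way to operationalize the last row of the table, as an added example that is not Cisco's forensic tooling or Talos guidance: it parses a constructed, simplified request/reload log and flags source IPs that repeatedly precede unexplained reloads within a short window. The log format, field names and IP addresses are constructed for illustration; a real deployment would parse the ASA syslog export used in your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified key=value form, not real ASA syslog output).
SAMPLE_LOG = """\
2024-04-10T11:58:00Z event=mgmt_request src=198.51.100.7 method=GET uri=/admin/status
2024-04-10T12:00:01Z event=mgmt_request src=203.0.113.5 method=POST uri=/admin/login
2024-04-10T12:00:09Z event=reload reason=unexpected
2024-04-10T13:30:00Z event=mgmt_request src=198.51.100.7 method=GET uri=/admin/status
2024-04-10T18:00:00Z event=reload reason=scheduled
2024-04-10T18:00:02Z event=mgmt_request src=203.0.113.5 method=POST uri=/admin/login
2024-04-10T18:00:20Z event=reload reason=unexpected
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>event=.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_log(text):
    """Parse each line into a dict: datetime 'ts' plus its key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        ev = dict(KV_RE.findall(m.group("rest")))
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def correlate_reloads(events, window_s=30):
    """Per source IP, count unexpected reloads within window_s seconds of its request."""
    window = timedelta(seconds=window_s)
    requests = [e for e in events if e.get("event") == "mgmt_request"]
    hits = defaultdict(int)
    for r in events:
        if r.get("event") != "reload" or r.get("reason") != "unexpected":
            continue
        # each source is counted at most once per reload, however many requests it sent
        for src in {q["src"] for q in requests if q["ts"] <= r["ts"] <= q["ts"] + window}:
            hits[src] += 1
    return dict(hits)

def suspicious_sources(log_text, min_hits=2):
    """Sources that repeatedly precede unexplained reloads and warrant investigation."""
    hits = correlate_reloads(parse_log(log_text))
    return sorted(src for src, n in hits.items() if n >= min_hits)
```

Scheduled reloads are ignored so that maintenance windows do not produce false positives; tune the window and hit threshold to the reload cadence of your own devices.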
Remediation
Steps for ArcaneDoor remediation — standard reboot is insufficient:
Apply Cisco's patched ASA and FTD software versions
Cisco released patched software versions for both CVE-2024-20353 and CVE-2024-20359 in April 2024. Upgrade to the patched ASA software version specific to your release train. Verify using Cisco's Software Checker tool. Upgrading firmware addresses the vulnerabilities but does not evict a Line Runner implant already present.
Follow Cisco's ArcaneDoor-specific forensic process before assuming clean
Cisco published specific forensic guidance for detecting Line Dancer (in-memory) and Line Runner (persistent). This includes specific CLI commands for inspecting memory regions and persistent storage. Do not assume a device is clean based on a firmware upgrade alone — Line Runner was specifically engineered to survive upgrades.
If compromise is suspected: full device wipe and reimage
For confirmed or suspected ArcaneDoor compromise, the only reliable remediation is a factory reset (write erase, reload) to completely clear both running memory and persistent storage, followed by reloading clean firmware from a verified Cisco source. Line Runner's persistence mechanism means partial remediation is insufficient.
Restrict management interface exposure
The CVE-2024-20353 entry point requires access to the ASA's web management interface. Immediately restrict access to the management interface to trusted IP ranges only using management access control lists (ACLs). The management interface should never be reachable from the internet.
Rotate all VPN credentials associated with compromised devices
Line Dancer was observed harvesting VPN session credentials. Any device suspected of compromise should trigger mandatory password rotation for all VPN users who authenticated through that gateway during the potential compromise window.
The bottom line
ArcaneDoor is the clearest illustration yet of a sustained nation-state strategy targeting network perimeter devices as a preferred espionage platform — invisible to endpoint security, persistent across standard IR actions, and positioned to passively collect credentials and traffic from every connection they protect. The sophistication of Line Runner's firmware-upgrade-resistant persistence reflects deep investment in Cisco ASA internals by the threat actor. Organizations must treat perimeter network device security with the same rigor as Active Directory and endpoint infrastructure — these devices are not passive conduits, they are high-value targets.
Frequently asked questions
What are CVE-2024-20353 and CVE-2024-20359?
CVE-2024-20353 is a denial-of-service vulnerability in Cisco ASA and FTD web services that can also lead to memory corruption exploitable for code execution. CVE-2024-20359 is a vulnerability in the persistent shared memory of Cisco ASA that allows a previously authenticated attacker to execute code with root privileges at boot time — enabling a persistent backdoor that survives reboots. Together they formed the ArcaneDoor exploit chain.
Who conducted the ArcaneDoor campaign?
Cisco Talos tracks the actor as UAT4356. Microsoft tracks the same cluster as STORM-1849. Both attribute the campaign to a suspected Chinese state-sponsored threat actor based on targeting patterns, tooling sophistication, and infrastructure characteristics — though no country attribution has been formally confirmed publicly.
What backdoors were installed in the ArcaneDoor campaign?
Two custom implants were deployed: Line Dancer, an in-memory shellcode loader that runs in the ASA's memory without touching disk (evading file-based detection), and Line Runner, a Lua-based backdoor that leverages CVE-2024-20359 to achieve persistence across reboots and software upgrades by embedding itself in the device's persistent shared memory.
How do I know if my Cisco ASA was compromised?
Cisco published a specific forensic tool and detection guidance. Key indicators include: unexpected output from 'show memory region' showing anomalous executable memory regions, unknown Lua scripts in the persistent memory, and network traffic anomalies consistent with the Line Dancer C2 protocol. Cisco's ArcaneDoor detection guidance should be followed precisely, as in-memory implants do not leave conventional file-system artifacts.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
