Share This:

Cybersecurity Threat AdvisoryTwo vulnerabilities, CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution), were leveraged to create backdoors by a state-sponsored cyber-espionage group, ArcaneDoor, in Cisco firewalls. Review the recommendations in this Cybersecurity Threat Advisory to protect your firewall appliances now.

What is the threat?

Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls had two critical vulnerabilities exploited:

  • CVE-2024-20353: Denial-of-Service (DoS) vulnerability. Allows attackers to disrupt services on the targeted firewall, potentially leading to a system crash or reboot, providing an opportunity for further exploitation.
  • CVE-2024-20359: Persistent local code execution vulnerability. Enables attackers to execute arbitrary code with root-level privileges, giving them complete control over the compromised device. This allows for the installation of backdoors, exfiltration of sensitive data, and further exploitation of the network.

Why is it noteworthy?

The campaign leverages two zero-day vulnerabilities, indicating a high level of sophistication and suggesting the involvement of a well-resourced threat actor, likely state-sponsored. The attacks focus on network perimeter devices crucial for data transfer and security, highlights the potential for widespread impact, and underscores the importance of promptly patching and securing these devices. The use of custom malware and advanced techniques like memory-resident implants and evasion tactics further emphasize the severity and the need for heightened vigilance.

What is the exposure or risk?

The vulnerabilities exploited in the ArcaneDoor campaign affect ASA and FTD firewalls which are critical components in network security. If leveraged, these vulnerabilities could allow attackers to gain unauthorized access to sensitive network configurations, intercept and modify network traffic, and execute arbitrary code with elevated privileges. This could lead to further compromise of internal networks, data theft, and disruption of critical services. Organizations using affected Cisco devices are at high risk of damage due to the potential for extensive network compromise and data exfiltration.

What are the recommendations?

Barracuda MSP recommends the following actions to protect your firewall appliances against this threat:

  • Apply the security patches provided by Cisco to fix the CVE-2024-20353 and CVE-2024-20359 vulnerabilities.
  • Enable strong, multi-factor authentication (MFA) on all network devices, including Cisco ASA and FTD firewalls.
  • Monitor system logs for any signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity.
  • Regularly update hardware and software to the latest versions.


For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.

Share This:
Anika Jishan

Posted by Anika Jishan

Anika is a Cybersecurity Analyst at Barracuda MSP. She's a security expert, working on our Blue Team within our Security Operations Center. Anika supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.

Leave a reply

Your email address will not be published. Required fields are marked *