Image by Denny Bú, from Unsplash
NCSC Issues Urgent Warning On Malware Targeting Cisco Devices
Reading time: 2 min
Last Updated: Sep 26, 2025
-
![Kiara Fabbri]()
-
![Sarah Frazier]()
Fact-Checked by Sarah Frazier Content Manager
The National Cyber Security Centre (NCSC) of the UK has released a new alert about an ongoing malware attack, which targets specific Cisco devices, urging organizations to take immediate protective measures.
In a rush? Here are the quick facts:
- Attackers exploited new flaws to implant malware, execute commands, and steal data.
- Cisco detection guide highlights suppressed system logs and disabled memory checks.
- Attackers use stolen credentials, creating “impossible travel” login scenarios.
In a new update, Cisco confirmed that the same threat actor behind last year’s ArcaneDoor campaign is now exploiting new flaws in Cisco Adaptive Security Appliance (ASA) 5500-X Series devices.
The networking tools of Cisco include routers, switches, and firewalls which direct and protect internet traffic. They’re widely used by companies and governments to connect systems, enable remote access, and safeguard sensitive data.
Attackers have managed to place malware into systems while performing commands and obtaining sensitive data from compromised systems.
The NCSC has published detailed analysis of two new malware strains, named RayInitiator and LINE VIPER, which represent a more advanced evolution of malware seen in the earlier campaign. NCSC says that organisations need to check their systems right away according to Cisco remediation guidance.
Ollie Whitehouse, NCSC’s Chief Technology Officer, said: “It is critical for organisations to take note of the recommended actions highlighted by Cisco today, particularly on detection and remediation. We strongly encourage network defenders to follow vendor best practices and engage with the NCSC’s malware analysis report to assist with their investigations.”
End-of-life technology presents a significant risk for organisations. Systems and devices should be promptly migrated to modern versions to address vulnerabilities and strengthen resilience,” Whitehouse concluded.
Cisco has also issued a detailed detection guide for network defenders. It explains how attackers may try to hide their activity, including suppressing system logs, disabling memory checks, and using stolen credentials to create “impossible travel” scenarios, where the same user logs in from distant locations in an unrealistic timeframe.
Only certain Cisco ASA 5500-X models running specific software versions with VPN services enabled have been confirmed as compromised. Cisco and the NCSC recommend users to update their devices, check their logs and replace all unsupported equipment as it creates a growing security threat.
Previous Story
Latest articles 
