Cisco Security Advisory
Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense
-
On April 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an update to V1: Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices related to Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) products.
According to the update, the ArcaneDoor threat actor has developed a previously unknown persistence mechanism that survives an upgrade to the fixed releases that were published in September 2025. This persistence mechanism resides in the Cisco Firepower eXtensible Operating System (FXOS) Software base operating system for Cisco Secure Firewall ASA Software and Cisco Secure FTD Software installations on the affected hardware platforms.
Note: According to the intelligence Cisco PSIRT has received to date, the initial compromise begins with the attacker exploiting the following vulnerabilities before customers upgraded to the fixed releases that were made available in September 2025:
- CVE-2025-20333: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability
- CVE-2025-20362: Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability
For more information about the fixed releases that were made available in September 2025, see Cisco Event Response: Continued Attacks Against Cisco Firewalls.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-CISAED25-03
-
The following Cisco Secure Firewall ASA and Cisco Secure FTD platforms are affected by this issue, regardless of the device configuration:
- Firepower 1000 Series
- Firepower 2100 Series
- Firepower 4100 Series
- Firepower 9300 Series
- Secure Firewall 1200 Series
- Secure Firewall 3100 Series
- Secure Firewall 4200 Series
The following Cisco Secure Firewall ASA and Cisco Secure FTD platforms are not affected by this issue:
- ASA 5500-X Series
- Secure Firewall 200 Series [1]
- Secure Firewall 6100 Series [1]
- Secure Firewall ASA Virtual
- Secure Firewall ISA3000
- Secure Firewall Threat Defense Virtual
1. Cisco Secure Firewall 200 and 6100 Series are only supported by Cisco Secure FTD Software releases 10.0.0 and later. The 10.0.0 software releases include the fixes for the vulnerabilities disclosed in September 2025.
-
For additional details, see the Cisco Talos blog UAT-4356's Targeting of Cisco Firepower Devices.
Indicators of Compromise
The newly discovered persistent implant is known to start a malicious process called lina_cs. To check for the presence of this process, use the command show kernel process | include lina_cs on the device. If the command returns any output, as shown in the following examples, the device is considered compromised:
Cisco Secure Firewall ASA
    asa# show kernel process | include lina_cs
    68081 29428 20 0 249856 100 1 S 3 0 0 lina_cs
Cisco Secure FTD
    > show kernel process | include lina_cs
    68081 29428 20 0 249856 100 1 S 3 0 0 lina_cs
Note: The lina_cs process name could change, depending on the specific design of the implant, so the indicators of compromise (IOC) in this section may not conclusively identify the persistent implant.
Detecting a False Positive
In some cases, Cisco has observed the legitimate lina_cs process getting stuck on a device that is running Cisco Secure Firewall ASA Software, causing it to be reported permanently in the output of the show kernel process | include lina_cs command. To confirm that an observed lina_cs process is not this false positive, perform the following steps:
Step 1. Run the show kernel process | include lina_cs command to confirm whether the lina_cs process is running. If it is, continue to Step 2.
Step 2. Run the verify command against an ASDM image located on disk0:. An ASDM image must be used with the verify command.
    ciscoasa# verify disk0:/asdm.bin
    Verifying file integrity of disk0:/asdm.bin
    ...
    Signature Verified
Step 3. Run the show kernel process | include lina_cs command again to confirm whether the lina_cs process is still running. A lina_cs process that is still present after the verify completes is not explained by this false positive and should be treated as an indicator of compromise.
For information about mitigations, see the Workarounds section of this advisory.
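The check and the three-step false-positive procedure above are easy to get wrong when run by hand across a fleet, so here is an added example (not Cisco tooling) that parses captured show kernel process output and applies the procedure. It assumes the CLI output has already been captured to text, for instance by an SSH automation job run against each device in the affected-platform list, and that, as in the advisory's sample lines, the first field of a process line is the PID and the last field is the command name. The interpretation of Step 3 (a lina_cs that disappears after the verify run was the stuck legitimate process; one that persists is treated as the implant) is an assumption of this example, and the snapshots at the bottom are constructed.

```python
"""Triage 'show kernel process' output for the lina_cs indicator.

Added example; not Cisco tooling. Assumes captured CLI text where each
process line starts with a PID and ends with the command name.
"""
import re

# The name the advisory documents. The advisory warns the name may change
# with the implant's design, so this is a list that can be extended; each
# pattern is matched as a substring, like the CLI's '| include' filter.
INDICATOR_PATTERNS = [re.compile(r"lina_cs")]


def parse_kernel_process(output: str) -> list[dict]:
    """Return [{'pid': int, 'cmd': str}, ...] for each process line.

    Prompt lines ('asa#', '>') and anything not starting with a PID are skipped.
    """
    procs = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        procs.append({"pid": int(fields[0]), "cmd": fields[-1]})
    return procs


def find_indicator(output: str) -> list[dict]:
    """Processes whose command name matches any indicator pattern."""
    return [p for p in parse_kernel_process(output)
            if any(pat.search(p["cmd"]) for pat in INDICATOR_PATTERNS)]


def triage(step1_output: str, step3_output: str) -> str:
    """Apply the advisory's false-positive procedure to two snapshots.

    step1_output: 'show kernel process | include lina_cs' before 'verify'
    step3_output: the same command after 'verify disk0:/<asdm image>'
    Returns 'no_indicator', 'false_positive' or 'compromised'.

    Assumed interpretation: a lina_cs that is gone after the verify run was
    the stuck legitimate process; one still present is treated as the
    implant. 'no_indicator' is not proof the device is clean, because the
    advisory says the process name may change.
    """
    if not find_indicator(step1_output):
        return "no_indicator"
    if not find_indicator(step3_output):
        return "false_positive"
    return "compromised"


# Constructed snapshots modelled on the advisory's sample output.
SNAPSHOT_NO_HIT = "asa# show kernel process | include lina_cs\nasa#\n"
SNAPSHOT_HIT = (
    "asa# show kernel process | include lina_cs\n"
    "68081 29428 20 0 249856 100 1 S 3 0 0 lina_cs\n"
    "asa#\n"
)

if __name__ == "__main__":
    for before, after in [(SNAPSHOT_NO_HIT, SNAPSHOT_NO_HIT),
                          (SNAPSHOT_HIT, SNAPSHOT_NO_HIT),
                          (SNAPSHOT_HIT, SNAPSHOT_HIT)]:
        print(triage(before, after))
```

Because a false positive is only documented for ASA Software, an FTD device whose output shows lina_cs should be treated as compromised without relying on the verify step; and a device in the affected-platform list that has ever exposed the VPN web server while unpatched deserves the full check even when the result is no_indicator.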
Workarounds
To fully remove the persistence mechanism, Cisco strongly recommends reimaging and upgrading the device using the fixed releases that are listed in the Fixed Software section of this advisory. For more information, see the reimaging documentation for the specific product:
- Cisco Secure Firewall ASA and Threat Defense Reimage Guide
- Perform a Complete Reimage for FXOS in Firepower 4100 and 9300 Series
- Reimage a Secure FTD for 1000, 2100, and 3100 Series
Cisco recommends reimaging and upgrading to a fixed release that is listed in the Fixed Software section of this advisory.
In cases of confirmed compromise on any Cisco Secure ASA or FTD platforms, all configuration elements of the device should be considered untrusted. Cisco recommends that all configurations - especially local passwords, certificates, and keys - be reconfigured and that all certificates and keys are regenerated.
Alternative Mitigation (not recommended): The following action can mitigate this issue until reimaging can be performed:
A cold restart will remove the malicious persistent implant. The shutdown, reboot, and reload CLI commands will not clear the implant; the power cord must be pulled out of the device and plugged back in.
Important: Disconnecting device power can risk database or disk corruption, and devices might not boot or run as expected. For this reason, Cisco strongly recommends reimaging the device instead if a compromise is suspected.
Fixed Software
In the following tables, the left column lists Cisco software trains. The right column indicates the first fixed release for each software train.
If a device is confirmed compromised, as outlined in the Indicators of Compromise section of this advisory, the device should be reimaged and upgraded using one of the following fixed releases.
Secure Firewall ASA Software
Cisco Secure Firewall ASA Software Code Train | First Fixed Release
9.16 | 9.16.4.92
9.18 | 9.18.4.135
9.20 | 9.20.4.30
9.22 | 9.22.3.5
9.23 | 9.23.1.32 [1]
9.24 | 9.24.1.11 [1]
1. Cisco Secure Firewall ASA Engineer Specials 9.23.1.195 and 9.24.1.155 also contain these fixes.
Secure FTD Software
Cisco Secure FTD Software Code Train | First Fixed Release
7.0 | 7.0.9 followed by Hotfix FZ-7.0.9.1-3:
      Cisco_FTD_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
      Cisco_FTD_SSP_FP1K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
      Cisco_FTD_SSP_FP2K_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
      Cisco_FTD_SSP_Hotfix_FZ-7.0.9.1-3.sh.REL.tar
7.2 | 7.2.11 followed by Hotfix HI-7.2.11.1-1:
      Cisco_FTD_Hotfix_HI-7.2.11.1-1.sh.REL.tar
      Cisco_FTD_SSP_FP1K_Hotfix_HI-7.2.11.1-1.sh.REL.tar
      Cisco_FTD_SSP_FP2K_Hotfix_HI-7.2.11.1-1.sh.REL.tar
      Cisco_FTD_SSP_FP3K_Hotfix_HI-7.2.11.1-1.sh.REL.tar
      Cisco_FTD_SSP_Hotfix_HI-7.2.11.1-1.sh.REL.tar
7.4 | 7.4.7
7.6 | 7.6.4 followed by Hotfix CC-7.6.4.1-1:
      Cisco_FTD_Hotfix_CC-7.6.4.1-1.sh.REL.tar
      Cisco_FTD_SSP_FP1K_Hotfix_CC-7.6.4.1-1.sh.REL.tar
      Cisco_FTD_SSP_FP3K_Hotfix_CC-7.6.4.1-1.sh.REL.tar
      Cisco_FTD_SSP_Hotfix_CC-7.6.4.1-1.sh.REL.tar
      Cisco_Secure_FW_TD_4200_Hotfix_CC-7.6.4.1-1.sh.REL.tar
7.7 | 7.7.11 followed by Hotfix AE-7.7.11.1-4:
      Cisco_FTD_Hotfix_AE-7.7.11.1-4.sh.REL.tar
      Cisco_FTD_SSP_FP1K_Hotfix_AE-7.7.11.1-4.sh.REL.tar
      Cisco_FTD_SSP_FP3K_Hotfix_AE-7.7.11.1-4.sh.REL.tar
      Cisco_FTD_SSP_Hotfix_AE-7.7.11.1-4.sh.REL.tar
      Cisco_Secure_FW_TD_4200_Hotfix_AE-7.7.11.1-4.sh.REL.tar
10.0 | 10.0.0 followed by Hotfix I-10.0.0.1-4:
      Cisco_FTD_Hotfix_I-10.0.0.1-4.sh.REL.tar
      Cisco_FTD_SSP_FP1K_Hotfix_I-10.0.0.1-4.sh.REL.tar
      Cisco_FTD_SSP_FP3K_Hotfix_I-10.0.0.1-4.sh.REL.tar
      Cisco_FTD_SSP_Hotfix_I-10.0.0.1-4.sh.REL.tar
      Cisco_Secure_FW_TD_4200_Hotfix_I-10.0.0.1-4.sh.REL.tar
For details about downloading and installing these hotfixes, see Cisco Secure Firewall Threat Defense/Firepower Hotfix Release Notes.
Firepower 4100 and 9300 Security Appliance
Cisco Firepower 4100 and 9300 Security Appliance FXOS Code Train | First Fixed Release
2.10 | 2.10.1.383
2.12 | 2.12.1.117
2.14 | 2.14.3.125
2.16 | 2.16.2.119
2.17 | 2.17.0.549
2.18 | 2.18.0.535
Note: For Cisco Firepower 4100 and 9300 Security Appliances, information about downloading Cisco FXOS code trains is available in Cisco Firepower 4100/9300 FXOS Compatibility.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
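Reading a running release against these tables is where fleet reviews usually slip (train mismatch, a hotfix forgotten on FTD, ASA's 9.20(4)30 print format versus the dotted form used here). The following is an added example, not a Cisco tool, that encodes the tables above and answers "is this release at or past the first fixed release for its train?". The 9.23 and 9.24 ASA entries are taken as 9.23.1.32 and 9.24.1.11 with footnote 1; the assumption that a hotfix listed for an FTD train is still required on releases later than the base release is a conservative choice of this example, not a statement from the advisory; the input version strings are constructed.

```python
"""Compare a running release against this advisory's first fixed releases.

Added example; not a Cisco tool. Tables transcribed from the advisory;
trains the advisory does not list are reported as unlisted rather than
guessed at, since PSIRT validates only the listed releases.
"""
import re

ASA_FIRST_FIXED = {
    "9.16": "9.16.4.92", "9.18": "9.18.4.135", "9.20": "9.20.4.30",
    "9.22": "9.22.3.5", "9.23": "9.23.1.32", "9.24": "9.24.1.11",
}
# Engineer specials the advisory states also contain the fixes.
ASA_ENGINEER_SPECIALS = {"9.23.1.195", "9.24.1.155"}

# Firepower 4100 / 9300 FXOS
FXOS_FIRST_FIXED = {
    "2.10": "2.10.1.383", "2.12": "2.12.1.117", "2.14": "2.14.3.125",
    "2.16": "2.16.2.119", "2.17": "2.17.0.549", "2.18": "2.18.0.535",
}

# FTD: (first fixed base release, hotfix the advisory says must follow it)
FTD_FIRST_FIXED = {
    "7.0": ("7.0.9", "FZ-7.0.9.1-3"), "7.2": ("7.2.11", "HI-7.2.11.1-1"),
    "7.4": ("7.4.7", None), "7.6": ("7.6.4", "CC-7.6.4.1-1"),
    "7.7": ("7.7.11", "AE-7.7.11.1-4"), "10.0": ("10.0.0", "I-10.0.0.1-4"),
}


def normalize(version: str) -> str:
    """'9.20(4)30' as printed by ASA 'show version' -> '9.20.4.30'."""
    return re.sub(r"[()]", ".", version.strip()).strip(".")


def vtuple(version: str) -> tuple:
    """Integer tuple for ordering within a train: '9.20.4.30' -> (9, 20, 4, 30)."""
    return tuple(int(x) for x in normalize(version).split("."))


def train(version: str) -> str:
    """Code train is the first two components: '10.0.0' -> '10.0'."""
    return ".".join(normalize(version).split(".")[:2])


def check(table: dict, running: str) -> tuple:
    """(status, detail); status in {'fixed', 'vulnerable', 'unlisted_train'}."""
    t = train(running)
    if t not in table:
        return "unlisted_train", f"train {t} is not in this advisory's table"
    first_fixed = table[t]
    if vtuple(running) >= vtuple(first_fixed):
        return "fixed", f"{normalize(running)} >= {first_fixed}"
    return "vulnerable", f"first fixed release for train {t} is {first_fixed}"


def check_asa(running: str) -> tuple:
    if normalize(running) in ASA_ENGINEER_SPECIALS:
        return "fixed", "engineer special listed in the advisory"
    return check(ASA_FIRST_FIXED, running)


def check_fxos(running: str) -> tuple:
    return check(FXOS_FIRST_FIXED, running)


def check_ftd(running: str, hotfixes_installed=()) -> tuple:
    """FTD needs the base release and, on most trains, a hotfix on top.

    Assumption (conservative): the hotfix is required whenever the train lists
    one and it is not reported as installed, even past the base release.
    """
    t = train(running)
    if t not in FTD_FIRST_FIXED:
        return "unlisted_train", f"train {t} is not in this advisory's table"
    base, hotfix = FTD_FIRST_FIXED[t]
    if vtuple(running) < vtuple(base):
        return "vulnerable", f"upgrade to {base}" + (
            f" then apply hotfix {hotfix}" if hotfix else "")
    if hotfix and hotfix not in hotfixes_installed:
        return "hotfix_required", f"apply hotfix {hotfix} on top of {base}"
    return "fixed", f"{normalize(running)} >= {base}" + (
        f" with hotfix {hotfix}" if hotfix else "")


if __name__ == "__main__":
    # Constructed inputs, not observed devices.
    print(check_asa("9.20(4)29"), check_asa("9.23.1.195"))
    print(check_fxos("2.14.3.124"), check_ftd("7.2.11"))
```

A fixed result from this check only says the software is at a fixed release; per the advisory, a device that was compromised before the upgrade can still carry the FXOS-resident implant, so the Indicators of Compromise check and, on confirmed compromise, a reimage are still required.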
-
The Cisco PSIRT is aware of active exploitation of this issue.
-
Cisco would like to thank the U.S. Cybersecurity and Infrastructure Security Agency (CISA) for its collaboration during this investigation.
Revision History
Version | Description | Section | Status | Date
1.3 | Updated the Fixed Release table for Cisco Secure ASA and FTD. | Fixed Releases | Final | 2026-MAY-19
1.2 | Added information about detecting a false positive compromise. Updated the Secure Firewall ASA Fixed Software table. | Indicators of Compromise and Fixed Software | Final | 2026-APR-30
1.1 | Simplified indicators of compromise and added information regarding workarounds. | Indicators of Compromise and Workarounds | Final | 2026-APR-24
1.0 | Initial public release. | - | Final | 2026-APR-23
-
SOFTWARE DOWNLOADS AND TECHNICAL SUPPORT
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. Please note that customers may download only software that was procured from Cisco directly or through a Cisco authorized reseller or partner and for which the license is still valid.
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC). Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
When considering software upgrades, customers are advised to regularly consult the advisories for the relevant Cisco products to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
LEGAL DISCLAIMER DETAILS
CISCO DOES NOT MAKE ANY EXPRESS OR IMPLIED GUARANTEES OR WARRANTIES OF ANY KIND, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. WITHOUT LIMITING THE GENERALITY OF THE FOREGOING, CISCO DOES NOT GUARANTEE THE ACCURACY OR COMPLETENESS OF THIS INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
Copies or summaries of the information contained in this Security Advisory may lack important information or contain factual errors. Customers are advised to visit the Cisco Security Advisories page for the most recent version of this Security Advisory. The Cisco Product Security Incident Response Team (PSIRT) assesses only the affected and fixed release information that is documented in this advisory. See the Cisco Security Vulnerability Policy for more information.