CVE-2024-20353 & CVE-2024-20359: ArcaneDoor, State-Sponsored Cisco ASA Zero-Days
How a suspected Chinese nation-state actor (UAT4356 / STORM-1849) chained two Cisco ASA zero-days to plant persistent backdoors on government and critical infrastructure VPN gateways worldwide, with no vendor patch available for weeks

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2024-20353 and CVE-2024-20359 are two zero-day vulnerabilities in Cisco ASA and FTD that were exploited by a suspected Chinese state-sponsored threat actor (UAT4356 / STORM-1849) in a campaign Cisco Talos named ArcaneDoor. The campaign targeted perimeter network devices at government and critical infrastructure organizations worldwide, planting two custom implants, Line Dancer and Line Runner, that provided persistent covert access to the compromised devices. First exploitation was observed in November 2023, five months before Cisco's April 2024 disclosure.
The Two Vulnerabilities and Their Roles in ArcaneDoor
CVE-2024-20353, Web Services DoS and Memory Corruption (CVSS 8.6): A vulnerability in the web services interface of Cisco ASA and FTD allows an unauthenticated remote attacker to cause the device to reload (denial of service) or, in the exploitation context, trigger a memory corruption condition that provides initial code execution on the device. The web management interface exposure is the entry point.
CVE-2024-20359, Persistent Code Execution via Shared Memory (CVSS 6.0 authenticated): A vulnerability in the mechanism Cisco ASA uses for pre-shared memory and persistent device storage allows an authenticated attacker to execute arbitrary code with root privileges. Critically, the Line Runner implant leveraged this flaw to survive device reboots and firmware upgrades by embedding in the persistent shared memory region, making remediation more complex than simply rebooting or reimaging.
Line Dancer and Line Runner: The Implant Architecture
The sophistication of ArcaneDoor lies not just in the zero-days but in the custom implants deployed afterward:
Line Dancer: An in-memory shellcode loader operating entirely within Cisco ASA's memory space. It intercepts specific crafted HTTPS POST requests sent by the attacker, extracts embedded shellcode payloads, executes them in memory, and returns results, all without writing any files to disk. This design evades file-integrity checking, forensic disk analysis, and most endpoint security tools. Line Dancer capabilities included: executing OS commands, exfiltrating VPN session data and credentials, and pivoting deeper into connected networks.
Line Runner: A Lua-based backdoor that exploited CVE-2024-20359 to embed itself in the ASA's persistent shared memory. Line Runner was designed to survive the standard incident response actions of rebooting and firmware updates, an unusual degree of persistence engineering that indicates a sophisticated actor with detailed knowledge of Cisco ASA's internal architecture.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Attack Chain
The ArcaneDoor campaign attack sequence:
Initial Access via CVE-2024-20353
Unauthenticated attacker sends crafted request to exposed Cisco ASA web management or SSL VPN interface. CVE-2024-20353 triggers memory corruption providing initial code execution on the perimeter device.
Line Dancer Implant Deployed
In-memory shellcode loader is installed within the ASA's running memory. No files written to disk. Line Dancer establishes covert C2 channel via crafted HTTPS POST requests.
Persistent Backdoor via CVE-2024-20359
Line Runner Lua backdoor is planted in ASA's persistent shared memory using CVE-2024-20359. This ensures the backdoor survives reboots and firmware upgrades, standard IR actions will not remove it.
VPN Credential Harvesting
Line Dancer intercepts VPN authentication traffic passing through the compromised perimeter device, harvesting credentials for all VPN users authenticating through the gateway.
Network Pivot and Espionage
Using harvested credentials and the ASA's privileged network position, actor pivots to internal targets, exfiltrates intelligence, and maintains persistent access for long-term espionage operations.
Scope and Targeting
Cisco Talos confirmed ArcaneDoor targeted government networks and critical infrastructure across multiple countries. The specific focus on perimeter network devices, rather than endpoint compromise, reflects a deliberate strategy:
- Perimeter devices process all inbound and outbound traffic, enabling passive collection without touching internal hosts
- Network appliances typically have less security monitoring than servers and workstations
- Compromise of a VPN gateway yields credentials for all VPN users
- Persistence on network appliances is harder to detect and evict
This targeting pattern aligns with previous campaigns attributed to Chinese state actors targeting network infrastructure (Volt Typhoon's LOTL techniques on routers, Salt Typhoon's compromise of telecoms).
Detection
Detection for ArcaneDoor requires device-level forensics beyond standard network monitoring:
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Remediation
Steps for ArcaneDoor remediation, standard reboot is insufficient:
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
ArcaneDoor is the clearest illustration yet of a sustained nation-state strategy targeting network perimeter devices as a preferred espionage platform, invisible to endpoint security, persistent across standard IR actions, and positioned to passively collect credentials and traffic from every connection they protect. The sophistication of Line Runner's firmware-upgrade-resistant persistence reflects deep investment in Cisco ASA internals by the threat actor. Organizations must treat perimeter network device security with the same rigor as Active Directory and endpoint infrastructure, these devices are not passive conduits, they are high-value targets.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What are CVE-2024-20353 and CVE-2024-20359?
CVE-2024-20353 is a denial-of-service vulnerability in Cisco ASA and FTD web services that can also lead to memory corruption exploitable for code execution. CVE-2024-20359 is a vulnerability in the persistent shared memory of Cisco ASA that allows a previously authenticated attacker to execute code with root privileges at boot time, enabling a persistent backdoor that survives reboots. Together they formed the ArcaneDoor exploit chain.
Who conducted the ArcaneDoor campaign?
Cisco Talos tracks the actor as UAT4356. Microsoft tracks the same cluster as STORM-1849. Both attribute the campaign to a suspected Chinese state-sponsored threat actor based on targeting patterns, tooling sophistication, and infrastructure characteristics, though no country attribution has been formally confirmed publicly.
What backdoors were installed in the ArcaneDoor campaign?
Two custom implants were deployed: Line Dancer, an in-memory shellcode loader that runs in the ASA's memory without touching disk (evading file-based detection), and Line Runner, a Lua-based backdoor that leverages CVE-2024-20359 to achieve persistence across reboots and software upgrades by embedding itself in the device's persistent shared memory.
How do I know if my Cisco ASA was compromised?
Cisco published a specific forensic tool and detection guidance. Key indicators include: unexpected output from 'show memory region' showing anomalous executable memory regions, unknown Lua scripts in the persistent memory, and network traffic anomalies consistent with the Line Dancer C2 protocol. Cisco's ArcaneDoor detection guidance should be followed precisely, as in-memory implants do not leave conventional file-system artifacts.
What is Line Dancer and why is it especially difficult to detect?
Line Dancer is an in-memory shellcode loader that operates entirely within the Cisco ASA device's running memory without writing any components to disk. It intercepts specific crafted HTTPS POST requests from the attacker's infrastructure, extracts shellcode payloads embedded in those requests, executes them in memory, and returns results, all without creating files that file-integrity monitoring or forensic disk analysis would detect. This design specifically evades the two most common network device security checks: file-integrity verification and post-incident disk imaging. Detection requires memory forensics using Cisco's published diagnostic commands to identify anomalous executable memory regions not associated with standard ASA processes.
How does ArcaneDoor fit into the broader pattern of Chinese APT targeting of network devices?
ArcaneDoor is part of a documented pattern of Chinese state-sponsored actors targeting network perimeter devices rather than endpoints as preferred espionage access points. Volt Typhoon (UNC3569) used living-off-the-land techniques on Cisco routers and FortiGate firewalls for persistent access to US critical infrastructure. Salt Typhoon (UNC2286) compromised major US telecommunications carriers by targeting network infrastructure for passive wiretapping. ArcaneDoor (UAT4356 / STORM-1849) targeted Cisco ASA VPN gateways at government and critical infrastructure using zero-days. The strategic logic is consistent: network devices sit in front of all traffic, are rarely monitored at the device level, and provide passive collection capability without touching any endpoint security product.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
