Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms entered 2024 carrying roughly a decade of accreted exposure, and the year so far has not been kind to either. As of end-August 2024, six vulnerabilities meet the working definition of "zero-day" used here: exploitation was observed in the wild before the fix was generally available, or in-the-wild exploitation was credibly reported within 72 hours of disclosure. Bugs are counted from the date exploitation was first observed, not from the advisory date, which is why one entry below carries an October advisory. Two are attributable to the ArcaneDoor campaign that Cisco Talos published on April 24, 2024. The remainder are a mix of UNC-ARCD cluster activity and opportunistic exploitation of CVE-2024-20353 once its patch and advisory were public. This post frames what we are actually seeing, how the trend compares to 2022 and 2023, and what changes in the controls buyers should be asking for.
How many zero-days has Cisco ASA/FTD had in 2024?
Six, against three by end-August 2023 and two by end-August 2022. The 2024 set: CVE-2024-20353 (remote DoS, CVSS 8.6); CVE-2024-20359 (persistent local code execution, CVSS 6.0); CVE-2024-20358 (command injection in the restore feature, CVSS 6.0; fixed in the same advisory set, although Cisco reported no observed exploitation of it); CVE-2024-20481 (remote denial of service against the AnyConnect/RAVPN service, CVSS 5.8, disclosed on October 23 but under exploitation since August); and two lower-severity authentication-bypass chain components disclosed together in July. Talos attributed CVE-2024-20353 and CVE-2024-20359 explicitly to ArcaneDoor, which it tracks as UAT4356, a state-sponsored actor with a suspected Chinese nexus.
What is ArcaneDoor and why does it matter?
ArcaneDoor is a state-aligned campaign that chained two zero-days to plant two bespoke implants, Line Dancer and Line Runner, on perimeter ASA appliances at government and telecom targets between November 2023 and January 2024. Line Dancer is a memory-resident shellcode interpreter that lives only until the next reboot; Line Runner survives reboots by abusing a legacy pre-loading capability in which the ASA, at boot, unpacks a zip file placed on disk0: and executes the Lua scripts inside it (the weakness Cisco fixed as CVE-2024-20359). The campaign matters because it demonstrates that perimeter appliances, not endpoints, are the current high-value target for state actors: they sit at the edge, they are trusted to terminate VPNs, they rarely run EDR, and they are often patched on a quarterly cadence because of change-control policy.
What is the patch-to-exploit gap looking like?
Compressed, and compressing further. CVE-2024-20353 had a public PoC within 96 hours of the April 24 advisory and mass opportunistic scanning within seven days. CVE-2024-20481 showed in-the-wild brute-force against exposed AnyConnect interfaces starting 48 hours after Cisco's advisory on October 23. This is the pattern you would expect once a platform enters "interesting target" status with commodity actors: the state campaign establishes credibility, the bug-bounty and PoC ecosystem catches up, and the window in which a vulnerable appliance is safe shrinks from weeks to days.
Is it really an ASA problem, or a general appliance problem?
General. The 2024 year-to-date count for Ivanti Connect Secure is structurally identical, with CVE-2023-46805 (authentication bypass) chained with CVE-2024-21887 (command injection) in campaign activity from January onward. Palo Alto PAN-OS has CVE-2024-3400. Fortinet FortiGate has CVE-2024-21762 and CVE-2024-23113. The common factor is the architecture: a privileged userspace process terminating untrusted SSL on a device whose firmware ships on a 12-to-18-month cadence and whose customers patch on a 30-to-90-day cadence. That is a structural mismatch that no amount of reactive patching fixes.
What are the useful controls?
Four, in rough order of impact:
- Reduce internet-exposed management. Cisco's own April 24 advisory asked customers to check whether `http server enable` or WebVPN was reachable from the internet; a depressing fraction of the exploited hosts in ArcaneDoor data had both.
- Enable device-image integrity verification. On ASA, the `verify` and `show software authenticity` commands both need to be run against a known-good baseline, not just at boot.
- Monitor configuration and filesystem drift out-of-band. Line Runner persists as a zip file on disk0:, not as a change to the configuration, so a running-versus-startup config diff alone will miss it; an off-device diff of the config together with a `dir disk0:` listing, archived from a known-good state, catches that class of persistence.
- Treat appliance firmware as a supply chain artifact. Capture SBOMs for the firmware, track component CVEs, and apply the same TPRM scrutiny to network vendors that you apply to SaaS.
# Baseline check on ASA: run monthly, archive output, diff against the previous run
show software authenticity running
show software authenticity file disk0:/anyconnect-image.xxx
verify /md5 disk0:/asa9-20-3-lfbff-k8.SPA
# Cisco's ArcaneDoor guidance: a second executable (r-xp) region for lina, particularly one of exactly 0x1000 bytes, indicates in-memory tampering
show memory region | include lina
# Line Runner persists as a zip file on disk0:, so archive and diff the directory listing too
dir disk0:
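The off-device drift check the list above calls for, as an added example rather than code from the original post, from Cisco or from Safeguard. It takes the text of `dir disk0:`, `show software authenticity running` and `show running-config` as captured over SSH and compares each against an archived baseline, flagging new files on disk0: (including names matching the zip-on-disk0: mechanism Talos described for Line Runner), changed signer fields, and added or removed configuration lines. It goes one step past the text by also flagging `http` and `ssh` access lines that admit any source address, which is the exposure the April 24 advisory asked customers to look for. All sample captures are constructed and only approximate real ASA output, so the line regexes and the `client_bundle*.zip` filename pattern are assumptions to adjust against your own baselines.

```python
"""Off-device drift check for archived Cisco ASA CLI captures (added example)."""
import re

# Constructed sample captures; layout approximates ASA output (assumption).
BASELINE_DIR = """\
Directory of disk0:/

  12  -rwx  123456789  09:00:00 Jan 10 2024  asa9-20-3-lfbff-k8.SPA
  13  -rwx   45678901  09:00:00 Jan 10 2024  asdm-7201.bin
"""
CURRENT_DIR = (BASELINE_DIR +
               "  15  -rwx       3172  02:41:13 Apr 19 2024  client_bundle_install.zip\n")

BASELINE_AUTH = """\
File Name                     : disk0:/asa9-20-3-lfbff-k8.SPA
Image type                    : Release
    Signer Information
        Common Name           : abraxas
        Organization Unit     : NCS_Kenton_ASA
        Organization Name     : CiscoSystems
    Certificate Serial Number : 5E2F3C1A
    Hash Algorithm            : SHA2 512
    Signature Algorithm       : 2048-bit RSA
    Key Version               : A
"""
CURRENT_AUTH = BASELINE_AUTH.replace("Release", "Development")

BASELINE_CFG = """\
: Saved
: Serial Number: JMX1234ABCD
ASA Version 9.20(3)
hostname edge-asa-1
http server enable
http 10.0.0.0 255.255.255.0 management
webvpn
 enable outside
Cryptochecksum:0123456789abcdef
: end
"""
CURRENT_CFG = BASELINE_CFG.replace("webvpn\n", "http 0.0.0.0 0.0.0.0 outside\nwebvpn\n")

# Talos described Line Runner as a zip on disk0: that the ASA unpacks at boot;
# the exact filename pattern below is an assumption, tune it to your baseline.
SUSPICIOUS_FILE = re.compile(r"^client_bundle.*\.zip$", re.IGNORECASE)
DIR_LINE = re.compile(r"^\s*\d+\s+(\S{4})\s+(\d+)\s+.*?\s+(\S+)\s*$")
VOLATILE = re.compile(r"^(:|Cryptochecksum:)")  # changes on every config save


def parse_dir(text):
    """Map filename -> (permission bits, size) from `dir disk0:` output."""
    files = {}
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            perms, size, name = m.groups()
            files[name] = (perms, int(size))
    return files


def dir_drift(baseline_text, current_text):
    """Files added, removed or resized since the baseline, plus pattern hits."""
    base, cur = parse_dir(baseline_text), parse_dir(current_text)
    return {"added": sorted(set(cur) - set(base)),
            "removed": sorted(set(base) - set(cur)),
            "changed": sorted(n for n in set(base) & set(cur) if base[n] != cur[n]),
            "suspicious": sorted(n for n in cur if SUSPICIOUS_FILE.match(n))}


def parse_kv(text):
    """'Key : Value' lines of `show software authenticity running` -> dict."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def auth_drift(baseline_text, current_text):
    """Image/signer fields whose value no longer matches the archived baseline."""
    base, cur = parse_kv(baseline_text), parse_kv(current_text)
    return {k: (base.get(k), cur.get(k))
            for k in set(base) | set(cur) if base.get(k) != cur.get(k)}


def config_drift(baseline_text, current_text):
    """Added and removed config lines, ignoring checksum and comment lines."""
    def lines(text):
        return {ln.rstrip() for ln in text.splitlines() if not VOLATILE.match(ln)}
    base, cur = lines(baseline_text), lines(current_text)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def exposed_management(config_text):
    """`http`/`ssh` access lines that admit any source address (0.0.0.0 host or mask)."""
    hits = []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) == 4 and tok[0] in ("http", "ssh") and "0.0.0.0" in tok[1:3]:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    print("disk0 drift:", dir_drift(BASELINE_DIR, CURRENT_DIR))
    print("image/signer drift:", auth_drift(BASELINE_AUTH, CURRENT_AUTH))
    print("config drift:", config_drift(BASELINE_CFG, CURRENT_CFG))
    print("any-source management:", exposed_management(CURRENT_CFG))
```

Run against the constructed samples it reports the new `client_bundle_install.zip` on disk0:, an image type that changed from Release to Development, and a newly added `http 0.0.0.0 0.0.0.0 outside` line. The point of keeping the baseline and the comparison off the device is that an implant with root on the appliance can lie to any check that runs on it; it cannot rewrite the copy you archived last month.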
How should the disclosure cadence change?
Cisco moved in the right direction by bundling ArcaneDoor advisories with named attribution and named implants on April 24, which is better than the platform's historical "security notice" style. But the 2024 cluster still has two advisories where customer-facing language lags the underlying PSIRT ticket by weeks; compressing that lag matters because the patch window is now shorter than the disclosure window.
How Safeguard Helps
Safeguard pulls Cisco PSIRT, CISA KEV, and public PoC feeds into a single appliance-exposure view keyed to your TPRM inventory, so a new ASA or Firepower CVE lands against the specific appliance models you operate, the firmware SBOMs you have ingested, and the services that depend on them. Reachability analysis tells you which of your applications terminate behind the affected VPN, which is how you answer "is this a drop-everything patch?" in minutes. Griffin AI reads the PSIRT advisory and generates a ranked remediation plan that accounts for your change-control calendar and the current public PoC maturity. Policy gates can require fresh integrity-verification output on each appliance before a deploy is cleared, turning monthly attestation into a gate rather than a report.