Mallory
Severity: Medium | CISA KEV | Exploited in the wild | Public exploit

Cisco ASA and FTD Persistent Local Code Execution Vulnerability

Identifiers: CVE-2024-20359, CWE-20

CVE-2024-20359 is a persistent local code execution vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The flaw affects a legacy capability used to preload VPN clients and plug-ins. It is caused by improper validation of a file read from system flash memory. Cisco and supporting reporting indicate that, at boot, affected ASA devices look on disk0: for a ZIP file matching the pattern ^client_bundle[%w_-]*%.zip$, automatically unzip it, and execute csco_config.lua from the bundle as part of the WebVPN plug-in/client bundle handling path. An authenticated local attacker with administrator privileges can exploit the issue by copying a crafted file to the disk0: filesystem of an affected device. On the next device reload, the malicious bundle is processed and attacker-controlled code is executed with root privileges. Reporting tied to ArcaneDoor further associates this behavior with the LINE RUNNER implant, which abused the mechanism for persistent Lua-based backdoor installation.


Analyst brief

Impact, mitigation & remediation

What it means, what to do now: patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution with root-level privileges on the affected device. Because execution is triggered during boot from attacker-supplied content stored on flash, the resulting compromise can persist across reboots and alter system behavior. In observed exploitation associated with ArcaneDoor, the vulnerability was used to install persistent malware on perimeter devices, enabling long-term footholds, espionage activity, configuration manipulation, traffic capture, data theft, and follow-on access.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by disabling WebVPN/clientless SSL VPN functionality where operationally feasible, especially on unsupported or internet-exposed devices, and by restricting administrative and local write access to the appliance and its disk0: filesystem. Monitor disk0: for files matching the client bundle naming pattern, for unexpected WebVPN customization artifacts, and for indicators associated with LINE RUNNER/LINE DANCER. Review Cisco Talos, Cisco PSIRT, and partner agency guidance for IOCs and forensic procedures. Cisco's guidance indicates, however, that the effective corrective action remains installing its security updates.
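The disk0: check above can be scripted. The following is an added example, not Mallory's or Cisco's code: it parses a constructed `dir disk0:` listing and reports every regular file whose name the boot-time loader would accept, translating the Lua pattern quoted in the description (`^client_bundle[%w_-]*%.zip$`) into a Python regex. The listing format (index, mode, size, time, date, name) is assumed from typical ASA `dir` output; the sample entries are constructed.

```python
import re

# Lua pattern from the advisory text: ^client_bundle[%w_-]*%.zip$
# Lua's %w matches alphanumerics, so this is the equivalent Python regex.
CLIENT_BUNDLE_RE = re.compile(r"^client_bundle[A-Za-z0-9_-]*\.zip$")

# Constructed sample of an ASA `dir disk0:` listing (not real device output).
SAMPLE_DIR_LISTING = """\
Directory of disk0:/

12   -rwx  123456789  10:00:00 Jan 01 2024  asa9-16-4-57-smp-k8.bin
13   -rwx  45678901   10:05:00 Jan 01 2024  asdm-7201.bin
14   drwx  4096       10:06:00 Jan 01 2024  coredumpinfo
15   -rwx  2048       03:12:00 Apr 02 2024  client_bundle_install.zip
16   -rwx  1024       03:12:00 Apr 02 2024  client_bundle.zip
17   -rwx  512        03:13:00 Apr 02 2024  client_bundle extra.zip
18   -rwx  999        09:00:00 Jan 01 2024  anyconnect-win-4.10.zip
"""


def parse_dir_listing(text):
    """Return [(filename, size)] for regular files in an ASA-style `dir` listing.

    Entry lines are: index, mode, size, time, month, day, year, name.
    Splitting with maxsplit=7 keeps names that contain spaces intact.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) != 8 or not parts[0].isdigit():
            continue  # header, blank line, or free-space summary
        _index, mode, size, _time, _mon, _day, _year, name = parts
        if mode.startswith("d"):
            continue  # a directory cannot be the bundle itself
        entries.append((name, int(size)))
    return entries


def find_client_bundles(text):
    """Return the names on disk0: that the boot-time loader would pick up."""
    return [name for name, _size in parse_dir_listing(text)
            if CLIENT_BUNDLE_RE.match(name)]


if __name__ == "__main__":
    hits = find_client_bundles(SAMPLE_DIR_LISTING)
    for name in hits:
        print(f"ALERT: disk0:/{name} matches the client_bundle pattern; "
              "verify its origin before the next reload")
    if not hits:
        print("no client_bundle*.zip files on disk0:")
```

Note that `client_bundle extra.zip` is deliberately not flagged: a space is outside `[%w_-]`, so the loader would ignore it too, whereas `client_bundle.zip` (empty suffix) is a match.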

Remediation

Patch, then assume compromise.

Apply Cisco's fixed software releases for affected ASA and FTD versions. Supporting content lists fixed ASA releases 9.12.4.67, 9.16.4.57, 9.18.4.22, 9.19.1.28, and 9.20.2.10, and fixed FTD releases 7.0.6.2, 7.2.6, and 7.4.1.1; earlier vulnerable releases require upgrading as appropriate. Cisco also published incident response and forensic guidance for ArcaneDoor-related activity; organizations should investigate affected devices for compromise indicators when patching and follow Cisco/Talos integrity-check guidance before returning devices to service.
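As an added example (not Mallory's or Cisco's code), the following triages an inventory of ASA and FTD version strings against the fixed releases listed above. It normalizes the `show version` style `9.16(4)57` into dotted form, compares within the device's major.minor train, and reports any train the page lists no fix for as "unlisted" rather than guessing; the inventory entries are constructed.

```python
import re

# Fixed releases exactly as listed on this page; trains absent here are
# reported as "unlisted" so the Cisco advisory is consulted, not guessed at.
FIXED_RELEASES = {
    "ASA": ("9.12.4.67", "9.16.4.57", "9.18.4.22", "9.19.1.28", "9.20.2.10"),
    "FTD": ("7.0.6.2", "7.2.6", "7.4.1.1"),
}

# ASA `show version` prints e.g. "9.16(4)57"; FTD prints dotted "7.2.5.1".
_ASA_PAREN = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$")


def normalize(version):
    """Turn '9.16(4)57' into '9.16.4.57'; pass dotted strings through."""
    m = _ASA_PAREN.match(version.strip())
    if m:
        return ".".join(g for g in m.groups() if g is not None)
    return version.strip()


def parse_version(version):
    return tuple(int(p) for p in normalize(version).split("."))


def assess(product, version):
    """Return (status, fixed): status is 'fixed', 'upgrade' or 'unlisted'.

    fixed is the page's fixed release for the device's major.minor train
    (e.g. 9.16 -> 9.16.4.57), or None when the page lists none for it.
    A shorter tuple such as (7, 2, 6) compares below (7, 2, 6, 1), so
    later rebuilds of a fixed release are correctly treated as fixed.
    """
    ver = parse_version(version)
    candidates = [parse_version(f) for f in FIXED_RELEASES[product]
                  if parse_version(f)[:2] == ver[:2]]
    if not candidates:
        return ("unlisted", None)
    fixed = min(candidates)
    status = "fixed" if ver >= fixed else "upgrade"
    return (status, ".".join(str(p) for p in fixed))


if __name__ == "__main__":
    # Constructed inventory: (hostname, product, version as reported).
    inventory = [("fw-edge-1", "ASA", "9.16(4)48"), ("fw-edge-2", "ASA", "9.16(4)57"),
                 ("fw-dc-1", "FTD", "7.2.5.1"), ("fw-lab", "ASA", "9.14(4)")]
    for host, product, version in inventory:
        status, fixed = assess(product, version)
        print(f"{host:10} {product} {normalize(version):12} -> {status} "
              f"(fixed release: {fixed or 'none listed for this train'})")
```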
Public exploits


No public exploit code observed for this vulnerability.

Exposure surface

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor          Product                               Type
Cisco Systems   Adaptive Security Appliance Software  operating_system
Cisco Systems   Asa                                   application
Cisco Systems   Firepower Threat Defense              application
Cisco Systems   Firepower Threat Defense Software     application

Vendor-confirmed product mapping.
