CVE-2024-20353 — Cisco ASA and FTD Denial of Service Vulnerability

Cisco ASA/FTD — Zero-Day Infinite Loop in WebVPN/Management Interface; ArcaneDoor Campaign by China-Nexus UAT4356

What are Cisco ASA and FTD?

Cisco Adaptive Security Appliance (ASA) Software is Cisco's long-standing enterprise firewall and VPN concentrator platform, deployed at network perimeters across enterprises, government agencies, and critical infrastructure worldwide. Firepower Threat Defense (FTD) is the next-generation firewall software that runs on Cisco Firepower and Secure Firewall appliances, on ASA 5500-X hardware, and as a virtual appliance (FTDv). Both terminate remote-access and site-to-site VPNs and inspect the traffic crossing the perimeter, which makes them a chokepoint: an attacker who controls one can intercept, redirect, or manipulate the communications passing through it and is positioned to pivot into the network behind it.

Overview

CVE-2024-20353 is a zero-day vulnerability in the management and VPN web servers of Cisco ASA and FTD Software: an unauthenticated remote attacker can send a crafted HTTP request that drives the web server into an infinite loop, and the device eventually reloads (denial of service). It was exploited in ArcaneDoor, an espionage campaign that Cisco Talos attributes to a state-sponsored actor it tracks as UAT4356 (STORM-1849 in Microsoft's naming) and that is widely assessed as China-nexus. ArcaneDoor targeted government network perimeters worldwide and chained two zero-days: CVE-2024-20353 to force device reboots, and CVE-2024-20359, a persistent local code-execution flaw that let the actor's Line Runner implant survive those reboots by abusing a legacy VPN client pre-load mechanism. "Line Dancer" is the name of the actor's in-memory shellcode loader, not of this CVE, and the initial access vector was not identified at disclosure. Cisco and CISA disclosed both vulnerabilities on April 24, 2024, and CISA added both to its KEV catalog the same day.

Affected Versions

Product              Status
Cisco ASA Software   Vulnerable releases identified; fixed releases listed in Cisco advisory cisco-sa-asaftd-websrvs-dos-X8gNucD2
Cisco FTD Software   Vulnerable releases identified; fixed releases listed in the same advisory

Refer to Cisco's advisory for version-specific fixed releases.

Technical Details

CWE-835 (Loop with Unreachable Exit Condition, i.e. infinite loop). The ASA and FTD web server components that serve SSL VPN and HTTPS management requests contain a code path that, because of incomplete error checking while parsing an HTTP header, enters a loop with no reachable exit condition when handed a crafted request. The looping process stops servicing other requests and the device ultimately reloads. The service is reachable on every interface where SSL VPN or HTTPS management is enabled and needs no credentials (PR:N), so any host that can reach the web server can trigger the reload. The impact is availability only (C:N/I:N/A:H); the scope change (S:C) reflects that a crashed firewall takes down every flow traversing it, not just the web server.

In the ArcaneDoor campaign, UAT4356 used CVE-2024-20353 not for disruption but as a trigger in a multi-stage chain. Line Dancer, an in-memory shellcode loader living in the lina process, does not survive a reboot on its own; Line Runner, a webshell staged on the device's disk, is re-installed at boot through the legacy VPN client pre-load path that CVE-2024-20359 abuses. Forcing a reload with CVE-2024-20353 therefore re-established the persistent implant rather than clearing the compromise, which is why an unexplained reload on an ASA should be treated as a possible indicator rather than a benign crash.

Discovery

The vulnerabilities were identified in early 2024 after a customer reported suspicious activity on its ASA devices to Cisco's Product Security Incident Response Team (PSIRT) and Cisco Talos. Talos attributed the campaign to UAT4356 (STORM-1849 in Microsoft's naming), a state-sponsored actor assessed as China-nexus and focused on network edge devices (routers, firewalls, VPN appliances) for long-term espionage. Cisco noted that perimeter devices are attractive targets precisely because they sit outside EDR coverage and offer durable access into the networks behind them.

Exploitation Context

ArcaneDoor is part of a broader shift by state-sponsored actors toward network edge infrastructure rather than endpoints: firewalls and VPN concentrators typically run no EDR or antivirus and offer little forensic tooling, yet they see every flow crossing the perimeter. Talos described the implants' capabilities as configuration modification, reconnaissance, network traffic capture and exfiltration, and potentially lateral movement; because the ASA terminates VPN sessions, traffic that is encrypted on the wire is available to it in the clear. Pivoting from the firewall into the network behind it raises no endpoint alerts, and the CVE-2024-20359 persistence survives reboots. The campaign targeted government networks in multiple countries, consistent with espionage rather than financial motives.

Remediation

  1. Upgrade to a fixed release listed in Cisco Security Advisory cisco-sa-asaftd-websrvs-dos-X8gNucD2 immediately. Cisco published no workaround for this vulnerability; patching is the only fix.
  2. Apply the CVE-2024-20359 fix from the companion advisory in the same maintenance window. The two vulnerabilities were used together in ArcaneDoor, and patching the DoS alone leaves the persistence mechanism in place.
  3. Review ASA/FTD logs and device state for ArcaneDoor indicators: unexplained reloads or crash dumps, administrative logins and configuration changes from unexpected addresses, and tampering with logging or AAA configuration. Cisco's advisories and the Talos post provide device-side checks for the implants; run them before upgrading, since an upgrade can destroy evidence.
  4. Restrict HTTPS and SSH management access to dedicated management network segments; the management interface should never be internet-facing. Note that the SSL VPN web server is exposed by design, so this reduces the attack surface for management abuse but does not by itself remove exposure to CVE-2024-20353.
  5. Enable Cisco's recommended logging levels and send syslog to an off-box collector. On-box logs can be disabled or cleared by an attacker with control of the device, and Talos observed the actor disabling logging as an anti-forensic step.
  6. Consult Cisco Talos's ArcaneDoor blog post for the full set of indicators of compromise (IOCs) and detection guidance, and block or hunt for the listed infrastructure.
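The log review in step 3 is easiest to make repeatable as a small triage script over exported syslog. The following is an added example, not code from Cisco or from the Talos write-up: it parses standard ASA syslog lines and applies four rules that map to the indicators above (a boot with no preceding operator reload, configuration commands or administrative logins from outside a management allow-list, and commands that disable or clear logging). The management network 10.10.0.0/24, the host name and the log lines are constructed for this example; the message IDs come from Cisco's ASA syslog message reference, but the exact message wording should be checked against the release you run.

```python
import ipaddress
import re
from dataclasses import dataclass

# Networks from which administrative access to the firewall is expected.
# Assumption for this example; replace with your own management ranges.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]

# ASA syslog message IDs the rules below key on (see Cisco's ASA syslog
# message reference for the exact wording on a given release):
#   199001  reload command executed by an operator
#   199002  startup completed (the device has just finished booting)
#   111010  configuration-mode command executed, with source IP
#   605005  administrative login permitted, with source IP
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:]{8}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONFIG_CMD_RE = re.compile(r"from IP " + IPV4 + r", executed '(?P<cmd>[^']*)'")
LOGIN_RE = re.compile(r"Login permitted from " + IPV4)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def parse(line: str):
    """Split one ASA syslog line into fields, or return None if it is not one."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def from_mgmt(ip: str) -> bool:
    """True if the source address belongs to an allow-listed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_ALLOWLIST)


def analyze(lines):
    """Run the triage rules over a sequence of syslog lines and return findings in log order."""
    findings = []
    pending_reload = set()  # hosts where an operator reload was logged but not yet seen booting
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        host, mid, msg = ev["host"], ev["id"], ev["msg"]
        if mid == "199001":
            pending_reload.add(host)
        elif mid == "199002":
            # A boot with no operator reload before it is a crash or an
            # attacker-triggered reload; CVE-2024-20353 produces exactly this.
            if host in pending_reload:
                pending_reload.discard(host)
            else:
                findings.append(Finding(host, "unexpected-reload",
                                        f"startup at {ev['ts']} with no preceding reload command"))
        elif mid == "111010":
            m = CONFIG_CMD_RE.search(msg)
            if not m:
                continue
            src, cmd = m.group(1), m.group("cmd")
            # 0.0.0.0 is what ASA logs for the local console; treat it as trusted.
            if src != "0.0.0.0" and not from_mgmt(src):
                findings.append(Finding(host, "config-from-outside-mgmt", f"{src} ran '{cmd}'"))
            # Disabling or clearing logging is the anti-forensic step Talos described.
            if cmd.startswith(("no logging", "clear logging")):
                findings.append(Finding(host, "logging-tampering", f"'{cmd}' from {src}"))
        elif mid == "605005":
            m = LOGIN_RE.search(msg)
            if m and not from_mgmt(m.group(1)):
                findings.append(Finding(host, "login-from-outside-mgmt",
                                        f"administrative login from {m.group(1)}"))
    return findings


# Constructed sample log for this example (not real ArcaneDoor telemetry).
SAMPLE_LOG = """\
Apr 24 03:10:02 asa-edge1 %ASA-6-605005: Login permitted from 10.10.0.5/51234 to management:10.10.0.1/22 for user "netops"
Apr 24 03:10:40 asa-edge1 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.10.0.5, executed 'logging host inside 10.10.0.50'
Apr 24 03:11:05 asa-edge1 %ASA-5-199001: Reload command executed from ssh (remote 10.10.0.5)
Apr 24 03:13:30 asa-edge1 %ASA-6-199002: Startup completed. Beginning operation.
Apr 24 22:41:17 asa-edge1 %ASA-6-605005: Login permitted from 198.51.100.23/40112 to outside:203.0.113.2/443 for user "admin"
Apr 24 22:42:03 asa-edge1 %ASA-5-111010: User 'admin', running 'CLI' from IP 198.51.100.23, executed 'no logging host inside 10.10.0.50'
Apr 24 22:49:55 asa-edge1 %ASA-6-199002: Startup completed. Beginning operation.
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.host}  {f.rule:<26} {f.detail}")
```

On the sample the planned maintenance reload at 03:11 is paired with its 199001 and produces nothing, while the evening sequence yields four findings: a login and a configuration change from a non-management address, the removal of the syslog host, and a reload with no operator command behind it. The unexpected-reload rule is deliberately stateful per host, because a crash on its own is common enough to ignore; it is the combination with the other three that matches the ArcaneDoor pattern. For this to work at all, step 5 (off-box syslog) has to be in place before the incident, since the script can only see what left the device.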

Key Details

Property              Value
CVE ID                CVE-2024-20353
Vendor / Product      Cisco — Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
NVD Published         2024-04-24
NVD Last Modified     2025-10-28
CVSS 3.1 Score        8.6
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Severity              HIGH
CWE                   CWE-835
CISA KEV Added        2024-04-24
CISA KEV Deadline     2024-05-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Changed
Confidentiality       None
Integrity             None
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-05-01. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-04-24  Cisco and CISA simultaneously disclose CVE-2024-20353 and CVE-2024-20359 as zero-days exploited in the ArcaneDoor campaign by UAT4356; CISA adds both to the KEV catalog
2024-05-01  CISA BOD 22-01 remediation deadline