Cisco ASA 0-Day RCE Vulnerability Actively Exploited in the Wild

Cisco has issued an emergency security advisory warning of active exploitation of a critical zero-day vulnerability in its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software platforms. 

The vulnerability, tracked as CVE-2025-20333, carries a CVSS 3.1 base score of 9.9 (Critical) and allows a remote attacker who holds valid VPN user credentials to execute arbitrary code as root on an affected device.

The vulnerability resides in the VPN web server component of both ASA and FTD software, specifically affecting devices with remote access VPN configurations enabled.

Cisco's Product Security Incident Response Team (PSIRT) has confirmed exploitation attempts in the wild and stressed that successful exploitation results in complete compromise of the device.

Cisco ASA 0-Day RCE Vulnerability

The root cause of CVE-2025-20333 is insufficient validation of user-supplied input in HTTP(S) requests handled by the VPN web server. 

The result is a buffer overflow (CWE-120): an attacker who holds valid VPN credentials can send a crafted HTTP request that triggers code execution with root privileges. "Authenticated" here means a VPN user account, not an administrator account, which is why the CVSS score is so high despite the precondition.

Vulnerable configurations are ASA or FTD devices running affected software with at least one of the following remote-access VPN features enabled: AnyConnect IKEv2 Remote Access with client services (crypto ikev2 enable <interface> client-services port <port>), SSL VPN (webvpn, then enable <interface>), or Mobile User Security (MUS). The <interface> and <port> values are placeholders for the device's own settings. 

What these features have in common is that they open the SSL listen socket on which the VPN web server accepts HTTP(S) requests; that listener is the exposed attack surface.
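As an added example (not code from the Cisco advisory or from this article), the following Python script scans saved show running-config output for the configuration commands listed above and reports which exposing features are present. The sample configs are constructed, and the interface name "outside" and port 443 are placeholder values; the advisory's own command list and Cisco's Software Checker remain the authority on which releases are affected.

```python
"""Audit ASA/FTD running-config text for the VPN web server attack surface.

Added example, not Cisco's or the article's code. It looks for the configuration
commands the advisory lists as exposing the VPN web server; the sample configs
below are constructed, and 'outside' / 443 are placeholder values.
"""
import re

# Top-level command: AnyConnect IKEv2 Remote Access with client services.
IKEV2_CLIENT_SERVICES = re.compile(r"^crypto ikev2 enable \S+ client-services\b")
# Inside the global 'webvpn' block: 'enable <interface>' opens the SSL listener.
WEBVPN_ENABLE = re.compile(r"^enable \S+$")
# Inside the global 'webvpn' block: Mobile User Security commands start with 'mus'.
WEBVPN_MUS = re.compile(r"^mus\b")


def find_vulnerable_config(running_config: str) -> list[tuple[str, str]]:
    """Return (feature, command) pairs for every exposing command found.

    ASA prints top-level commands at column 0 and sub-mode lines indented by one
    space, so the global 'webvpn' block is tracked by indentation. The 'webvpn'
    sub-mode that appears indented inside 'group-policy ... attributes' is
    deliberately ignored: it tunes a policy, it does not open a listener.
    """
    findings = []
    in_global_webvpn = False
    for raw in running_config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw.startswith(" "):                      # top-level command
            in_global_webvpn = raw.strip() == "webvpn"
            if IKEV2_CLIENT_SERVICES.match(raw):
                findings.append(("AnyConnect IKEv2 Remote Access with client services",
                                 raw.strip()))
            continue
        if in_global_webvpn:                              # one level inside 'webvpn'
            cmd = raw.strip()
            if WEBVPN_ENABLE.match(cmd):
                findings.append(("SSL VPN (webvpn enable)", cmd))
            elif WEBVPN_MUS.match(cmd):
                findings.append(("Mobile User Security (MUS)", cmd))
    return findings


# Constructed sample: a remote-access edge firewall with both exposing features.
SAMPLE_EXPOSED = """\
hostname asa-edge
!
crypto ikev2 enable outside client-services port 443
!
group-policy GP-RA attributes
 vpn-tunnel-protocol ssl-client ikev2
 webvpn
  anyconnect keep-installer installed
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
"""

# Constructed sample: IKEv2 enabled without client services, no webvpn block.
SAMPLE_CLEAN = """\
hostname asa-core
!
crypto ikev2 enable outside
!
"""

if __name__ == "__main__":
    for name, cfg in (("asa-edge", SAMPLE_EXPOSED), ("asa-core", SAMPLE_CLEAN)):
        hits = find_vulnerable_config(cfg)
        print(f"{name}: {'EXPOSED' if hits else 'no exposing VPN config found'}")
        for feature, cmd in hits:
            print(f"  {feature}: {cmd}")
```

Feed it the output of show running-config from each device (for example, collected over SSH by your existing config-backup job) and treat any finding as "patch first". The indentation rule matters: a "webvpn" sub-mode inside a group-policy is a false positive if matched naively, while "crypto ikev2 enable outside" without "client-services" is not an exposing configuration.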

The exploitation process requires attackers to first obtain valid VPN user credentials, after which they can send specially crafted HTTP requests to the targeted device’s VPN web server. 

Successful exploitation grants root-level access, potentially allowing threat actors to install persistent backdoors, exfiltrate sensitive network traffic, or pivot to internal network segments.

The discovery and investigation of this vulnerability involved collaboration among several national cyber security agencies, including the Australian Signals Directorate, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the UK National Cyber Security Centre (NCSC), and the U.S. Cybersecurity & Infrastructure Security Agency (CISA).

Coordination on this scale usually indicates a well-resourced actor, likely a state-sponsored or advanced persistent threat (APT) group, rather than opportunistic exploitation.

Unauthorized Access Vulnerability (CVE-2025-20362)

CVE-2025-20362 is a missing-authorization flaw in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software, exploitable by an unauthenticated remote attacker. 

Rated Medium severity with a CVSS 3.1 base score of 6.5, this flaw allows remote attackers to bypass authentication and access restricted URL endpoints.

The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests handled by the VPN web server. Specifically, certain URL endpoints that should require authentication fail to enforce access checks. 

An attacker who sends a crafted HTTP request to one of these endpoints can read or interact with resources that should be restricted, without holding any VPN credentials. Practitioners should weigh the two flaws together rather than by their individual scores: an authentication bypass on the same web server is exactly what removes the "valid VPN credentials" precondition of CVE-2025-20333.

CVE             Title                                                                              CVSS 3.1  Severity
CVE-2025-20333  Cisco Secure Firewall ASA/FTD VPN Web Server Remote Code Execution Vulnerability   9.9       Critical
CVE-2025-20362  Cisco Secure Firewall ASA/FTD VPN Web Server Unauthorized Access Vulnerability     6.5       Medium

Mitigations 

Cisco states that no workarounds exist for either vulnerability, so upgrading to a fixed software release is the only remediation. 

Organizations should prioritize patching all affected ASA and FTD devices using Cisco’s Software Checker tool to identify vulnerable releases and appropriate fixed versions.

To determine whether a device is exposed, the advisory points administrators at show running-config: check it for the VPN commands listed earlier (the IKEv2 client-services line, and a webvpn block with an interface enabled). Beyond patching, network administrators should monitor for unusual VPN authentication patterns (bursts of failed logins, password spraying across many accounts, logins from unexpected sources) and for anomalous HTTP requests to the SSL VPN endpoints, since an attacker needs working credentials before CVE-2025-20333 can be used.
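One concrete form of that monitoring, as an added example rather than anything from the advisory or this article: a small Python detector that reads ASA AAA syslog messages, flags a source IP that accumulates rejected VPN logins inside a time window, and then flags any account that logs in successfully shortly after a flagged source failed against it. The log lines are constructed and modelled on ASA's 113005 (authentication rejected) and 113004 (authentication successful) messages; the timestamp prefix, AAA server address and client IPs are assumptions, so adjust the regexes to the exact format your ASA version and logging settings produce.

```python
"""Flag VPN credential-guessing against an ASA/FTD from AAA syslog messages.

Added example, not from the advisory or the article. It is modelled on ASA's
113005 (authentication rejected) and 113004 (authentication successful) AAA
messages; the log lines below are constructed, and the timestamp prefix,
server address and source IPs are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})")
REJECT_RE = re.compile(r"%ASA-6-113005: .*user = (?P<user>\S+) : user IP = (?P<ip>\S+)")
SUCCESS_RE = re.compile(r"%ASA-6-113004: .*user = (?P<user>\S+)")


def _parse_ts(line):
    """Timestamp from the assumed 'Mon DD YYYY HH:MM:SS' prefix, or None."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S") if m else None


def detect_vpn_auth_abuse(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts in log order.

    ('brute_force', ip, n)                 n rejected logins from ip within window
    ('success_after_failures', user, ips)  user logged in shortly after a flagged
                                           ip failed against that account
    A single failed login followed by a success from an unflagged source (a user
    mistyping a password) does not alert.
    """
    rejects_by_ip = defaultdict(deque)     # ip -> timestamps of rejected logins
    failures_by_user = defaultdict(list)   # user -> [(ts, ip)] of rejected logins
    alerted_ips = set()
    alerts = []
    for line in log_text.splitlines():
        ts = _parse_ts(line)
        if ts is None:
            continue
        m = REJECT_RE.search(line)
        if m:
            ip, user = m["ip"], m["user"]
            q = rejects_by_ip[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop rejections older than the window
                q.popleft()
            failures_by_user[user].append((ts, ip))
            if len(q) >= threshold and ip not in alerted_ips:
                alerted_ips.add(ip)
                alerts.append(("brute_force", ip, len(q)))
            continue
        m = SUCCESS_RE.search(line)
        if m:
            user = m["user"]
            suspect_ips = sorted({ip for t, ip in failures_by_user[user]
                                  if ts - t <= window and ip in alerted_ips})
            if suspect_ips:
                alerts.append(("success_after_failures", user, suspect_ips))
    return alerts


# Constructed sample: one source sprays five accounts, then 'carol' logs in;
# 'gina' mistypes once from a different address and then succeeds.
SAMPLE_SYSLOG = """\
Sep 25 2025 10:15:01 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.22
Sep 25 2025 10:15:09 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.22
Sep 25 2025 10:15:20 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = gina : user IP = 203.0.113.8
Sep 25 2025 10:15:31 asa-edge : %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = gina
Sep 25 2025 10:15:44 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 198.51.100.22
Sep 25 2025 10:16:02 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 198.51.100.22
Sep 25 2025 10:16:15 asa-edge : %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 198.51.100.22
Sep 25 2025 10:16:40 asa-edge : %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = carol
"""

if __name__ == "__main__":
    for alert in detect_vpn_auth_abuse(SAMPLE_SYSLOG):
        print(alert)
```

The second alert type is the one worth paging on for this advisory: a successful VPN login for an account that a flagged source had just been guessing against is precisely the credential an attacker needs before CVE-2025-20333 can be exploited. A standalone burst of failures is lower priority but still worth a block at the perimeter.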

Given that exploitation is already under way and the RCE is rated Critical, security teams should treat this as an incident requiring emergency change procedures rather than a routine patch cycle. 

Organizations that cannot patch immediately should consider temporarily disabling the exposing VPN features where operationally feasible, which closes the SSL listener the vulnerable web server runs on; Cisco notes that this will disrupt remote access for the duration.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.