Cisco ASA 0-Day RCE Flaw Actively Exploited in the Wild


A critical zero-day vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software is being actively exploited in the wild.

Tracked as CVE-2025-20333, this remote code execution flaw allows an authenticated attacker to execute arbitrary code as root on affected devices.

Cisco published an advisory on September 25, 2025, urging all users to update immediately to a fixed software release. No workaround exists.

CVE ID           Severity   CVSS 3.1 Score   CWE
CVE-2025-20333   Critical   9.9              CWE-120
CVE-2025-20362   Medium     6.5              CWE-862

Cisco identified the issue in the VPN web server component of ASA and FTD software. The flaw results from improper validation of user-supplied input in HTTP(S) requests.

An attacker with valid VPN credentials can send specially crafted requests to the VPN web portal and trigger code execution. Successful exploitation grants root privileges, leading to full system compromise.

In addition to the critical RCE, Cisco also reported a medium-severity flaw, CVE-2025-20362. This issue permits unauthenticated attackers to access restricted URL endpoints without proper access checks.

While this does not directly lead to code execution, it undermines access controls and could serve as a stepping stone for further attacks.

Cisco’s advisory (advisory ID cisco-sa-asaftd-webvpn-z5xP8EUB, Cisco Bug ID CSCwq79831) includes detailed information and links to software updates. Both vulnerabilities share similar root causes in input validation for HTTP(S) services.

Affected devices include any ASA or FTD system running a vulnerable release with webvpn or AnyConnect IKEv2 remote access enabled.

Specific configurations that open SSL listen sockets, such as "crypto ikev2 enable client-services port" and "webvpn enable", are at risk.

Cisco Secure Firewall Management Center (FMC) and Device Manager (FDM) configurations that enable remote access VPN also expose FTD devices.

Cisco has confirmed that Secure FMC Software is not affected. Customers should use the Cisco Software Checker to identify affected versions and determine the first fixed release.

Upgrade guidance and fixed release numbers are available in the advisory’s Fixed Software section.

Cisco strongly recommends that customers upgrade to the fixed software release as soon as possible. There are no workarounds that fully mitigate these vulnerabilities.

After updating, review threat detection settings for VPN services to guard against brute-force login attempts, client initiation attacks, and invalid service connections.

Detailed instructions appear in the Cisco Secure Firewall ASA CLI Configuration Guide under “Configure Threat Detection for VPN Services.”
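An added audit script, not from Cisco or this article: given a running-config excerpt, it flags the listeners the advisory names (webvpn enable, crypto ikev2 enable ... client-services) and checks whether the VPN-service threat-detection commands are present. The sample configs are constructed, and the threat-detection command names and argument syntax are assumed from the ASA CLI guide section cited above.

```python
# Constructed "show running-config" excerpt (not from the advisory): it opens
# the VPN listen sockets the article names but sets no VPN threat detection.
EXPOSED_CONFIG = """\
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
threat-detection basic-threat
"""

# Same device with the three VPN-service threat-detection commands added
# (syntax assumed from the ASA CLI guide section the article cites).
HARDENED_CONFIG = EXPOSED_CONFIG + """\
threat-detection service invalid-vpn-access
threat-detection service remote-access-authentication hold-down 10 threshold 20
threat-detection service remote-access-client-initiations hold-down 10 threshold 20
"""

VPN_THREAT_DETECTION = (
    "threat-detection service invalid-vpn-access",
    "threat-detection service remote-access-authentication",
    "threat-detection service remote-access-client-initiations",
)


def parse_sections(config: str) -> dict[str, list[str]]:
    """Group each indented line under the unindented command preceding it."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit(config: str) -> dict[str, list[str]]:
    sections = parse_sections(config)
    exposed = []
    for cmd, children in sections.items():
        # "webvpn" + " enable <iface>" opens the SSL VPN portal listener;
        # "crypto ikev2 enable ... client-services" opens the AnyConnect one.
        if cmd == "webvpn" and any(c.startswith("enable ") for c in children):
            exposed.append("webvpn")
        if cmd.startswith("crypto ikev2 enable ") and "client-services" in cmd:
            exposed.append("ikev2 client-services")
    missing = [c for c in VPN_THREAT_DETECTION if not any(k.startswith(c) for k in sections)]
    return {"exposed": exposed, "missing_threat_detection": missing}
```

Feed it the output of "show running-config" from each ASA or FTD device; an empty "exposed" list means the vulnerable listeners are not configured, and an empty "missing_threat_detection" list means all three VPN-service threat-detection commands are present.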

The Cisco PSIRT is tracking active exploitation attempts of CVE-2025-20333 and encourages rapid patching.

This vulnerability was discovered during a Cisco TAC support case and is being exploited in the wild.

Security teams should prioritize patching ASA and FTD devices to prevent potential full-system takeover.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.