Cisco ASA/FTD 0-Day Vulnerability Exploited for Authentication Bypass


Cisco has released advisories for a zero-day exploit chain affecting its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software, which is reportedly being used in highly targeted attacks by an unknown threat actor.

According to Rapid7, the exploit chain combines two vulnerabilities, CVE-2025-20362 and CVE-2025-20333, to achieve unauthenticated remote code execution (RCE) on vulnerable devices.

A third vulnerability, CVE-2025-20363, was patched at the same time, but the evidence so far indicates that only the first two are used in the attack chain.

The core of the issue lies within the clientless VPN (WebVPN) feature, allowing an attacker to bypass authentication and then trigger a memory corruption flaw.

The Two-Stage Exploit Chain

The attack begins with CVE-2025-20362, an authentication bypass caused by a path traversal flaw. It lets an unauthenticated, remote attacker reach restricted URL endpoints that should only be served after a successful login.

The flaw is a variant of an earlier path traversal bug in the same web server, CVE-2018-0296. An attacker exploits it by sending a crafted HTTP request whose path starts under a tree that is served without authentication (CSCOU) and traverses into the tree that should require it (CSCOE); the request is shown on this page only in abbreviated form, as CSCOU...CSCOE.


This sidesteps the authentication check and grants access to authenticated endpoints, setting the stage for the second part of the attack. A successful bypass can be recognised from the response: the server answers with “CSRF token mismatch” or “Failed to upload file”, messages produced by handlers that an unauthenticated request should never reach.

Once authentication is bypassed, the attacker leverages CVE-2025-20333, a buffer overflow vulnerability within the WebVPN feature’s file upload handling process.

This flaw, classified as CWE-120 (Buffer Copy without Checking Size of Input, the classic buffer overflow), is located in a Lua script that processes file uploads. Specifically, the script fails to validate the length of the multipart “boundary” value taken from the HTTP request.

When a request carries a boundary string longer than the 8192-byte buffer allocated for it, the script calls the HTTPCONTENTTOBUFFER function with a length greater than the buffer’s capacity, and the copy overflows the buffer.

This memory corruption can be triggered via the CSCOEfilesfileaction.html endpoint, which only becomes reachable because of the initial authentication bypass, according to Rapid7’s analysis.
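The two request properties described above (a traversal that lands in an authenticated CSCOE path, and a multipart boundary longer than the 8192-byte buffer) are both visible in the raw HTTP request, so they can be triaged from captured traffic or a reverse-proxy log before a device is ever touched. The script below is an added example written for this article; it is not Cisco's or Rapid7's code. The sample requests, the endpoint names under CSCOE and the host name are constructed for illustration; only the two checks follow the mechanism the article describes. The ASA convention of wrapping WebVPN path components in plus signs (as in +CSCOE+) is assumed, and the comparison strips those characters so bare names also match.

```python
"""Triage raw HTTP requests for the two patterns in the exploit chain.

Constructed example for this article (not Cisco or Rapid7 tooling). Flags:
  * a path using ".." that normalises into the CSCOE (authenticated) tree,
    the shape of the CVE-2025-20362 bypass;
  * a multipart Content-Type whose boundary exceeds the 8192-byte buffer
    named in the CVE-2025-20333 description.
Sample requests and endpoint names below are made up for illustration.
"""
import re
from urllib.parse import unquote

BOUNDARY_BUFFER = 8192  # buffer size quoted in the article

# Accepts boundary="..." (quoted) or boundary=... (bare, ends at ';' or space).
_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers).
    Header names are lower-cased; any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def normalize_path(target: str) -> str:
    """Percent-decode once, then collapse '.' and '..' the way a naive
    server-side path join would, to see where a traversal actually lands."""
    path = unquote(target.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def _component(seg: str) -> str:
    # Assumed ASA convention: WebVPN path components look like +CSCOE+.
    return seg.strip("+").upper()


def check_request(raw: str):
    """Return a list of (kind, detail) findings for one raw request."""
    findings = []
    _method, target, headers = parse_request(raw)

    raw_segs = [s for s in unquote(target.split("?", 1)[0]).split("/") if s]
    if ".." in raw_segs:  # only traversal requests are interesting here
        resolved = normalize_path(target)
        parts = [_component(s) for s in resolved.split("/") if s]
        if parts and parts[0] == "CSCOE":
            findings.append(("traversal-into-CSCOE",
                             f"{target} resolves to {resolved}"))

    m = _BOUNDARY_RE.search(headers.get("content-type", ""))
    if m:
        boundary = m.group(1) if m.group(1) is not None else m.group(2)
        if len(boundary) > BOUNDARY_BUFFER:
            findings.append(("oversized-boundary",
                             f"boundary is {len(boundary)} bytes, "
                             f"buffer is {BOUNDARY_BUFFER}"))
    return findings


def triage(raw: str):
    """Just the finding kinds, in the order they were detected."""
    return [kind for kind, _ in check_request(raw)]


# Constructed sample requests (hypothetical paths, not captured traffic).
BENIGN = "GET /+CSCOE+/logon.html HTTP/1.1\r\nHost: fw.example\r\n\r\n"
TRAVERSAL = ("GET /+CSCOU+/../+CSCOE+/restricted.html HTTP/1.1\r\n"
             "Host: fw.example\r\n\r\n")
OVERSIZED = ("POST /+CSCOE+/upload.html HTTP/1.1\r\nHost: fw.example\r\n"
             "Content-Type: multipart/form-data; boundary=" + "A" * 9000
             + "\r\n\r\n")
CHAINED = ("POST /+CSCOU+/%2e%2e/+CSCOE+/upload.html HTTP/1.1\r\n"
           "Host: fw.example\r\n"
           'Content-Type: multipart/form-data; boundary="' + "B" * 8193
           + '"\r\n\r\n')

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("traversal", TRAVERSAL),
                      ("oversized", OVERSIZED), ("chained", CHAINED)]:
        print(name, check_request(req) or "clean")
```

The traversal check deliberately fires only when a `..` segment is present and the collapsed path still begins with CSCOE; a legitimate request straight to a CSCOE page does not match. The boundary check is independent of the path, because an oversized boundary is abnormal on any endpoint. Both checks decode percent-encoding once; if the appliance or an upstream proxy decodes more than once, widen `normalize_path` accordingly rather than relying on a single pass.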

Mitigations

The successful chaining of these two vulnerabilities results in unauthenticated RCE, giving an attacker complete control over an affected Cisco firewall.

The exploit is non-trivial, but in-the-wild use has been confirmed, and exploitation attempts have caused vulnerable devices to crash and reload. Both bugs stem from improper validation of user-supplied input in HTTP(S) requests.

Both Cisco ASA and FTD software are affected when the clientless VPN (WebVPN) portal is enabled. Cisco has released patched software versions, including ASAv version 9.16.4.85, to address these critical vulnerabilities.

Administrators are strongly urged to update their systems immediately. Because the attack surface is the WebVPN portal, start by confirming whether it is enabled on each appliance (on ASA, show running-config webvpn lists the configuration) and prioritise internet-exposed devices, then consult Cisco’s advisory for the fixed release that matches each software train.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.