Cisco has issued a critical warning about ongoing attacks targeting a severe remote code execution vulnerability affecting its Secure Firewall, Adaptive Security Appliance, and Threat Defense Software.
The company updated its security advisory on November 5, 2025, revealing that threat actors have discovered a new attack variant capable of fully compromising devices on unpatched systems.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-20333 |
| Vulnerability Type | Buffer Overflow (CWE-120) |
| Affected Products | Cisco Secure Firewall ASA Software, Cisco Secure Firewall FTD Software |
| Cisco Bug ID | CSCwq79831 |
| CVSS v3.1 Score | 9.9 (Critical) |
The vulnerability, tracked as CVE-2025-20333, affects the VPN web server component in both Cisco Secure ASA and Secure FTD firewall platforms.
An authenticated remote attacker can exploit improper input validation in HTTP requests to execute arbitrary code with root privileges on affected devices.
This represents a significant risk for organizations relying on these firewalls for network perimeter defense, as successful exploitation could allow attackers to bypass all security controls.
Exploitation Details and Impact
Cisco became aware of a new attack variant in early November that specifically targets devices running vulnerable versions of ASA and FTD software.
This variant causes unpatched devices to reload, creating denial-of-service conditions that disrupt network operations unexpectedly.
The vulnerability requires valid VPN user credentials to exploit, meaning attackers must first obtain legitimate authentication details through phishing, credential theft, or insider threats.
Organizations running Cisco Secure Firewall ASA Software or Secure FTD Software with VPN features enabled face immediate risk.
Vulnerable configurations include AnyConnect IKEv2 Remote Access with client services, Mobile User Security implementations, and SSL VPN deployments.
The attack’s ability to achieve complete device compromise makes this particularly concerning, as attackers could modify firewall rules, redirect traffic, or establish persistent backdoors.
Cisco has released fixed software versions and strongly recommends all customers upgrade immediately. No workarounds are available to mitigate this vulnerability, leaving patching as the only viable remediation.
Organizations uncertain about their exposure can use Cisco’s Software Checker tool to verify whether their specific software releases are affected and identify the earliest available fixed versions.
After applying patches, Cisco recommends reviewing VPN threat-detection configurations to enable protections against remote-access VPN login authentication attacks, client-initiated attacks, and invalid VPN service connection attempts.
This additional hardening will provide defense-in-depth against similar attack vectors.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.