Cisco has confirmed that threat actors are actively exploiting a critical remote code execution (RCE) flaw in its Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software.
First disclosed on September 25, 2025, the vulnerability tracked as CVE-2025-20333 poses a severe risk to organizations relying on these firewalls for VPN access. With a CVSS score of 9.9, it enables authenticated attackers to run arbitrary code with root privileges, potentially leading to full device compromise.
The issue stems from inadequate validation of user-supplied input in the VPN web server’s handling of HTTP(S) requests. An attacker armed with valid VPN credentials can craft malicious requests to trigger the flaw, bypassing normal safeguards and executing code that could exfiltrate data, install malware, or pivot deeper into networks.
Cisco’s advisory, updated November 5, 2025, reveals a new attack variant targeting unpatched systems, causing devices to reload unexpectedly and triggering denial-of-service (DoS) disruptions.
This escalation underscores the urgency: according to Cisco’s Event Response team, exploitation has already been observed in the wild.
Cisco ASA and FTD 0-day RCE Vulnerability
At its core, CVE-2025-20333 is a buffer overflow (CWE-120) in the webvpn component, reachable only when certain remote access features are enabled.
For ASA software, vulnerable setups include AnyConnect IKEv2 with client services, Mobile User Security (MUS), or basic SSL VPN configurations enabled via commands like “webvpn enable”.
FTD devices face the same risk when IKEv2 remote access or SSL VPN is enabled through management platforms such as Cisco Secure Firewall Management Center.
Only devices with enabled SSL listen sockets for these features are exposed; Cisco Secure FMC Software remains unaffected.
Urgent Recommendations and Response
No workarounds exist, leaving upgrades as the sole defense. Cisco urges immediate patching to fixed releases listed in the advisory, such as ASA 9.18.4.19 or FTD 7.4.2.
| Product | Affected Versions (Vulnerable) | Fixed Versions (Patched) |
|---|---|---|
| Cisco Secure Firewall ASA Software | 9.8.x through 9.16.4.22 | 9.16.4.23 and later |
| Cisco Secure Firewall ASA Software | 9.18.1 through 9.18.4.18 | 9.18.4.19 and later |
| Cisco Secure Firewall ASA Software | 9.20.1 and earlier | 9.20.2 and later |
| Cisco Secure Firewall FTD Software | 6.2.2 through 6.6.7.1 | 6.6.7.2 and later |
| Cisco Secure Firewall FTD Software | 6.7.0 through 7.0.5 | 7.0.6 and later |
| Cisco Secure Firewall FTD Software | 7.2.0 through 7.2.5 | 7.2.6 and later |
| Cisco Secure Firewall FTD Software | 7.4.0 through 7.4.1.1 | 7.4.2 and later |
Customers should audit configurations using “show running-config” to identify exposed VPN features and monitor for anomalous VPN traffic. Cisco links this to broader attacks on firewall platforms and advises layered defenses such as multi-factor authentication and intrusion detection.
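As an added example (not from Cisco or the article), the script below automates the two checks the advisory calls for: it compares a device's reported version against the fixed releases in the table above, and it scans "show running-config" output for the webvpn, AnyConnect and IKEv2 client-services settings that expose the vulnerable SSL listen socket. The configuration line shapes it matches (a top-level `webvpn` block containing `enable <interface>` and `anyconnect enable`, and `crypto ikev2 enable <interface> client-services`) are assumptions about typical ASA syntax, MUS is not modelled, and the sample config is constructed for the demonstration.

```python
import re

# Fixed releases per version train, as listed in the advisory table on the page.
# A version below its train's fixed release is still affected.
ASA_FIXED = {"9.16": (9, 16, 4, 23), "9.18": (9, 18, 4, 19), "9.20": (9, 20, 2)}
FTD_FIXED = {"6.6": (6, 6, 7, 2), "7.0": (7, 0, 6), "7.2": (7, 2, 6), "7.4": (7, 4, 2)}

# Oldest affected version and highest affected train from the table; trains in
# between that have no fix of their own (e.g. ASA 9.14, FTD 6.7) are affected.
ASA_RANGE = ((9, 8), (9, 20))
FTD_RANGE = ((6, 2, 2), (7, 4))


def parse_version(text):
    """Turn '9.18.4.18' into (9, 18, 4, 18) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(product, version_text):
    """True if the version falls inside the affected ranges on the page."""
    v = parse_version(version_text)
    fixed = ASA_FIXED if product == "asa" else FTD_FIXED
    lo, hi = ASA_RANGE if product == "asa" else FTD_RANGE
    train = ".".join(str(x) for x in v[:2])
    if train in fixed:
        return v < fixed[train]
    # No fixed release in this train: affected if inside the overall range.
    return lo <= v and v[:2] <= hi


def audit_config(running_config):
    """Return the exposure indicators found in 'show running-config' output.

    ASA prints sub-commands indented by one space under a top-level command,
    so a line without leading whitespace starts a new block (assumed syntax).
    """
    findings = []
    in_webvpn = False
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            in_webvpn = line.strip() == "webvpn"
            m = re.match(r"crypto ikev2 enable (\S+) client-services", line)
            if m:
                findings.append(f"IKEv2 client-services enabled on {m.group(1)}")
            continue
        if in_webvpn:
            sub = line.strip()
            m = re.match(r"enable (\S+)$", sub)
            if m:
                findings.append(f"SSL VPN (webvpn) enabled on {m.group(1)}")
            elif sub == "anyconnect enable":
                findings.append("AnyConnect client services enabled")
    return findings


def assess(product, version_text, running_config):
    """Combine both checks into a single verdict for one device."""
    vulnerable = is_vulnerable_version(product, version_text)
    findings = audit_config(running_config)
    exposed = vulnerable and bool(findings)
    if exposed:
        action = "upgrade now: affected release with exposed VPN listen socket"
    elif vulnerable:
        action = "upgrade: affected release, no exposed VPN features found"
    else:
        action = "fixed release; keep monitoring VPN traffic"
    return {"vulnerable_version": vulnerable, "findings": findings,
            "exposed": exposed, "action": action}


# Constructed sample output of 'show running-config'; not from a real device.
SAMPLE_CONFIG = """\
! constructed sample
hostname edge-fw
enable password ***** encrypted
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
group-policy GP-RA attributes
 vpn-tunnel-protocol ikev2 ssl-client
"""

if __name__ == "__main__":
    result = assess("asa", "9.18.4.18", SAMPLE_CONFIG)
    for finding in result["findings"]:
        print("finding:", finding)
    print("action:", result["action"])
```

Feed the script the real version string from "show version" and the saved running-config of each firewall; a device that is both on an affected release and reports findings should be prioritised for the upgrade, while a device on an affected release with no findings still needs the patch but is not exposed through the VPN web server.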
As cyber threats evolve, this incident highlights the perils of delayed updates in perimeter security. Organizations delaying action risk cascading breaches in an era of persistent exploitation.
