Tuesday, March 17, 2026

Cisco Warns of Active Exploitation of Secure ASA and FTD Remote Code Execution Flaw

Cisco has issued an urgent warning about active exploitation of a critical vulnerability in its Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software, urging customers to patch immediately.

The flaw, tracked as CVE-2025-20333, affects the VPN web server and allows authenticated attackers to execute arbitrary code, potentially leading to full device compromise.

The flaw was first disclosed on September 25, 2025, and the advisory was updated on November 5 to highlight a new attack variant that causes denial-of-service (DoS) conditions through unexpected device reloads.

With a CVSS score of 9.9, this buffer overflow issue (CWE-120) stems from inadequate validation of user-supplied input in HTTP(S) requests, making it a prime target for threat actors.

Vulnerability Mechanics and Impact

Attackers need valid VPN credentials to exploit the vulnerability by sending crafted HTTP requests to affected devices.

Successful exploitation grants root-level code execution, enabling data theft, lateral movement, or further network breaches.

The recent DoS variant exacerbates risks for unpatched systems, disrupting operations without requiring advanced privileges.

Cisco’s Product Security Incident Response Team (PSIRT) confirmed exploitation attempts, discovered via a Technical Assistance Center support case, with support from global agencies like the U.S. CISA and UK’s NCSC.

No workarounds exist, emphasizing the need for swift upgrades.

Affected Products and Configurations

This vulnerability impacts Cisco Secure Firewall ASA and FTD software running vulnerable releases with SSL VPN features enabled.

Configurations such as AnyConnect IKEv2 Remote Access, Mobile User Security, or standard SSL VPN expose systems. These features are visible in the device configuration through CLI commands such as “webvpn enable <interface>”.

Cisco Secure Firewall Management Center (FMC) software remains unaffected. Customers should use the Cisco Software Checker tool to verify exposure by entering their release numbers, such as 9.20.3.4 for ASA or 7.4.2 for FTD.
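As an added illustration (not Cisco tooling and not part of the original article), the following Python sketch scans a saved running-config for the “webvpn enable <interface>” setting mentioned above. The function names and the sample config are constructed for this example, and the `crypto ikev2 enable <interface> client-services` pattern is an assumption about how AnyConnect IKEv2 Remote Access appears in a config. A match only shows the feature is enabled; whether the release is vulnerable still has to be checked with the Software Checker.

```python
import re

# Constructed sample of a saved running-config; not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-fw-01
crypto ikev2 enable outside client-services port 443
group-policy STAFF attributes
 webvpn
  anyconnect keep-installer installed
webvpn
 enable outside
 enable dmz
 anyconnect enable
!
"""

# "enable <interface>" inside the top-level webvpn section turns on the SSL VPN web server.
ENABLE_RE = re.compile(r"^enable\s+(\S+)")
# Assumption: AnyConnect IKEv2 Remote Access appears as client-services on an interface.
IKEV2_RE = re.compile(r"^crypto ikev2 enable\s+(\S+)\s+client-services\b")


def exposed_interfaces(config_text):
    """Return {feature: sorted interface names} for VPN web features found enabled."""
    found = {"ssl_vpn": set(), "ikev2_client_services": set()}
    in_webvpn = False
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Top-level line: only a bare "webvpn" opens the global section.
            # A "webvpn" nested under group-policy is indented and is skipped.
            in_webvpn = raw.strip() == "webvpn"
            m = IKEV2_RE.match(raw)
            if m:
                found["ikev2_client_services"].add(m.group(1))
        elif in_webvpn:
            m = ENABLE_RE.match(raw.strip())
            if m:
                found["ssl_vpn"].add(m.group(1))
    return {k: sorted(v) for k, v in found.items()}


def is_exposed(config_text):
    """True when any interface has one of the checked features enabled."""
    return any(exposed_interfaces(config_text).values())


if __name__ == "__main__":
    for feature, ifaces in exposed_interfaces(SAMPLE_CONFIG).items():
        print(f"{feature}: {', '.join(ifaces) or 'not enabled'}")
```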

| CVE ID | CVSS 3.1 Score | Affected Products | Description | CWE ID | Bug ID |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-20333 | 9.9 (Critical) | Cisco Secure Firewall ASA Software, Cisco Secure Firewall FTD Software | Improper input validation in VPN web server leading to remote code execution via crafted HTTP requests. Requires authenticated access. | CWE-120 (Buffer Copy without Checking Size) | CSCwq79831 |

Mitigation and Recommendations

Cisco recommends upgrading to fixed releases listed in the advisory, available via the Software Checker for “First Fixed” or “Combined First Fixed” versions addressing multiple issues.

Post-upgrade, enable threat detection for VPN services as outlined in Cisco’s configuration guide to block authentication attacks and invalid connections.

Organizations relying on these firewalls for remote access should prioritize patching, monitor for unusual reloads, and review logs for exploitation indicators.

As attacks evolve, staying vigilant against VPN-targeted threats remains essential in today’s threat landscape.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
