Latest Cisco firewall vulnerabilities #
Cisco has disclosed three vulnerabilities on certain versions of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) software. There is evidence that these vulnerabilities (CVE-2025-20333, CVE-2025-20362) are being actively exploited in the wild.
- A vulnerability in the VPN web server of Cisco ASA and Cisco FTD software could allow an authenticated, remote adversary to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An adversary with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the adversary to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device. This vulnerability has been designated CVE-2025-20333 and has been rated critical with a CVSS score of 9.9.
- A vulnerability in the web services of Cisco ASA, Cisco FTD, Cisco IOS, Cisco IOS XE, and Cisco IOS XR software could allow an unauthenticated, remote adversary (Cisco ASA and FTD) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An adversary could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the adversary to execute arbitrary code as root, which may lead to the complete compromise of the affected device. This vulnerability has been designated CVE-2025-20363 and has been rated critical with a CVSS score of 9.0.
- A vulnerability in the VPN web server of Cisco ASA and Cisco FTD software could allow an unauthenticated, remote adversary to access restricted URL endpoints without authentication that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An adversary could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the adversary to access a restricted URL without authentication. This vulnerability has been designated CVE-2025-20362 and has been rated medium with a CVSS score of 6.5.
The following versions are affected
- See the Cisco Event Response: Continued Attacks Against Cisco Firewalls page and the associated advisories (cisco-sa-asaftd-webvpn-z5xP8EUB, cisco-sa-http-code-exec-WmfP3h3O, cisco-sa-asaftd-webvpn-YROOTUW) for a complete list.
What is the impact? #
Successful exploitation of the vulnerability would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- Consult the Cisco Event Response: Continued Attacks Against Cisco Firewalls page and the associated advisories (cisco-sa-asaftd-webvpn-z5xP8EUB, cisco-sa-http-code-exec-WmfP3h3O, cisco-sa-asaftd-webvpn-YROOTUW). Use the Cisco Software Checker tool to identify the appropriate patched software release and upgrade to that version.
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate potentially impacted assets:
(os:="Cisco Adaptive Security Appliance" OR hw:="Cisco ASA%") AND (protocol:http OR protocol:tls)
