Critical Zero-Day Vulnerabilities in Cisco ASA and FTD Software Exploited in Targeted Attacks

Cisco has disclosed critical zero-day vulnerabilities in its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software that are being exploited in targeted attacks by an as-yet unattributed threat actor. The exploit chain combines two of them, CVE-2025-20362 and CVE-2025-20333, to achieve unauthenticated remote code execution (RCE) on vulnerable devices.

Understanding the Exploit Chain

The chain begins with CVE-2025-20362, an authentication bypass caused by a path traversal flaw in the device's web server. It lets an unauthenticated, remote attacker reach URL endpoints that normally require a logged-in session: a specially crafted HTTP request, such as `CSCOU…CSCOE`, traverses from a path outside the protected namespace into it, sidestepping the authentication check. Server responses such as `CSRF token mismatch` or `Failed to upload file`, rather than an authentication prompt, indicate that the request reached the authenticated handler and the bypass succeeded.

Once past authentication, the attacker exploits CVE-2025-20333, a buffer overflow in the WebVPN feature's file-upload handling. Classified as CWE-120 (Buffer Copy without Checking Size of Input), the flaw sits in a Lua script that processes uploads: the script never validates the length of the multipart boundary value supplied in the HTTP request. A boundary string longer than the 8192-byte buffer it is copied into is handed to the `HTTPCONTENTTOBUFFER` function with a length exceeding the buffer's capacity, and the copy overflows it. The overflow is reachable through the `CSCOEfilesfileaction.html` endpoint, which an unauthenticated attacker can reach only because of the preceding bypass.
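As an added example (not Cisco's code and not taken from the advisory), the following Python inspects raw HTTP requests for the two traits the chain described in the last two paragraphs depends on: a request target that only lands in the authenticated WebVPN namespace after dot-segment or percent-decoding normalization, and a multipart boundary at or beyond the 8192-byte figure given above. The `/+CSCOE+/` and `/+CSCOU+/` prefixes, the `logon.html` and `files/example.html` targets and all sample requests are constructed illustrations, not the actual exploit request, which the write-up elides; the double-encoded variant goes beyond the text to show that the same check catches percent-encoding evasion.

```python
"""Added example: request-level checks for the two traits of the ASA/FTD chain.
Not Cisco's code. Paths, endpoints and sample requests below are constructed."""

import posixpath
import re
from urllib.parse import unquote, urlsplit

# Buffer size given in the write-up for the boundary value; anything at or past
# it is treated as an overflow attempt. Assumed threshold, not from Cisco source.
BOUNDARY_LIMIT = 8192

# Assumed: the WebVPN URL namespace that requires an authenticated session.
PROTECTED_PREFIXES = ("/+CSCOE+/",)

_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]*)"|([^;]*))', re.IGNORECASE)


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, lowercase headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decode_path(target: str) -> str:
    """Path component of the target, percent-decoded twice to defeat double encoding."""
    return unquote(unquote(urlsplit(target).path))


def normalize_path(target: str) -> str:
    """Decoded path with dot segments collapsed, as a file-serving handler resolves it."""
    return posixpath.normpath(decode_path(target))


def is_protected(path: str) -> bool:
    return any(path == p.rstrip("/") or path.startswith(p) for p in PROTECTED_PREFIXES)


def boundary_length(headers: dict[str, str]) -> int:
    """Length of the multipart boundary declared in Content-Type, 0 if there is none."""
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/"):
        return 0
    match = _BOUNDARY_RE.search(ctype)
    if not match:
        return 0
    quoted, bare = match.groups()
    return len(quoted if quoted is not None else bare)


def inspect_request(raw: bytes) -> list[str]:
    """Return a finding per suspicious trait; an empty list means nothing matched."""
    findings: list[str] = []
    _method, target, headers = parse_request(raw)
    raw_path = urlsplit(target).path
    norm = normalize_path(target)
    # Trait 1: the target reaches the protected namespace only after normalization
    # (dot segments or percent-encoding hide the real destination in the raw path).
    escapes = ".." in decode_path(target).split("/") or not is_protected(raw_path)
    if is_protected(norm) and escapes:
        findings.append(f"traversal-bypass: {raw_path} -> {norm}")
    # Trait 2: multipart boundary at or beyond the fixed buffer size.
    length = boundary_length(headers)
    if length >= BOUNDARY_LIMIT:
        findings.append(f"oversized-boundary: {length} bytes (limit {BOUNDARY_LIMIT})")
    return findings


def _request(method: str, target: str, *headers: str) -> bytes:
    """Build a minimal raw request (constructed sample data, not captured traffic)."""
    lines = [f"{method} {target} HTTP/1.1", "Host: fw.example.test", *headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


SAMPLE_REQUESTS = {
    "benign_login": _request("GET", "/+CSCOE+/logon.html"),
    "benign_upload": _request(
        "POST", "/+CSCOE+/files/example.html",
        "Content-Type: multipart/form-data; boundary=----FormBoundaryq7Z2v",
        "Content-Length: 0"),
    "traversal": _request("GET", "/+CSCOU+/../+CSCOE+/files/example.html"),
    "double_encoded": _request("GET", "/%252BCSCOE%252B/files/example.html"),
    "chained": _request(
        "POST", "/+CSCOU+/../+CSCOE+/files/example.html",
        "Content-Type: multipart/form-data; boundary=" + "A" * 9000,
        "Content-Length: 0"),
}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name}: {inspect_request(req) or 'clean'}")
```

This runs where the raw request is visible before the appliance normalizes it, such as a reverse proxy or WAF in front of the portal, or offline over a packet capture; it cannot run on the ASA itself and is a hunting aid, not a substitute for the vendor fix. The normalization step deliberately mirrors what a file-serving handler does, so a raw path that avoids the protected prefix but resolves into it is the signal, whatever encoding trick produced it.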

Implications and Risks

Chaining the two yields unauthenticated RCE and, with it, full control of the affected firewall. In-the-wild exploitation has also been observed to crash and reboot vulnerable devices, a symptom worth correlating with unexpected reload events in device logs. Both flaws stem from improper validation of user-supplied input in HTTP(S) requests, and both ASA and FTD are affected when the clientless VPN (WebVPN) portal is enabled.

Mitigation Measures

Cisco has released fixed software for the affected release trains, including ASA (and ASAv) release 9.16.4.85. Administrators should upgrade immediately; with exploitation already under way there is no safe interval in which to defer. Until the upgrade is applied, limiting which networks can reach the WebVPN portal reduces exposure, since the chain depends on reaching that portal.

Additional Context

In a related development, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive mandating immediate action on these vulnerabilities. CISA ties the campaign to the ArcaneDoor activity first identified in early 2024 and notes that the adversary had demonstrated the ability to manipulate ASA ROM as early as that year. By exploiting zero-days in ASA hardware, the ASA Services Module (ASA-SM), ASA Virtual (ASAv), and ASA software running on Firepower 2100/4100/9300 devices, the attackers achieve unauthenticated remote code execution. Platforms that implement Secure Boot and Trust Anchor can detect ROM manipulation; the older ASA models that lack these protections cannot, which makes them the prime targets for persistent implants.

CISA states that failure to remediate poses an unacceptable risk to federal information systems and critical infrastructure. Agencies must follow CISA's core dump and hunt instructions, submit the resulting core dumps through the Malware Next-Gen portal for analysis, and apply Cisco's software updates by the stated deadlines. The directive covers all federal information systems, including those hosted by third-party providers.

Conclusion

The discovery and active exploitation of these zero-days underscore the importance of timely patching and vigilant network monitoring. Organizations running Cisco ASA or FTD should patch now, review where the WebVPN portal is exposed, and hunt for the indicators described above; tracking Cisco's and CISA's advisories keeps that response aligned with what is known about the campaign.