Critical Zero-Day Vulnerability in Cisco ASA and FTD Software Actively Exploited

Cisco has issued an urgent security advisory regarding a critical zero-day vulnerability, identified as CVE-2025-20333, in its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software platforms. This flaw carries a CVSS score of 9.9, indicating its severity, and is currently being actively exploited by attackers.

Vulnerability Overview

The vulnerability resides in the VPN web server component of both ASA and FTD software, specifically affecting devices with remote access VPN configurations enabled. It stems from improper validation of user-supplied input within HTTP(S) requests processed by the VPN web server, leading to a buffer overflow condition. This flaw allows authenticated remote attackers with valid VPN credentials to execute arbitrary code with root privileges on affected devices.

Affected Configurations

Devices running ASA or FTD software with the following VPN features enabled are vulnerable:

– AnyConnect IKEv2 Remote Access with client services
– SSL VPN services
– Mobile User Security (MUS) implementations

The vulnerable code is exposed through the SSL listen sockets that these configurations enable; devices without such a listener are not affected.

Exploitation Details

To exploit this vulnerability, attackers must first obtain valid VPN user credentials. Once authenticated, they can send specially crafted HTTP requests to the targeted device’s VPN web server, triggering the buffer overflow and executing arbitrary code with root-level privileges. This access could allow threat actors to install persistent backdoors, exfiltrate sensitive network traffic, or pivot to internal network segments.

Discovery and Response

The discovery and investigation of this vulnerability involved collaboration between multiple international cybersecurity agencies, including the Australian Signals Directorate, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the UK National Cyber Security Centre (NCSC), and the U.S. Cybersecurity & Infrastructure Security Agency (CISA). This coordinated response suggests the involvement of sophisticated threat actors, likely nation-state or advanced persistent threat (APT) groups targeting critical infrastructure.

Additional Vulnerability: CVE-2025-20362

In addition to CVE-2025-20333, Cisco has identified another vulnerability, CVE-2025-20362, in the VPN web server of ASA and FTD software. This medium-severity flaw, with a CVSS score of 6.5, allows unauthenticated remote attackers to bypass authentication and access restricted URL endpoints. The issue arises from improper validation of user-supplied input in HTTP(S) requests, enabling attackers to retrieve or interact with sensitive resources without valid VPN credentials.

Mitigation Measures

Cisco emphasizes that no workarounds exist for these vulnerabilities, making immediate software updates the only viable remediation strategy. Organizations are urged to prioritize patching all affected ASA and FTD devices using Cisco’s Software Checker tool to identify the appropriate fixed software versions.

Recommendations for Organizations

1. Immediate Patching: Apply the latest software updates provided by Cisco to address these vulnerabilities.

2. Credential Security: Ensure robust management of VPN credentials, including the implementation of multi-factor authentication (MFA) to reduce the risk of unauthorized access.

3. Network Monitoring: Implement continuous monitoring of network traffic for signs of exploitation or unauthorized access attempts.

4. Access Controls: Review and restrict VPN access to only necessary users and devices to minimize potential attack vectors.

5. Incident Response Planning: Develop and regularly update incident response plans to quickly address potential breaches resulting from these vulnerabilities.

Conclusion

The active exploitation of CVE-2025-20333 and CVE-2025-20362 underscores the critical need for organizations to promptly address these vulnerabilities in Cisco ASA and FTD software. By implementing the recommended mitigation measures, organizations can enhance their security posture and protect their networks from potential compromise.