A critical zero-day vulnerability, identified as CVE-2025-20333, has been discovered in Cisco’s Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. This flaw is currently being actively exploited by malicious actors, posing a significant threat to organizations worldwide.
Overview of the Vulnerability
CVE-2025-20333 is a buffer overflow vulnerability with a CVSS score of 9.9, placing it in the critical severity range. The flaw resides in the VPN web server component of Cisco’s ASA and FTD software, which is widely used to provide secure remote access for enterprises. Exploitation of this vulnerability allows authenticated remote attackers to execute arbitrary code with root privileges, effectively granting them full control over the affected devices.
Scope of the Threat
According to data from The Shadowserver Foundation, as of September 29, 2025, over 48,800 unpatched IP addresses have been identified, with the United States being the most affected region. This widespread exposure underscores the urgency for organizations to address this security flaw promptly.
Technical Details
The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests processed by the VPN web server. By sending specially crafted HTTP requests, attackers can exploit this flaw to overflow memory buffers, leading to the execution of malicious code. To exploit this vulnerability, attackers require valid VPN user credentials, which can be obtained through methods such as credential stuffing, phishing campaigns, or exploiting weak authentication mechanisms.
Affected Configurations
Devices running vulnerable versions of ASA or FTD software with specific configurations are at risk. These configurations include:
– AnyConnect IKEv2 Remote Access with client services enabled
– Mobile User Security (MUS) implementations
– SSL VPN deployments
These features are commonly utilized in enterprise environments to support secure remote access for employees.
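As an added illustration of the inventory step (example code, not from the article or from Cisco), the following Python script reads an ASA running-config and reports which of the three listed configurations are enabled. The CLI keywords it matches (crypto ikev2 ... client-services, enable under webvpn, mus server enable) are assumed from the ASA command line rather than taken from this page, and the config excerpt is constructed.

```python
import re

# Constructed sample of a Cisco ASA running-config excerpt (not from the article).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 mus server enable port 443
 mus 0.0.0.0 0.0.0.0 outside
 anyconnect enable
group-policy GP attributes
 webvpn
  anyconnect ssl dtls enable
"""

# CLI forms for the three exposed configurations. Assumption: these are the ASA
# CLI keywords; check them against Cisco's advisory table before relying on them.
IKEV2_CLIENT_SERVICES = re.compile(r"^crypto ikev2 enable (\S+) client-services\b")
WEBVPN_ENABLE = re.compile(r"^enable (\S+)$")
MUS_SERVER = re.compile(r"^mus server enable\b")

def webvpn_block(lines):
    """Yield sub-commands of the top-level 'webvpn' section (the VPN web server).
    An indented 'webvpn' under a group-policy is per-user policy, not the listener."""
    in_block = False
    for line in lines:
        if line.rstrip() == "webvpn":
            in_block = True
        elif in_block and line.startswith(" "):
            yield line.strip()
        else:
            in_block = False

def exposed_features(config_text):
    """Return sorted (feature, interface) pairs that expose the VPN web server."""
    lines = config_text.splitlines()
    findings = set()
    for line in lines:
        m = IKEV2_CLIENT_SERVICES.match(line)
        if m:
            findings.add(("ikev2-client-services", m.group(1)))
    for sub in webvpn_block(lines):
        m = WEBVPN_ENABLE.match(sub)
        if m:
            findings.add(("ssl-vpn", m.group(1)))
        elif MUS_SERVER.match(sub):
            findings.add(("mus", "-"))
    return sorted(findings)
```

Feed it the output of `show running-config` from each device in the inventory; a device with an empty result still needs the software version checked, since the finding only tells you whether the vulnerable component is reachable.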
Secondary Vulnerability: CVE-2025-20362
In addition to CVE-2025-20333, a secondary vulnerability, CVE-2025-20362, has been identified. This flaw has a CVSS score of 6.5 and allows unauthenticated attackers to access restricted VPN endpoints that should require authentication. While less severe, this vulnerability can serve as a reconnaissance tool for attackers planning more sophisticated attacks.
Cisco’s Response and Recommendations
Cisco has released emergency security updates to address both vulnerabilities and strongly recommends that organizations apply these patches immediately. Given the active exploitation and the critical nature of the affected systems, prompt action is essential.
The company also advises organizations to review their threat detection configurations for VPN services to enhance protection against authentication attacks and unauthorized connection attempts.
Broader Implications
The exploitation of these vulnerabilities has prompted responses from various cybersecurity agencies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive mandating immediate action to mitigate these threats. The directive requires federal agencies to inventory their Cisco devices, conduct forensic analysis, disconnect compromised hardware, and apply the necessary updates by October 2, 2025. These vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities catalog, mandating all agencies to patch or discontinue use of the affected systems by October 16, 2025.
The attacks have been attributed to a suspected state-sponsored group known as ArcaneDoor (also referred to as Storm-1849 by Microsoft), which has been linked to similar activities since early 2024. This group has demonstrated the capability to manipulate ASA ROM as early as 2024, achieving unauthenticated remote code execution by exploiting zero-day vulnerabilities in ASA hardware.
Conclusion
The discovery and active exploitation of CVE-2025-20333 and CVE-2025-20362 highlight the critical importance of timely vulnerability management and patching in maintaining organizational cybersecurity. Organizations using Cisco’s ASA and FTD products should prioritize applying the provided security updates and review their security configurations to mitigate potential risks.