Warning: Multiple Critical Zero-day RCE Vulnerabilities in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD), Patch Immediately!

Published: 26/09/2025

 

    * Last update: 26/09/2025
   
    * Affected software:
    • Cisco ASA Software releases prior to 9.12.4.72; 9.14.4.28; 9.16.4.85; All 9.17 Releases; 9.18.4.67; All 9.19 Releases; 9.20.4.10; 9.22.2.14; 9.23.1.19.
    • Cisco FTD Software releases prior to 7.0.8.1; All 7.1 Releases; 7.2.10.2; All 7.3 Releases; 7.4.2.4; 7.6.2.1; 7.7.10.1.
 
    * Type:
    • CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
    • CWE-122 Heap-based Buffer Overflow
    • CWE-862 Missing Authorization
 
    * CVE/CVSS
    • CVE-2025-20333: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    • CVE-2025-20363: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
    • CVE-2025-20362: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

 

Sources

 
Cisco https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
 

Risks

Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) are affected by multiple critical vulnerabilities that may result in complete device compromise and takeover.

These devices are commonly deployed as public-facing edge systems, making them high-value targets for threat actors. Their exposure, combined with their central role in enterprise network security, significantly increases both the likelihood and potential impact of exploitation, particularly in the case of unauthenticated remote code execution vulnerabilities.

The presence of multiple critical flaws also introduces a credible risk that attackers could chain these vulnerabilities to achieve escalated impact.

Exploitation of these issues can severely affect confidentiality, integrity, and availability of affected systems.

Furthermore, there is evidence that some of these vulnerabilities are actively exploited in the wild.

Description

CVE-2025-20333: This vulnerability results from improper validation of user-supplied input in HTTP(S) requests in the VPN web server component of Cisco ASA and FTD. An attacker with valid VPN credentials can exploit this flaw to trigger a buffer overflow (CWE-120), enabling remote execution of arbitrary code as root and potentially resulting in full compromise of the device.

CVE-2025-20363: This vulnerability arises from insufficient input validation in HTTP requests across Cisco Secure Firewall ASA/FTD and Cisco IOS, IOS XE, and IOS XR web services. An attacker can send specially crafted requests to trigger a heap-based buffer overflow (CWE-122), allowing arbitrary code execution as root and complete device compromise.

CVE-2025-20362: This flaw exists in the VPN web server of Cisco Secure Firewall ASA and FTD. Improper validation of user-supplied input allows unauthenticated remote attackers to access restricted URL endpoints without proper authentication, potentially exposing sensitive resources and increasing the risk of device compromise.

In affected versions, Cisco appliances suffer from multiple critical flaws, including remote code execution. These vulnerabilities allow attackers to:
• Execute arbitrary code as root on ASA/FTD devices (CVE-2025-20333).
• Access restricted resources without authentication (CVE-2025-20362).
• Exploit web services beyond VPN to gain further control (CVE-2025-20363).
• Potentially compromise confidential configuration, intercept or modify network traffic, degrade service, or pivot laterally into protected internal networks (due to full device compromise).

Recommended Actions

 
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
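As an added example (not code from the CCB or Cisco advisories), the following triage helper checks an ASA or FTD version string against the fixed releases listed under "Affected software" above, so that an inventory can be sorted into devices still needing the update. The fixed-release numbers are copied from this advisory; the acceptance of the ASA "show version" form such as 9.18(4)67, the status labels and the function names are assumptions of this example.

```python
import re

# Fixed releases per train as listed in the advisory above. None means the
# advisory lists every release of that train as affected (no fixed release
# in that train; migrate to a fixed train).
ASA_FIXED = {
    "9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
    "9.17": None, "9.18": "9.18.4.67", "9.19": None,
    "9.20": "9.20.4.10", "9.22": "9.22.2.14", "9.23": "9.23.1.19",
}
FTD_FIXED = {
    "7.0": "7.0.8.1", "7.1": None, "7.2": "7.2.10.2", "7.3": None,
    "7.4": "7.4.2.4", "7.6": "7.6.2.1", "7.7": "7.7.10.1",
}
TABLES = {"ASA": ASA_FIXED, "FTD": FTD_FIXED}

def parse_version(text):
    """Turn '9.18(4)67' (ASA 'show version' style, assumed) or '9.18.4.67'
    into a tuple of ints so releases compare numerically, not as strings."""
    parts = re.split(r"[.()]+", text.strip())
    return tuple(int(p) for p in parts if p)

def assess(product, version):
    """Classify one device: 'fixed', 'affected', 'affected-no-fix-in-train'
    (whole train listed as affected) or 'unlisted' (train not in the
    advisory; check the vendor bulletin rather than assuming it is safe)."""
    table = TABLES[product.upper()]
    parsed = parse_version(version)
    train = "%d.%d" % parsed[:2]
    if train not in table:
        return "unlisted"
    fixed = table[train]
    if fixed is None:
        return "affected-no-fix-in-train"
    # A release with fewer components (e.g. 9.18(4)) compares below the fix
    # and is treated conservatively as affected.
    return "fixed" if parsed >= parse_version(fixed) else "affected"

def triage(inventory):
    """inventory: iterable of (host, product, version). Returns every entry
    that is not confirmed fixed, so it can be queued for patching/review."""
    return [(host, prod, ver, assess(prod, ver))
            for host, prod, ver in inventory if assess(prod, ver) != "fixed"]

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [("fw-edge-1", "ASA", "9.18(4)66"), ("fw-edge-2", "ASA", "9.23(1)19"),
              ("ftd-dc-1", "FTD", "7.3.1.1"), ("ftd-dc-2", "FTD", "7.7.10.1")]
    for row in triage(sample):
        print("%s %s %s -> %s" % row)
```

A "fixed" result only means the running release contains the fix; as the advisory notes below, it says nothing about whether the device was compromised before it was patched.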
 
Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
 
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
 
 

References

NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-20333
NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-20363
NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-20362