CVE Alert: CVE-2025-20333 - Cisco - Cisco Adaptive Security Appliance (ASA) Software

CVE-2025-20333

CRITICALExploitation active

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.

CVSS v3.1 (9.9)

AV NETWORK · AC LOW · PR LOW · UI NONE · S CHANGED

Vendor

Cisco, Cisco

Product

Cisco Adaptive Security Appliance (ASA) Software, Cisco Firepower Threat Defense Software

Versions

9.8.1 | 9.8.1.5 | 9.8.1.7 | 9.8.2 | 9.8.2.8 | 9.8.2.14 | 9.8.2.15 | 9.8.2.17 | 9.8.2.20 | 9.8.2.24 | 9.8.2.26 | 9.8.2.28 | 9.8.2.33 | 9.8.2.35 | 9.8.2.38 | 9.8.3.8 | 9.8.3.11 | 9.8.3.14 | 9.8.3.16 | 9.8.3.18 | 9.8.3.21 | 9.8.3 | 9.8.3.26 | 9.8.3.29 | 9.8.4 | 9.8.4.3 | 9.8.4.7 | 9.8.4.8 | 9.8.4.10 | 9.8.4.12 | 9.8.4.15 | 9.8.4.17 | 9.8.2.45 | 9.8.4.25 | 9.8.4.20 | 9.8.4.22 | 9.8.4.26 | 9.8.4.29 | 9.8.4.32 | 9.8.4.33 | 9.8.4.34 | 9.8.4.35 | 9.8.4.39 | 9.8.4.40 | 9.8.4.41 | 9.8.4.43 | 9.8.4.44 | 9.8.4.45 | 9.8.4.46 | 9.8.4.48 | 9.12.1 | 9.12.1.2 | 9.12.1.3 | 9.12.2 | 9.12.2.4 | 9.12.2.5 | 9.12.2.9 | 9.12.3 | 9.12.3.2 | 9.12.3.7 | 9.12.4 | 9.12.3.12 | 9.12.3.9 | 9.12.2.1 | 9.12.4.2 | 9.12.4.4 | 9.12.4.7 | 9.12.4.10 | 9.12.4.13 | 9.12.4.8 | 9.12.4.18 | 9.12.4.24 | 9.12.4.26 | 9.12.4.29 | 9.12.4.30 | 9.12.4.35 | 9.12.4.37 | 9.12.4.38 | 9.12.4.39 | 9.12.4.40 | 9.12.4.41 | 9.12.4.47 | 9.12.4.48 | 9.12.4.50 | 9.12.4.52 | 9.12.4.54 | 9.12.4.55 | 9.12.4.56 | 9.12.4.58 | 9.12.4.62 | 9.12.4.65 | 9.12.4.67 | 9.14.1 | 9.14.1.10 | 9.14.1.6 | 9.14.1.15 | 9.14.1.19 | 9.14.1.30 | 9.14.2 | 9.14.2.4 | 9.14.2.8 | 9.14.2.13 | 9.14.2.15 | 9.14.3 | 9.14.3.1 | 9.14.3.9 | 9.14.3.11 | 9.14.3.13 | 9.14.3.18 | 9.14.3.15 | 9.14.4 | 9.14.4.6 | 9.14.4.7 | 9.14.4.12 | 9.14.4.13 | 9.14.4.14 | 9.14.4.15 | 9.14.4.17 | 9.14.4.22 | 9.14.4.23 | 9.14.4.24 | 9.16.1 | 9.16.1.28 | 9.16.2 | 9.16.2.3 | 9.16.2.7 | 9.16.2.11 | 9.16.2.13 | 9.16.2.14 | 9.16.3 | 9.16.3.3 | 9.16.3.14 | 9.16.3.15 | 9.16.3.19 | 9.16.3.23 | 9.16.4 | 9.16.4.9 | 9.16.4.14 | 9.16.4.18 | 9.16.4.19 | 9.16.4.27 | 9.16.4.38 | 9.16.4.39 | 9.16.4.42 | 9.16.4.48 | 9.16.4.55 | 9.16.4.57 | 9.16.4.61 | 9.16.4.62 | 9.16.4.67 | 9.16.4.70 | 9.16.4.71 | 9.16.4.76 | 9.16.4.82 | 9.16.4.84 | 9.17.1 | 9.17.1.7 | 9.17.1.9 | 9.17.1.10 | 9.17.1.11 | 9.17.1.13 | 9.17.1.15 | 9.17.1.20 | 9.17.1.30 | 9.17.1.33 | 9.17.1.39 | 9.18.1 | 9.18.1.3 | 9.18.2 | 9.18.2.5 | 9.18.2.7 | 9.18.2.8 | 9.18.3 | 9.18.3.39 | 9.18.3.46 | 9.18.3.53 | 9.18.3.55 | 9.18.3.56 | 9.18.4 | 9.18.4.5 | 9.18.4.8 | 9.18.4.22 | 9.18.4.24 | 9.18.4.29 | 9.18.4.34 | 9.18.4.40 | 9.19.1 | 9.19.1.5 | 9.19.1.9 | 9.19.1.12 | 9.19.1.18 | 9.19.1.22 | 9.19.1.24 | 9.19.1.27 | 9.19.1.28 | 9.19.1.31 | 9.20.1 | 9.20.1.5 | 9.20.2 | 9.20.2.10 | 9.20.2.21 | 9.20.2.22 | 9.20.3 | 9.20.3.4 | 9.22.1.1 | 9.22.1.2 | 6.2.3 | 6.2.3.1 | 6.2.3.2 | 6.2.3.3 | 6.2.3.4 | 6.2.3.5 | 6.2.3.6 | 6.2.3.7 | 6.2.3.8 | 6.2.3.10 | 6.2.3.11 | 6.2.3.9 | 6.2.3.12 | 6.2.3.13 | 6.2.3.14 | 6.2.3.15 | 6.2.3.16 | 6.2.3.17 | 6.2.3.18 | 6.6.0 | 6.6.0.1 | 6.6.1 | 6.6.3 | 6.6.4 | 6.6.5 | 6.6.5.1 | 6.6.5.2 | 6.6.7 | 6.6.7.1 | 6.6.7.2 | 6.4.0 | 6.4.0.1 | 6.4.0.3 | 6.4.0.2 | 6.4.0.4 | 6.4.0.5 | 6.4.0.6 | 6.4.0.7 | 6.4.0.8 | 6.4.0.9 | 6.4.0.10 | 6.4.0.11 | 6.4.0.12 | 6.4.0.13 | 6.4.0.14 | 6.4.0.15 | 6.4.0.16 | 6.4.0.17 | 6.4.0.18 | 7.0.0 | 7.0.0.1 | 7.0.1 | 7.0.1.1 | 7.0.2 | 7.0.2.1 | 7.0.3 | 7.0.4 | 7.0.5 | 7.0.6 | 7.0.6.1 | 7.0.6.2 | 7.0.6.3 | 7.0.7 | 7.0.8 | 7.1.0 | 7.1.0.1 | 7.1.0.2 | 7.1.0.3 | 7.2.0 | 7.2.0.1 | 7.2.1 | 7.2.2 | 7.2.3 | 7.2.4 | 7.2.4.1 | 7.2.5 | 7.2.5.1 | 7.2.6 | 7.2.7 | 7.2.5.2 | 7.2.8 | 7.2.8.1 | 7.3.0 | 7.3.1 | 7.3.1.1 | 7.3.1.2 | 7.4.0 | 7.4.1 | 7.4.1.1 | 7.4.2 | 7.4.2.1 | 7.4.2.2 | 7.4.2.3 | 7.6.0

CWE

CWE-120, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Published

2025-09-25T16:12:14.308Z

Updated

2025-09-25T17:17:49.300Z

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

AI Summary Analysis

Risk verdict

Critical risk with active exploitation against the VPN web server on Cisco ASA/FTD; urgent remediation required.

Why this matters

Root access on the firewall could enable full compromise of the device, enabling weaponisation of the network perimeter, credential theft, and lateral movement into internal networks. The combination of network access, low-privilege required, and no user interaction makes automated, rapid exploitation feasible in many environments.

Most likely attack path

An attacker with valid VPN credentials can reach the VPN web interface over the network, sending crafted HTTP requests to trigger arbitrary code execution with root privileges. The scope change indicates the exploit can escalate from initial access to complete device compromise, even without user interaction.

Who is most exposed

Organisations exposing Cisco ASA/FTD VPN web portals to the internet—especially those with remote workforces or MSP-based deployments—are most at risk.

Detection ideas

Look for unusual, crafted HTTP(S) requests targeting the VPN web interface (webvpn) and anomalous parameter usage.
Monitor VPN authentication activity for spikes, anomalous sources, or credential-stuffing patterns.
Detect config changes, reboots, or unexpected high-privilege actions following suspicious web requests.
Correlate with Cisco PSIRT advisories and attempted exploitation indicators in security event data.

Mitigation and prioritisation

Apply the fixed software release recommended by Cisco immediately; verify patch placement in test and production.
Enforce MFA for VPN access, restrict access by IP, and minimise exposure of the VPN web interface.
Consider compensating controls: restrict administrative access to management networks, enable strict logging, and implement segmentation around the firewall.
Plan a rapid, coordinated patch window; communicate changes across IT and security teams; validate backups and rollback procedures.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: cisco, cisco-adaptive-security-appliance-asa-software, cisco-firepower-threat-defense-software, CVE, cve-2025-20333, OSINT, threatintel