CVE-2025-20333 – This critical vulnerability in Cisco ASA and FT... (How to Fix)

Q: What is the severity of CVE-2025-20333?

CVE-2025-20333 has a CVSS score of 9.9 (CRITICAL). This critical vulnerability in Cisco ASA and FTD VPN web servers allows authenticated remote attackers to execute arbitrary code as root. Attackers with valid VPN credentials can exploit improper input validation in HTTP(S) requests to completely compromise affected devices. Organizations using vulnerable Cisco firewall appliances are affected.

📋 TL;DR

This critical vulnerability in Cisco ASA and FTD VPN web servers allows authenticated remote attackers to execute arbitrary code as root. Attackers with valid VPN credentials can exploit improper input validation in HTTP(S) requests to completely compromise affected devices. Organizations using vulnerable Cisco firewall appliances are affected.

💻 Affected Systems

Products:

Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
Cisco Secure Firewall Threat Defense (FTD) Software

Versions: Multiple versions - check Cisco advisory for specific affected releases

Operating Systems: Cisco ASA/FTD OS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires VPN web server to be enabled and accessible. Devices configured with AnyConnect or clientless VPN are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise with root-level arbitrary code execution, allowing attackers to pivot to internal networks, steal sensitive data, and disrupt operations.

🟠

Likely Case

Attackers with stolen or compromised VPN credentials gain full control of firewall devices, enabling network persistence and lateral movement.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to the firewall device itself, though still requiring immediate remediation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid VPN user credentials. CISA has added this to Known Exploited Vulnerabilities catalog indicating active exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions available - refer to Cisco advisory for specific releases

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

Restart Required: Yes

Instructions:

1. Review Cisco advisory for specific fixed versions. 2. Download appropriate software from Cisco Software Center. 3. Backup configuration. 4. Apply update following Cisco upgrade procedures. 5. Verify successful update and functionality.

🔧 Temporary Workarounds

Disable VPN Web Server

all

Temporarily disable the vulnerable VPN web server functionality if not required

no webvpn
no enable outside

Restrict VPN Access

all

Limit VPN access to trusted IP ranges and implement multi-factor authentication

access-list VPN-ACL permit ip <trusted-networks> any
aaa authentication login VPN-AUTH group <radius-group> local

🧯 If You Can't Patch

Implement strict network segmentation to isolate vulnerable devices
Enable comprehensive logging and monitoring for suspicious VPN activity

🔍 How to Verify

Check if Vulnerable:

Check ASA/FTD version with 'show version' and compare against Cisco advisory affected versions list

Check Version:

show version | include Version

Verify Fix Applied:

Verify version after update with 'show version' and confirm it matches fixed releases in advisory

📡 Detection & Monitoring

Log Indicators:

Unusual VPN authentication patterns
Multiple failed login attempts followed by success
HTTP requests with unusual parameters to VPN endpoints

Network Indicators:

Anomalous outbound connections from firewall devices
Unexpected traffic patterns from VPN IP ranges

SIEM Query:

source="cisco-asa" (event_id=722051 OR event_id=722056) AND (url="*webvpn*" OR url="*/+CSCOE+/*")

📊 Metadata

CVE ID: CVE-2025-20333

CVSS v3 Score: 9.9 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-120

EPSS Score: 18.66% exploit probability (95.1th percentile)

CISA KEV: Actively Exploited added Sep 25, 2025

Published: September 25, 2025

Last Updated: October 28, 2025

🔗 References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB Vendor Advisory
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-20333, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Adaptive Security Appliance Software by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

Firepower Threat Defense by Cisco

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable VPN Web Server

Restrict VPN Access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities