Cisco Firewall, Unified CCX, and ISE Vulnerability Summary (Nov 2025)
Published 2025-11-17 20:1:45 | Author: securityboulevard.com

CVE-2025-20333 and CVE-2025-20362 Details

Cisco disclosed a new active attack variant that targets and exploits the previously known vulnerabilities in Cisco Secure Firewall ASA and FTD software (CVE-2025-20333 and CVE-2025-20362). The attack causes unpatched devices to reboot/reload unexpectedly, creating the conditions for a denial of service (DoS).

The critical remote code execution (RCE) vulnerability, CVE-2025-20333, exists in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. The flaw arises from improper validation of user-supplied input in HTTP(S) requests handled by the VPN web service. An authenticated remote attacker (one holding valid VPN credentials) can send crafted HTTP requests to execute arbitrary code as root, leading to full device compromise and takeover. Cisco confirmed active exploitation attempts that use this new attack variant to trigger unexpected device reloads (DoS) on unpatched ASA/FTD systems, linked to previously observed exploitation of CVE-2025-20362.

The medium-severity unauthorized access vulnerability, CVE-2025-20362, is also located in the VPN web server component and is likewise caused by improper validation of user-supplied HTTP(S) input. It allows an unauthenticated remote attacker to access restricted VPN-related URLs that should require authentication. Successful exploitation could give limited access to protected resources or services, but not full system compromise.

Both vulnerabilities affect Cisco Secure Firewall ASA and FTD software with remote access VPN features enabled, including SSL and IKEv2 configurations. The Cisco Secure Firewall Management Center (FMC) is not affected.

Cisco urges an immediate upgrade to patched versions, as no configuration-based mitigation exists.

Use the Cisco Software Checker for “First Fixed” or “Combined First Fixed” releases.


ASA 9.12 → Fixed in 9.12.4.72 (final)

ASA 9.14 → Fixed in 9.14.4.28 (final)

Note: Models 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X are end-of-support; migration to supported hardware is advised.
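The upgrade guidance above boils down to a version comparison against the two "First Fixed" releases listed. The script below is an added example (not code from the original post or from Cisco) that parses an ASA version in either the `show version` form (`9.12(4)72`) or the advisory form (`9.12.4.72`) and classifies it against those two releases; the `show version` excerpt is constructed, and any train other than 9.12 and 9.14 is reported as unknown because the summary lists no fixed release for it, so it must be checked with the Cisco Software Checker instead.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# First-fixed releases exactly as listed in the summary above. Only the 9.12 and
# 9.14 trains are given there; any other train must be checked with the Cisco
# Software Checker rather than assumed fixed.
FIRST_FIXED = {
    (9, 12): (9, 12, 4, 72),
    (9, 14): (9, 14, 4, 28),
}

# Matches both the "show version" form "9.12(4)72" and the advisory form "9.12.4.72".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)[.(](\d+)[.)](\d+)\b")


def parse_asa_version(text: str) -> Optional[Version]:
    """Return the first four-part ASA version found in text, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def assess(version_text: str) -> str:
    """Classify a version string (or a whole 'show version' dump) against FIRST_FIXED.

    Returns 'fixed', 'vulnerable' or 'unknown-train'.
    """
    version = parse_asa_version(version_text)
    if version is None:
        raise ValueError(f"no four-part ASA version found in {version_text!r}")
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return "unknown-train"
    # Tuple comparison is lexicographic, so 9.12.4.72 >= 9.12.4.72 is fixed and
    # 9.12.4.65 < 9.12.4.72 is vulnerable, as expected.
    return "fixed" if version >= fixed else "vulnerable"


# Constructed excerpt of 'show version' output from a hypothetical device.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.12(4)65
Device Manager Version 7.12(2)
"""

if __name__ == "__main__":
    for v in ("9.12(4)72", "9.14(4)28", "9.14(4)20", SAMPLE_SHOW_VERSION):
        print(v.splitlines()[0], "->", assess(v))
```

Feed it the raw output of `show version` collected from each device and treat `unknown-train` as "not yet assessed", not as safe.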

It is also recommended to enable Threat Detection for VPN Services (see the ASA CLI Guide) to identify and block malformed login attempts, with additional monitoring for:
1. Unauthenticated or malformed HTTP(S) requests to /+CSCOE+/ or VPN endpoints
2. Unexpected device reloads, WebVPN restarts, or HTTP parsing errors
3. Unusual VPN login patterns or log anomalies involving webvpn traffic
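The three monitoring items above can be turned into simple detection logic. The script below is an added example (not from the original post, Cisco, or any of the vendors linked under Resources) that runs over constructed sample data: access-log lines in Common Log Format for the WebVPN portal, which is an assumed log shape that a reverse proxy or traffic-capture pipeline in front of the firewall might yield, and ASA-style syslog lines for device startup. It flags session-less requests to `/+CSCOE+/` and `/+webvpn+/` paths outside an assumed pre-authentication allowlist, structurally malformed request paths, sources that probe repeatedly, and devices that start up more than once within a 24-hour window. The syslog message ID 199002 in the sample is taken from memory of the ASA syslog guide and should be verified there before it is used in a production rule.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# --- Constructed sample data (not real traffic) --------------------------------
# Common Log Format lines for a WebVPN portal; addresses are from the documentation
# ranges 192.0.2.0/24 and 203.0.113.0/24. The third field ("-" or a username) marks
# whether the request carried an authenticated session.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [17/Nov/2025:20:01:45 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 3120
192.0.2.10 - - [17/Nov/2025:20:01:52 +0000] "POST /+webvpn+/index.html HTTP/1.1" 302 0
192.0.2.10 - alice [17/Nov/2025:20:01:53 +0000] "GET /+CSCOE+/portal.html HTTP/1.1" 200 8810
203.0.113.7 - - [17/Nov/2025:20:03:01 +0000] "GET /+CSCOE+/portal.html HTTP/1.1" 403 0
203.0.113.7 - - [17/Nov/2025:20:03:02 +0000] "GET /+CSCOE+/files/browse.html HTTP/1.1" 403 0
203.0.113.7 - - [17/Nov/2025:20:03:02 +0000] "GET /+CSCOE+/%zz%zz/logon.html HTTP/1.1" 400 0
"""

# ASA-style syslog with hostname as device-id. Message ID 199002 ("Startup completed.
# Beginning operation.") is recalled from the ASA syslog guide; verify before use.
SAMPLE_SYSLOG = """\
Nov 17 2025 02:10:11 fw-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
Nov 17 2025 20:05:40 fw-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
Nov 17 2025 20:09:13 fw-edge-1 %ASA-6-199002: Startup completed. Beginning operation.
Nov 17 2025 03:00:00 fw-edge-2 %ASA-6-199002: Startup completed. Beginning operation.
"""

_CLF_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (.*?) HTTP/[\d.]+" (\d{3}) \S+$')
_VPN_PATH_RE = re.compile(r"^/\+(?:CSCOE|webvpn)\+/")
_BAD_PCT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")   # '%' not followed by two hex digits
_STARTUP_RE = re.compile(r"^(\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (\S+) .*Startup completed")

# Pages a client legitimately touches before it has a session (assumed allowlist;
# extend it from your own baseline of normal login traffic).
PRE_AUTH_OK = {"/+CSCOE+/logon.html", "/+webvpn+/index.html"}


def is_malformed(path: str) -> bool:
    """Cheap structural checks: oversized path, non-printable bytes, broken %-encoding."""
    return (len(path) > 512
            or any(not 0x20 <= ord(c) <= 0x7E for c in path)
            or _BAD_PCT_RE.search(path) is not None)


def analyze_access_log(text: str) -> List[Dict[str, str]]:
    """Flag malformed requests and session-less requests to VPN endpoints."""
    findings = []
    for line in text.splitlines():
        m = _CLF_RE.match(line)
        if m is None:
            continue
        src, user, when, method, path, status = m.groups()
        base = path.split("?", 1)[0]
        if is_malformed(path):
            reason = "malformed-request"
        elif user == "-" and _VPN_PATH_RE.match(base) and base not in PRE_AUTH_OK:
            reason = "unauthenticated-vpn-endpoint"
        else:
            continue
        findings.append({"time": when, "src": src, "method": method,
                         "path": path, "status": status, "reason": reason})
    return findings


def probing_sources(findings: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Sources with at least `threshold` flagged requests, i.e. a probing pattern."""
    hits = Counter(f["src"] for f in findings)
    return sorted(src for src, n in hits.items() if n >= threshold)


def unexpected_reloads(text: str, window: timedelta = timedelta(hours=24),
                       max_ok: int = 1) -> Dict[str, int]:
    """Devices that started up more than `max_ok` times inside any `window`."""
    starts = defaultdict(list)
    for line in text.splitlines():
        m = _STARTUP_RE.match(line)
        if m:
            starts[m.group(2)].append(datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S"))
    flagged = {}
    for device, stamps in starts.items():
        stamps.sort()
        worst = max(sum(1 for t in stamps[i:] if t - first <= window)
                    for i, first in enumerate(stamps))
        if worst > max_ok:
            flagged[device] = worst
    return flagged


if __name__ == "__main__":
    for f in analyze_access_log(SAMPLE_ACCESS_LOG):
        print(f["reason"], f["src"], f["path"])
    print("probing:", probing_sources(analyze_access_log(SAMPLE_ACCESS_LOG)))
    print("reloads:", unexpected_reloads(SAMPLE_SYSLOG))
```

The allowlist and the thresholds are the tuning points: a single session-less hit on a portal page is often a stale browser tab, whereas several distinct paths from one source in seconds, or a device that restarts twice in an afternoon after a maintenance-free week, is what the Cisco guidance above asks you to look for.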


Resources:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
https://nvd.nist.gov/vuln/detail/cve-2025-20333
https://nvd.nist.gov/vuln/detail/cve-2025-20362

Possible Detection Resources:
https://unit42.paloaltonetworks.com/zero-day-vulnerabilities-affect-cisco-software/
https://www.rapid7.com/blog/post/etr-cve-2025-20333-cve-2025-20362-cve-2025-20363-multiple-critical-vulnerabilities-affecting-cisco-products/
https://attackerkb.com/topics/Szq5u0xgUX/cve-2025-20362/rapid7-analysis
https://www.zscaler.com/blogs/security-research/cisco-firewall-and-vpn-zero-day-attacks-cve-2025-20333-and-cve-2025-20362
https://research.splunk.com/network/7e9a5a2c-2f1a-4b6a-9a4b-9e7d9c8f5a21/
https://research.splunk.com/network/3b8d2b4f-4e1e-4a9e-9b43-8a7a3a9c7e21/
https://research.splunk.com/network/ded9f9d7-edb8-48cf-8b72-1b459eee6785/
https://research.splunk.com/application/4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4/
https://research.splunk.com/network/b71e57e8-c571-4ff1-ae13-bc4384a9e891/
https://research.splunk.com/application/7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201/
https://medium.com/@abdul.myid/sigma-rule-unauthenticated-access-attempts-to-cisco-asa-ftd-webvpn-noise-reduced-f570f89f9403 


Source: https://securityboulevard.com/2025/11/cisco-firewall-unified-ccx-and-ise-vulnerability-summary-nov-2025/