CVE-2025-20333
Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability - [Actively Exploited]
Description
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.
INFO
Published Date :
Sept. 25, 2025, 4:15 p.m.
Last Modified :
Oct. 28, 2025, 1:58 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.
The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
CISA Mitigation Instructions: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices ; https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions ; https://www.cisa.gov/eviction-strategies-tool/create-from-template ; https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks ; https://sec.cloudapps.cisco.com/security/center/private/resources/asa_ftd_continued_attacks#Details ; https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB ; https://nvd.nist.gov/vuln/detail/CVE-2025-20333
Affected Products
The following products are affected by CVE-2025-20333
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Update Cisco Secure Firewall ASA Software.
- Update Cisco Secure Firewall FTD Software.
- Apply vendor-provided security patches.
- Restrict access to VPN web server.
Public PoC/Exploit Available at Github
CVE-2025-20333 has a 7 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-20333.
| URL | Resource |
|---|---|
| https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB | Vendor Advisory |
| https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks | Vendor Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-20333 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-20333
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Your single pane of glass for threat intel: a clean, public feed that highlights high‑value security updates and trends.
Python JavaScript CSS HTML
None
A diagnostic security platform that demonstrates the critical importance of timely security updates
HTML
None
Zero Day SIgma rules
None
None
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-20333 vulnerability anywhere in the article.
-
The Hacker News
CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks
Nov 13, 2025Ravie LakshmananVulnerability / Network Security The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting WatchGuard Firewar ... Read more
-
CybersecurityNews
CISA Warns of Federal Agencies Not Fully Patching Actively Exploited Cisco ASA or Firepower Devices
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding federal agencies. Failing to properly patch Cisco Adaptive Security Appliances (ASA) and Firepower Thr ... Read more
-
The Hacker News
Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws
Nov 12, 2025Ravie LakshmananNetwork Security / Zero-Day Amazon's threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws ... Read more
-
The Hacker News
Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature
Nov 10, 2025Ravie LakshmananVulnerability / Incident Response Google's Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet's Triofox fi ... Read more
-
security.nl
Kritieke kwetsbaarheid in Cisco-firewalls nu ook gebruikt voor dos-aanvallen
Een kritieke kwetsbaarheid in de software van Cisco wordt nu ook actief gebruikt voor het uitvoeren van dos-aanvallen tegen firewalls, zo laat de netwerkfabrikant weten. Eerder werd het beveiligingsle ... Read more
-
BleepingComputer
Cisco: Actively exploited firewall flaws now abused for DoS attacks
Cisco warned this week that two vulnerabilities, which have been used in zero-day attacks, are now being exploited to force ASA and FTD firewalls into reboot loops. The tech giant released security up ... Read more
-
The Register
Cisco warns of 'new attack variant' battering firewalls under exploit for 6 months
Cisco warned customers about another wave of attacks against its firewalls, which have been battered by intruders for at least six months. It also patched two critical bugs in its Unified Contact Cent ... Read more
-
The Hacker News
Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362
Nov 06, 2025Ravie LakshmananZero-Day / Vulnerability Cisco on Wednesday disclosed that it became aware of a new attack variant that's designed to target devices running Cisco Secure Firewall Adaptiv ... Read more
-
BleepingComputer
Critical Cisco UCCX flaw lets attackers run commands as root
Cisco has released security updates to patch a critical vulnerability in the Unified Contact Center Express (UCCX) software, which could enable attackers to execute commands with root privileges. The ... Read more
-
CybersecurityNews
Cisco Warns of Hackers Actively Exploiting ASA and FTD 0-day RCE Vulnerability in the Wild
Cisco has confirmed that threat actors are actively exploiting a critical remote code execution (RCE) flaw in its Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software. F ... Read more
-
CybersecurityNews
Senate Investigates Cisco Over Zero-Day Firewall Vulnerabilities
U.S. Senator Bill Cassidy, Chairman of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has demanded answers from Cisco Systems regarding recent zero-day vulnerabilities in its wide ... Read more
-
The Register
Senator presses Cisco over firewall flaws that burned US agency
US Senator Bill Cassidy has fired off a pointed letter to Cisco over the firewall flaws that allegedly let hackers breach "at least one federal agency." Cassidy's letter [PDF] to Cisco CEO Chuck Robbi ... Read more
-
security.nl
Amerikaanse senator wil meer informatie van Cisco over aangevallen lekken
De Amerikaanse senator Bill Cassidy wil dat Cisco meer informatie geeft over twee aangevallen kwetsbaarheden, zo blijkt uit een open brief aan Cisco-topman Chuck Robbins. Aanleiding voor het verzoek i ... Read more
-
Daily CyberSecurity
Stealth C2: Hackers Abuse Discord Webhooks for Covert Data Exfiltration in npm, PyPI, and RubyGems Supply Chain Attacks
The Socket Threat Research Team has uncovered a growing trend among malicious package developers: leveraging Discord webhooks as command-and-control (C2) endpoints to exfiltrate sensitive data from de ... Read more
-
Daily CyberSecurity
iPhone Fold Hinge Costs Drop to $70-$80, Boosting Viability for Mass Production in 2026
The long-rumored foldable iPhone — tentatively referred to as the iPhone Fold — has yet to be officially announced, but numerous reports have already surfaced detailing its production logistics and co ... Read more
-
Daily CyberSecurity
Next-Gen AirPods: Apple Developing H3 Chip and Camera-Equipped Pro Model for Vision Pro Integration
With the official launch of AirPods Pro 3 last month, the market had widely anticipated that Apple would debut a next-generation audio chip in this model. Instead, the company opted to retain the H2 c ... Read more
-
Daily CyberSecurity
Oracle Warns of Unauthenticated Vulnerability in E-Business Suite (CVE-2025-61884)
Oracle has issued an emergency Security Alert Advisory for a newly discovered vulnerability affecting Oracle E-Business Suite, tracked as CVE-2025-61884. The flaw, which carries a critical remote expl ... Read more
-
Daily CyberSecurity
Pro-Russian Hacktivist Group TwoNet Exposed for Fabricating Critical Infrastructure Attacks to Boost Reputation
Forescout Research has uncovered a disturbing new tactic among pro-Russian hacktivists — fabricating real-world critical infrastructure attacks to inflate their reputation. In a recent case, a newly f ... Read more
-
Daily CyberSecurity
Critical Cherry Studio Flaw CVE-2025-61929 (CVSS 9.7) Allows One-Click RCE via Custom URL Protocol
A critical security flaw has been discovered in Cherry Studio, a cross-platform desktop client that supports multiple large language model (LLM) providers. Tracked as CVE-2025-61929 and rated CVSS 9.7 ... Read more
-
Daily CyberSecurity
Critical Auth Bypass (CVE-2025-61928) in Better Auth Allows Hackers to Steal User API Keys
A critical authentication bypass vulnerability has been discovered in Better Auth, a popular framework-agnostic authentication and authorization library for TypeScript, used by developers to add secur ... Read more
The following table lists the changes that have been made to the
CVE-2025-20333 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Oct. 28, 2025
Action Type Old Value New Value Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Removed Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 21, 2025
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333 -
Initial Analysis by [email protected]
Sep. 26, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* versions from (including) 9.12 up to (excluding) 9.12.4.72 *cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* versions from (including) 9.14 up to (excluding) 9.14.4.28 *cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* versions from (including) 9.16 up to (excluding) 9.16.4.85 *cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* versions from (including) 9.17.0 up to (excluding) 9.17.1.45 *cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* versions from (including) 9.18 up to (excluding) 9.18.4.47 *cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* versions from (including) 9.19 up to (excluding) 9.19.1.37 *cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* versions from (including) 9.20 up to (excluding) 9.20.3.7 *cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* versions from (including) 9.22 up to (excluding) 9.22.1.3 Added CPE Configuration OR *cpe:2.3:a:cisco:firepower_threat_defense:7.6.0:*:*:*:*:*:*:* *cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* versions from (including) 7.0.0 up to (excluding) 7.0.8.1 *cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* versions from (including) 7.1.0 up to (excluding) 7.2.9 *cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* versions from (including) 7.3.0 up to (excluding) 7.4.2.4 Added Reference Type Cisco Systems, Inc.: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB Types: Vendor Advisory Added Reference Type CISA-ADP: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks Types: Vendor Advisory -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Sep. 26, 2025
Action Type Old Value New Value Added Date Added 2025-09-25 Added Due Date 2025-09-26 Added Vulnerability Name Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability Added Required Action The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Sep. 25, 2025
Action Type Old Value New Value Added Reference https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks -
New CVE Received by [email protected]
Sep. 25, 2025
Action Type Old Value New Value Added Description A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device. Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-120 Added Reference https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB