Critical Cisco Flaw Allows Remote Code Execution on Firewalls and Routers

Cisco has published a Critical security advisory (ID cisco-sa-http-code-exec-WmfP3h3O) revealing a remote code execution flaw in multiple Cisco platforms.

First disclosed on September 25, 2025, this vulnerability (CVE-2025-20363) affects the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, and various IOS-based operating systems.

With a CVSS 3.1 base score of 9.0, the flaw enables unauthenticated or low-privileged attackers to gain full root privileges, potentially leading to complete device compromise.

Nature of the Vulnerability

The flaw stems from improper validation of user-supplied input within HTTP requests.

An attacker who can send crafted HTTP requests to an affected web service may exploit this input validation error to execute arbitrary code as root.

For ASA and FTD devices, no authentication is required; for IOS, IOS XE, and IOS XR devices, only low-privilege credentials are needed.

The vulnerability is reachable through the SSL VPN and HTTP server features, which open SSL-enabled listen sockets on the device; those sockets are the attack surface.

Affected Products and Configurations

Cisco Secure Firewall ASA and FTD Software

Any ASA or FTD deployment with mobile user security (MUS) or SSL VPN features enabled is vulnerable. Specifically, configurations that use the webvpn command with active SSL listen sockets expose the flaw.

Cisco IOS and IOS XE Software

Devices with the Remote Access SSL VPN feature enabled (show running-config | section webvpn for IOS, show running-config | section crypto ssl policy for IOS XE) are at risk if the SSL policy is not explicitly shut down.

Cisco IOS XR Software

Only 32-bit IOS XR releases running on ASR 9001 routers with the HTTP server enabled (show running-config | include http server) are affected.

Administrators can verify architecture via the run uname -s command, where a QNX response signifies 32-bit.

Cisco has confirmed that Cisco NX-OS Software is not vulnerable.
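To turn the per-platform checks above into a repeatable audit, here is an added example (not from the advisory or from Cisco) that applies the advisory's criteria to saved "show running-config" output. The config snippets and the uname value are constructed samples, and the section-matching logic is an assumption that mimics the "| section" filter rather than a real device API.

```python
import re

# Constructed sample "show running-config" excerpts, one per platform (not real devices).
SAMPLE_CONFIGS = {
    "asa":   "hostname fw1\nwebvpn\n enable outside\n anyconnect enable\n",
    "ios":   "hostname r1\nwebvpn gateway gw1\n ip address 192.0.2.1 port 443\n inservice\n",
    "iosxe": "hostname r2\ncrypto ssl policy ssl-pol\n pki trustpoint tp sign\n shutdown\n",
    "iosxr": "hostname r3\nhttp server\n",
}

def _section(config, header_re):
    """Return the config block whose first line matches header_re; the block ends at
    the next non-indented line. Approximates 'show running-config | section <x>'."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if re.match(header_re, line):
            block = [line]
            for nxt in lines[i + 1:]:
                if nxt and not nxt[0].isspace():
                    break
                block.append(nxt)
            return block
    return []

def exposed(platform, config, uname=None):
    """True if the config enables the feature the advisory names for that platform.
    uname is the output of 'run uname -s' and is only consulted for IOS XR."""
    p = platform.lower()
    if p in ("asa", "ftd"):
        # ASA/FTD: webvpn with an SSL listen socket, i.e. 'enable <interface>' under webvpn
        return any(l.strip().startswith("enable ") for l in _section(config, r"^webvpn\b"))
    if p == "ios":
        # IOS: any Remote Access SSL VPN (webvpn) configuration present
        return bool(_section(config, r"^webvpn\b"))
    if p == "iosxe":
        # IOS XE: a 'crypto ssl policy' that is not explicitly shut down
        pol = _section(config, r"^crypto ssl policy\b")
        return bool(pol) and not any(l.strip() == "shutdown" for l in pol)
    if p == "iosxr":
        # IOS XR: HTTP server enabled AND a 32-bit image (uname -s reports QNX)
        http_on = any(l.strip() == "http server" for l in config.splitlines())
        return http_on and uname is not None and uname.strip() == "QNX"
    raise ValueError(f"unknown platform {platform!r}")

def audit_samples():
    """Run the check over the constructed samples; IOS XR is evaluated with uname 'QNX'."""
    return {p: exposed(p, c, uname="QNX" if p == "iosxr" else None)
            for p, c in SAMPLE_CONFIGS.items()}

if __name__ == "__main__":
    for platform, flagged in audit_samples().items():
        print(f"{platform:6s} exposed={flagged}")
```

Feed it real config dumps only after confirming the section filters match your IOS XE and IOS XR syntax; the ASA branch treats any "enable <interface>" line under webvpn as an active SSL listen socket.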

Impact and Severity

A successful exploit allows arbitrary code execution with root privileges, leading to complete control over affected devices.

The Security Impact Rating is Critical for ASA and FTD Software and High for IOS, IOS XE, and IOS XR Software, with the latter group receiving a CVSS score of 8.5 due to the requirement for low-privilege credentials.

Workarounds and Mitigation

There are no effective workarounds.

Cisco strongly recommends that all customers apply the fixed software releases outlined in the advisory immediately.

Temporary measures, such as disabling SSL VPN features or HTTP server functionality, are insufficient and not officially supported as long-term fixes.

Fixed Software and Remediation

Cisco has released patches for all affected platforms. Customers can use the Cisco Software Checker tool to identify impacted releases and the earliest fixed versions.

Users should:

  1. Visit the Cisco Software Checker and select this advisory.
  2. Specify the relevant software release and platform.
  3. Upgrade to the “First Fixed” release as indicated by the tool.

For IOS XR 32-bit releases on ASR 9001 routers, customers must contact Cisco support to request the appropriate SMU (Software Maintenance Update).

  • Audit Configurations: Immediately review firewall and router configurations for SSL VPN or HTTP server enablement.
  • Apply Updates: Prioritize upgrading to fixed releases for ASA, FTD, IOS, IOS XE, and IOS XR Software.
  • Monitor PSIRT Announcements: Stay alert for any follow-up advisories or exploitation reports.

This vulnerability underscores the critical importance of timely patching on network security appliances.

Organizations relying on Cisco ASA, FTD, and IOS-based devices should treat this advisory as an urgent priority to prevent full device compromise.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
