Cisco has disclosed a critical remote code execution vulnerability affecting its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software platforms.
Tracked as CVE-2025-20333, this flaw received a maximum CVSS 3.1 score of 9.9, marking it as one of the most severe security issues impacting enterprise firewall infrastructure.
The vulnerability resides in the VPN web server component and could allow authenticated attackers to execute arbitrary code with root privileges on vulnerable devices.
Technical Details and Exploitation Method
The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests processed by the VPN web server.
An attacker possessing valid VPN credentials can craft specially designed HTTP requests targeting the affected device, exploiting the underlying input validation flaw.
Upon successful exploitation, the attacker gains the ability to execute arbitrary code with root-level privileges, effectively achieving complete compromise of the firewall appliance.
This represents a critical security breach, given that firewalls serve as the primary defense perimeter for enterprise networks.
Cisco confirmed that exploitation attempts are actively occurring in the wild, elevating the urgency for organizations to apply patches immediately.
Cisco disclosed a new attack variant on November 5, 2025, which can force vulnerable unpatched devices to experience unexpected reloads, triggering denial-of-service conditions.
This development compounds the risk profile, as attackers can now leverage the vulnerability to cause both code execution and service disruption simultaneously.
The vulnerability affects Cisco devices running vulnerable ASA or FTD software releases with specific configurations enabled.
Vulnerable configurations include AnyConnect IKEv2 Remote Access with client services, Mobile User Security (MUS), SSL VPN, and AnyConnect SSL VPN features.
Organizations must identify whether their deployed firewalls use these features by examining running configurations for webvpn or crypto ikev2 enable commands.
Notably, no workarounds are available, making patching the only remediation option.
Cisco strongly recommends that all affected customers upgrade to fixed software releases immediately.
The company provides the Cisco Software Checker tool to help organizations identify their exposure and determine the appropriate fixed release version.
Additionally, once patching is complete, administrators should review threat detection configurations for VPN services to enable protections against remote access VPN login authentication attacks and client initiation attempts.
| CVE ID | Product | Affected Versions | CVSS 3.1 Score | Vector | Impact | CWE |
|---|---|---|---|---|---|---|
| CVE-2025-20333 | Cisco Secure Firewall ASA & FTD | Multiple ASA & FTD releases | 9.9 (Critical) | Network/Low/Privileged/No User Interaction | Remote Code Execution as Root | CWE-120 (Buffer Overflow) |
Cyber Awareness Month Offer: Upskill With 100+ Premium Cybersecurity Courses From EHA's Diamond Membership: Join Today
%20(1).webp?resize=1068,580&ssl=1&description=Tracked as CVE-2025-20333, this flaw received a maximum CVSS 3.1 score of 9.9, marking it as one of the most severe security issues impacting enterprise firewall infrastructure.){kind=link}