External risk intelligence

Cisco Secure Firewall VPN Vulnerability Allows Code Execution.

CVE advisoryKnown Exploit

CVE-2025-20333

A vulnerability in Cisco Secure Firewall VPN web servers could allow an authenticated attacker to execute arbitrary code. This could lead to complete compromise of affected devices. The U.S. CISA has identified this as a known exploited vulnerability.

5Halo Surface Signal

Buffer Overflow

Cisco Adaptive Security Appliance Software

9.12 to before 9.12.4.729.14 to before 9.14.4.289.16 to before 9.16.4.859.17.0 to before 9.17.1.459.18 to before 9.18.4.479.19 to before 9.19.1.379.20 to before 9.20.3.79.22 to before...

External exposure likelihood

Halo Surface Signal score for CVE-2025-20333

The vulnerability affects the VPN web server component of Cisco Secure Firewall ASA and FTD software. VPN gateways and web-based remote access portals are intentionally designed to be exposed to the public internet to facilitate remote connectivity for users and are standard entry points for network infrastructure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

The VPN web server component within Cisco Secure Firewall ASA and FTD Software is susceptible to a vulnerability. This flaw allows an authenticated, remote attacker to execute arbitrary code on an affected device. The primary impact can lead to the complete compromise of the affected device.

  • Vulnerable VPN web server component
  • Improper input validation in HTTP(S) requests
  • Complete device compromise

Attack Path

How an attacker could exploit the issue

A remote attacker with valid credentials can exploit a vulnerability in the Cisco Secure Firewall VPN web server. This vulnerability arises from improper handling of user-supplied input in HTTP(S) requests. By sending specially crafted requests, an attacker could execute arbitrary code with root privileges, leading to a complete compromise of the affected device.

  • Required exposure: External VPN web server access.
  • Attacker starting point: Authenticated VPN user.
  • Trigger and result: Crafted HTTP request leads to arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability exists in Cisco Secure Firewall ASA and FTD software that could allow an authenticated, remote attacker to execute arbitrary code. This is due to improper handling of user-supplied input in HTTP(S) requests. Successful exploitation could lead to the execution of code as root, potentially resulting in complete compromise of the affected device. The U.S. CISA has identified this vulnerability as a significant threat, adding it to its Known Exploited Vulnerabilities catalog.

  • Attacker skill level: Moderate.
  • Required access: Valid VPN credentials.
  • Business risk or urgency: Critical, requires immediate attention.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical vulnerability exists in Cisco Secure Firewall ASA and FTD software that could allow an authenticated attacker to execute arbitrary code on the device. This is due to improper input validation in HTTP(S) requests. Successful exploitation could lead to complete device compromise.

  • Find affected Cisco ASA and FTD assets.
  • Isolate exposed VPN web server components.
  • Apply vendor updates and verify remediation.
  • Monitor for related malicious activity.

Frequently asked questions

What is Cisco Secure Firewall ASA and FTD software?

Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) are network security products designed to protect networks using firewalls, VPNs, and other security features. They help organizations manage and secure their network traffic.

What weakness does CVE-2025-20333 expose in Cisco Secure Firewall?

CVE-2025-20333 is a critical vulnerability caused by improper validation of user-supplied input in HTTP(S) requests to the VPN web server. This weakness, identified as CWE-120 (Buffer Overflow), allows an authenticated attacker to execute arbitrary code.

How can an attacker exploit the Cisco Secure Firewall vulnerability?

An authenticated remote attacker with valid VPN credentials can exploit this vulnerability by sending crafted HTTP requests to the VPN web server. Successful exploitation allows the attacker to execute arbitrary code as root, potentially leading to complete compromise of the device.

What is the impact of CVE-2025-20333 on Cisco Secure Firewall?

This vulnerability presents a very likely threat as it affects the VPN web server, a common entry point. Exploitation can result in arbitrary code execution with root privileges, leading to a complete compromise of the affected Cisco Secure Firewall device. The U.S. CISA has added it to their Known Exploited Vulnerabilities catalog, highlighting its significance.

What steps should be taken to address the Cisco Secure Firewall vulnerability?

Organizations should identify affected Cisco ASA and FTD assets, isolate exposed VPN web server components, and apply vendor updates promptly. Continuous monitoring for related malicious activity is also recommended to verify remediation and ensure security.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified