External risk intelligence

Cisco Firewall VPN Web Server Unauthorized Access Vulnerability

CVE advisory | Known exploit

CVE-2025-20362

A vulnerability in Cisco Secure Firewall VPN web servers allows unauthenticated attackers to access restricted URLs. This could lead to unauthorized access, impacting system availability and data confidentiality for affected organizations. Organizations should address this risk promptly.

Halo Surface Signal: 5

Denial of Service

Cisco Adaptive Security Appliance Software

  • 9.12 to before 9.12.4.72
  • 9.14 to before 9.14.4.28
  • 9.16 to before 9.16.4.85
  • 9.17.0 to before 9.18.4.67
  • 9.19 to before 9.20.4.10
  • 9.22 to before 9.22.2.14
  • 9.23 to before 9.23.1.19
  • 7.0.0 to befo...

External exposure likelihood

Halo Surface Signal score for CVE-2025-20362

The vulnerability resides in the VPN web server functionality of Cisco Secure Firewall ASA and FTD software. This component is designed to be internet-facing to facilitate remote access, making it a public-facing edge service by default in standard deployment scenarios.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the VPN web server of Cisco Secure Firewall ASA and FTD software could allow an unauthenticated, remote attacker to access restricted URL endpoints. This flaw stems from improper validation of user-supplied input in HTTP(S) requests. Successful exploitation enables an attacker to access a restricted URL without requiring authentication.

  • Vulnerable VPN web server
  • Improper input validation
  • Unauthorized access to restricted URLs

Attack Path

How an attacker could exploit the issue

This vulnerability could allow an unauthenticated, remote attacker to bypass security controls by accessing restricted URL endpoints related to remote access VPNs. The attacker would exploit this by sending specially crafted HTTP requests to the device's web server. A successful exploitation could lead to an attacker gaining unauthorized access to these sensitive endpoints without needing to authenticate.

  • Public-facing VPN web server exposure.
  • Attacker sends crafted HTTP requests.
  • Access to restricted URL endpoints.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk because it could allow unauthenticated attackers to reach restricted areas of the VPN web server. Exploitation could lead to denial-of-service conditions and potential data compromise, impacting system availability and data confidentiality for affected organizations. The attack vector is the network: any device whose VPN web server is reachable from the internet is at risk.

  • Likely attacker skill level: Low
  • Required access or conditions: Public internet access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An active attack variant targeting Cisco Secure ASA and FTD software has been observed, potentially leading to denial-of-service conditions on unpatched devices. This vulnerability allows unauthenticated remote attackers to access restricted URL endpoints within the VPN web server. Organizations should prioritize identifying and mitigating exposure to this threat.

  • Find affected Cisco ASA and FTD assets.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes, verify, and monitor.
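An added example, not Cisco tooling or code from this page, that encodes the ASA version ranges listed above and triages an inventory of version strings so that the "find affected assets" step can be run against a list of devices. The truncated FTD 7.x range is omitted because the page does not give it in full, the sample inventory is constructed, and hosts outside every listed range are flagged for review rather than declared safe.

```python
"""Triage Cisco ASA version strings against the CVE-2025-20362 ranges listed above."""
import re

# ASA ranges as listed on the page: (first affected, first fixed); "to before" is exclusive.
# The FTD 7.x range is left out because it is truncated on the page.
ASA_AFFECTED_RANGES = [
    ("9.12", "9.12.4.72"),
    ("9.14", "9.14.4.28"),
    ("9.16", "9.16.4.85"),
    ("9.17.0", "9.18.4.67"),
    ("9.19", "9.20.4.10"),
    ("9.22", "9.22.2.14"),
    ("9.23", "9.23.1.19"),
]

def parse_version(text):
    """Turn '9.16(4)85' (the form 'show version' prints) or '9.16.4.85' into a tuple of ints."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return parts

def in_range(version, lo, hi):
    """True if lo <= version < hi; missing trailing fields count as 0 so '9.12' == '9.12.0.0'."""
    v, l, h = (parse_version(x) for x in (version, lo, hi))
    width = max(len(v), len(l), len(h))
    def pad(t):
        return t + (0,) * (width - len(t))
    return pad(l) <= pad(v) < pad(h)

def affected_range(version):
    """Return the (lo, hi) listed range the version falls into, or None if no listed range matches."""
    for lo, hi in ASA_AFFECTED_RANGES:
        if in_range(version, lo, hi):
            return (lo, hi)
    return None

def triage(inventory):
    """Split {hostname: version} into hosts inside a listed affected range and the rest.
    'Not listed' means a fixed release OR a train the list does not cover (e.g. an end-of-life
    train), so those hosts still need checking against the vendor advisory."""
    affected, not_listed = {}, {}
    for host, ver in inventory.items():
        rng = affected_range(ver)
        if rng:
            affected[host] = f"{ver}: in {rng[0]} to before {rng[1]}"
        else:
            not_listed[host] = ver
    return affected, not_listed

SAMPLE_INVENTORY = {  # constructed sample data, not real hosts
    "asa-edge-1": "9.16(4)85",  # first fixed release of the 9.16 train
    "asa-edge-2": "9.16(4)67",
    "asa-dc-1": "9.20(3)",
    "asa-lab-1": "9.13(1)",     # train not in the list: review, do not assume safe
}
```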

Frequently asked questions

What is the nature of the vulnerability in Cisco Secure Firewall ASA and FTD Software's VPN web server?

A vulnerability exists in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. This flaw allows an unauthenticated, remote attacker to access restricted URL endpoints that are normally inaccessible without authentication. The issue arises from improper validation of user-supplied input in HTTP(S) requests, enabling unauthorized access to sensitive areas.

What is the weakness class associated with CVE-2025-20362?

The weakness class identified for CVE-2025-20362 is CWE-862, which signifies a 'Missing Authorization' vulnerability. This means the software fails to properly check if a user has the necessary permissions to perform a requested action, allowing unauthorized access to restricted resources.

How can an attacker exploit this vulnerability, and what is the scope of the impact?

An attacker can exploit this vulnerability by sending crafted HTTP requests to a targeted web server on an affected Cisco device. The improper validation of input allows the attacker to bypass authentication mechanisms and access restricted URL endpoints. The scope of the impact is limited to the web server component, but successful exploitation could lead to unauthorized access to VPN-related functionalities.

What is the relevance of CVE-2025-20362, especially concerning recent attack variants and the Halo Surface Signal?

This vulnerability is highly relevant due to an active attack variant observed against devices running affected Cisco Secure ASA and FTD Software. This variant can cause unpatched devices to reload unexpectedly, leading to denial-of-service (DoS) conditions. The Halo Surface Signal indicates this vulnerability is 'Very likely' exploitable because the VPN web server is a public-facing edge service, making it an attractive target for attackers.

What practical steps should organizations take to address this vulnerability?

Organizations should prioritize applying the fixed software releases provided by Cisco, as listed in their advisories. It is also recommended to identify affected Cisco ASA and FTD assets, reduce their exposure if possible by isolating affected systems, and diligently monitor for any signs of compromise following mitigation efforts.
