Fortra is actively researching two critical Cisco vulnerabilities, CVE-2025-20333 and CVE-2025-20363, that could allow attackers to execute arbitrary code on affected devices.
CVE-2025-20333 enables authenticated users to gain root access through crafted HTTP requests and is actively being exploited in the wild. CVE-2025-20363 affects ASA, FTD, IOS, IOS XE, and IOS XR software and could allow both unauthenticated and low-privileged authenticated users to execute arbitrary code.
In the same announcement, Cisco also warned about CVE-2025-20362 (base score 6.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), which can let unauthenticated attackers bypass access controls. Exploited alongside CVE-2025-20333, it could give an attacker full remote control of affected systems, significantly increasing the risk.
No workarounds are available, and Cisco strongly recommends updating to the fixed software versions. If patching is not immediately possible, organizations should disable or limit HTTPS web services and restrict management interfaces to trusted subnets.
Who is affected?
The following platforms are impacted by these vulnerabilities:
- CVE-2025-20333
  - Cisco ASA: Versions 9.12, 9.14, 9.16, 9.17, 9.18, 9.19, 9.20, 9.22 with AnyConnect IKEv2 Remote Access (with client services), Mobile User Security (MUS), or SSL VPN enabled.
  - Cisco FTD: Versions 7.0, 7.2, 7.4, 7.6 with AnyConnect IKEv2 Remote Access (with client services) or AnyConnect SSL VPN enabled.
- CVE-2025-20363
  - Cisco ASA: Versions 9.16, 9.18, 9.19, 9.20, 9.22, 9.23 with Mobile User Security (MUS) or SSL VPN enabled.
  - Cisco FTD: Versions 7.0, 7.2, 7.4, 7.6, 7.7 with AnyConnect SSL VPN enabled.
  - Cisco IOS / IOS XE: Versions 16.x, 17.x with Remote Access SSL VPN enabled.
What can I do?
Cisco strongly recommends updating affected devices to the fixed software versions listed in their advisories. No workarounds are available for either CVE.
CVE-2025-20333
- Cisco ASA: 9.12.4.72, 9.14.4.28, 9.16.4.85, 9.17.1.45, 9.18.4.47, 9.19.1.37, 9.20.3.7, 9.22.1.3
- Cisco FTD: 7.0.8.1, 7.2.9, 7.4.2.4, 7.6.1
- Cisco Security Advisory
- NVD Reference
CVE-2025-20363
- Cisco ASA: 9.16.4.85, 9.18.4.67, 9.20.4.10, 9.22.2.14, 9.23.1.19
- Cisco FTD: 7.0.8, 7.2.10, 7.4.2.3, 7.6.1, 7.7.10
- Cisco IOS and IOS XE: 16.12.14, 17.9.8
- Cisco Security Advisory
- NVD Reference
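As an added triage example (not Fortra's or Cisco's tooling), the following script compares an ASA or FTD version string against the fixed releases listed above for CVE-2025-20333 and CVE-2025-20363. It assumes you already know the device's version (either dotted or the `9.18(4)47` form printed by `show version`) and whether one of the VPN features named in the affected-platform list is enabled; a train that is not in the fixed list is reported as "not listed", not as safe.

```python
import re

# Fixed releases per CVE and product, copied from the advisory text above.
FIXED = {
    "CVE-2025-20333": {
        "ASA": ["9.12.4.72", "9.14.4.28", "9.16.4.85", "9.17.1.45",
                "9.18.4.47", "9.19.1.37", "9.20.3.7", "9.22.1.3"],
        "FTD": ["7.0.8.1", "7.2.9", "7.4.2.4", "7.6.1"],
    },
    "CVE-2025-20363": {
        "ASA": ["9.16.4.85", "9.18.4.67", "9.20.4.10", "9.22.2.14", "9.23.1.19"],
        "FTD": ["7.0.8", "7.2.10", "7.4.2.3", "7.6.1", "7.7.10"],
    },
}


def parse_version(text):
    """Turn '9.18(4)47' or '9.18.4.47' into a comparable tuple of ints."""
    dotted = re.sub(r"[()]", ".", text.strip()).strip(".")
    return tuple(int(part) for part in dotted.split("."))


def fixed_for(cve, product, version):
    """Fixed release on the device's major.minor train, or None if unlisted."""
    train = parse_version(version)[:2]
    for candidate in FIXED[cve][product]:
        if parse_version(candidate)[:2] == train:
            return candidate
    return None


def assess(product, version, vpn_feature_enabled):
    """Return a verdict per CVE for one device (product is 'ASA' or 'FTD')."""
    verdicts = {}
    for cve in FIXED:
        fixed = fixed_for(cve, product, version)
        if fixed is None:
            verdicts[cve] = "train not listed as affected"
        elif not vpn_feature_enabled:
            verdicts[cve] = "affected train, but vulnerable feature not enabled"
        elif parse_version(version) < parse_version(fixed):
            verdicts[cve] = f"VULNERABLE: upgrade to {fixed}"
        else:
            verdicts[cve] = "fixed"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory rows: (product, version from show version, VPN enabled)
    for row in [("ASA", "9.18(4)40", True), ("FTD", "7.2.8", False)]:
        print(row, assess(*row))
```

Run it against your own inventory export; a device whose train is unlisted still needs to be checked against Cisco's advisory, since the page lists fixed releases only for the trains it names.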
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- Fusion VM: Added authenticated scan checks for CVE-2025-20333 and CVE-2025-20362 and integrated the authenticated scan mappings into the CPE engine.
- Tripwire IP360: Tripwire released scan coverage on October 1, 2025, to identify vulnerable instances. If the vulnerabilities are detected, they will be flagged under vulnerability ID 764019 for CVE-2025-20333 or vulnerability ID 764017 for CVE-2025-20362.
- Core Impact: Cisco Secure ASA improperly validates user-supplied input in HTTP(S) requests, allowing an unauthenticated remote attacker to access restricted URL endpoints related to remote access VPN. When combined with a buffer overflow in the files_action.lua script, attackers may be able to execute arbitrary code as the root user or force unpatched devices to reload unexpectedly, resulting in a denial-of-service (DoS) condition. The Core Impact module checks whether a target device is vulnerable to this authentication bypass; if it is, the module can then trigger the denial-of-service condition.
- IDS: Released an IDS signature on October 7, 2025, to detect CVE-2025-20333 Cisco ASA/FTD buffer overflow attempts, which are likely chained with the authentication bypass CVE-2025-20362.
Updates
Fortra has kicked off the Emerging Threats process for these vulnerabilities. This article will be updated with new information about the vulnerabilities and related security coverage as it becomes available.
- 09/29/2025: Added authenticated scan checks for CVE-2025-20333 and CVE-2025-20362, and integrated authenticated scan mappings into the CPE engine for Fusion VM.
- 10/01/2025: Tripwire released scan coverage for IP360 for CVE-2025-20333 and CVE-2025-20362.
- 10/07/2025: Released IDS signature to detect CVE-2025-20333 Cisco ASA/FTD buffer overflow attempts, likely chained with the authentication bypass CVE-2025-20362.
- 11/18/2025: Core Impact module updated to check for authentication bypass and potential denial-of-service on vulnerable Cisco Secure ASA devices.
