Cisco ASA 0-Day RCE Vulnerability Actively Exploited in the Wild
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Cisco has issued an emergency security advisory warning of active exploitation<\/a> of a critical zero-day vulnerability<\/a> in its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software platforms.\u00a0<\/p>\n The vulnerability, tracked as CVE-2025-20333, carries a maximum CVSS score of 9.9 and enables authenticated remote attackers to execute arbitrary code with root privileges on affected devices.<\/p>\n The vulnerability resides in the VPN web server component of both ASA and FTD software, specifically affecting devices with remote access VPN configurations enabled.<\/p>\n \u00a0Cisco\u2019s Product Security Incident Response Team (PSIRT) confirmed active exploitation attempts and emphasized the critical nature of this security flaw, which could result in complete device compromise.<\/p>\n The root cause of CVE-2025-20333 lies in improper validation of user-supplied input within HTTP(S) requests processed by the VPN web server.\u00a0<\/p>\n This buffer overflow vulnerability<\/a> (CWE-120) allows authenticated attackers with valid VPN credentials to craft malicious HTTP requests that trigger code execution with elevated privileges.<\/p>\n Vulnerable configurations include devices running ASA or FTD software with specific VPN features enabled, including AnyConnect IKEv2 Remote Access with client services (crypto ikev2 enable <interface_name> client-services port <port_number>), SSL VPN services (webvpn enable <interface_name>), and Mobile User Security (MUS) implementations.\u00a0<\/p>\n The vulnerability specifically targets SSL listen sockets enabled by these configurations.<\/p>\n The exploitation process requires attackers to first obtain valid VPN user credentials, after which they can send specially crafted HTTP requests to the targeted device\u2019s VPN web server.\u00a0<\/p>\n Successful exploitation grants root-level access, potentially allowing threat actors to install persistent backdoors, exfiltrate sensitive network traffic, or pivot to internal network segments.<\/p>\n The discovery and investigation of this vulnerability involved unprecedented collaboration between multiple international cybersecurity agencies, including the Australian Signals Directorate, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the UK National Cyber Security Centre (NCSC), and the U.S. Cybersecurity & Infrastructure Security Agency (CISA).<\/p>\n This coordinated response suggests sophisticated threat actor involvement, likely nation-state or advanced persistent threat (APT) groups targeting critical infrastructure.<\/p>\n CVE-2025-20362 is an unauthenticated unauthorized access vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software.\u00a0<\/p>\n Rated Medium severity with a CVSS 3.1 base score of 6.5, this flaw allows remote attackers to bypass authentication and access restricted URL endpoints.<\/p>\n The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests handled by the VPN web server. Specifically, certain URL endpoints that should require authentication fail to enforce access checks.\u00a0<\/p>\n An attacker crafts a malicious HTTP request targeting these endpoints and can retrieve or interact with sensitive resources without any valid VPN credentials.<\/p>\nCisco ASA 0-Day RCE Vulnerability<\/strong><\/h2>\n
Unauthorized Access Vulnerability (CVE-2025-20362)<\/strong><\/h2>\n