A critical zero-day vulnerability affecting thousands of Cisco firewalls is being actively exploited by threat actors in the wild.\u00a0<\/p>\n
The vulnerability, tracked as CVE-2025-20333<\/a>, poses an immediate risk to organizations worldwide with a CVSS score of 9.9, representing one of the most severe security flaws discovered in enterprise firewall infrastructure this year.<\/p>\n According to data from The Shadowserver Foundation, over 48,800 unpatched IP addresses were identified on September 29, 2025, with the United States having received the most exposure.\u00a0<\/p>\n The vulnerability affects Cisco Secure Firewall Adaptive Security Appliance (ASA)<\/a> Software and Cisco Secure Firewall Threat Defense (FTD) Software, specifically targeting the VPN web server component that millions of organizations rely on for remote access capabilities.<\/p>\n Cisco firewalls vulnerable<\/p>\n The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests processed by the VPN web server.\u00a0<\/p>\n Classified as a CWE-120 buffer overflow, the flaw allows authenticated remote attackers to execute arbitrary code with root privileges on affected devices.\u00a0<\/p>\n This level of access essentially grants complete control over the firewall, enabling attackers to modify security policies, intercept network traffic, and establish persistent backdoors.<\/p>\n The attack vector requires valid VPN user credentials, which attackers can obtain through various methods including credential stuffing<\/a>, phishing campaigns<\/a>, or exploiting weak authentication mechanisms.\u00a0<\/p>\n Once authenticated, attackers can send specially crafted HTTP requests containing malicious payloads that overflow memory buffers, allowing shellcode execution in the context of the root user.<\/p>\n Cisco\u2019s Product Security Incident Response Team (PSIRT) has confirmed active exploitation attempts and warns that successful attacks could result in complete device compromise.\u00a0<\/p>\n The vulnerability affects devices running vulnerable releases of ASA or FTD software with specific configurations enabled, including AnyConnect IKEv2 Remote Access, Mobile User Security (MUS), and SSL VPN services.<\/p>\n The affected configurations encompass critical enterprise features that organizations depend on for secure remote access. Vulnerable configurations include:<\/p>\n These configurations are standard in enterprise environments, particularly those supporting remote workforce initiatives.\u00a0<\/p>\n The vulnerability\u2019s severity is compounded by the fact that Cisco has confirmed no workarounds exist to mitigate the risk without applying security patches.<\/p>\n Missing Authorization Flaw (CVE-2025-20362)<\/strong><\/p>\n A secondary vulnerability, CVE-2025-20362 (CVSS 6.5), accompanies the primary flaw and enables unauthenticated attackers to access restricted VPN endpoints that should require authentication.\u00a0<\/p>\n This unauthorized access vulnerability, classified as CWE-862 (Missing Authorization), can serve as a reconnaissance tool for attackers planning more sophisticated attacks.<\/p>\n Cisco has released emergency security updates addressing both vulnerabilities and strongly recommends immediate patching.\u00a0<\/p>\n Organizations should prioritize these updates given the active exploitation and the critical nature of affected systems.\u00a0<\/p>\n The company also advises reviewing threat detection configurations for VPN services to enhance protection against authentication attacks and unauthorized connection attempts.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post 48+ Cisco Firewalls Vulnerable to Actively Exploited 0-Day Vulnerability in the Wild<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Cisco](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2025\/10\/image-2-1024x464.png?resize=1024%2C464&ssl=1\")
<\/figure>\n<\/div>\nBuffer Overflow Vulnerability (CVE-2025-20333)<\/strong><\/h2>\n
\n
\n\n
\n CVE<\/strong><\/td>\n Title<\/strong><\/td>\n CVSS 3.1 Score<\/strong><\/td>\n Severity<\/strong><\/td>\n<\/tr>\n \n CVE-2025-20333<\/td>\n VPN Web Server Remote Code Execution Vulnerability<\/td>\n 9.9<\/td>\n Critical<\/td>\n<\/tr>\n \n CVE-2025-20362<\/td>\n VPN Web Server Unauthorized Access Vulnerability<\/td>\n 6.5<\/td>\n Medium<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n