
Cisco warns of actively exploited vulnerabilities in ASA and FTD Firewall software

Take action: If you have Cisco ASA or FTD firewalls with VPN features enabled, immediately use the Cisco Software Checker tool to identify your exposure to these flaws, then immediately apply Cisco's security patches if you are found vulnerable. This one is urgent and important: attackers are already exploiting the flaws, and ASA and FTD devices are exposed to the internet by design.


Learn More

Cisco has released security patches for actively exploited vulnerabilities in its Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software.

Vulnerabilities summary

  • CVE-2025-20333 (CVSS score 9.9) - A remote code execution vulnerability in the VPN web server that allows authenticated, remote attackers to execute arbitrary code as root on affected devices. This flaw stems from improper validation of user-supplied input in HTTP(S) requests and can be exploited by attackers with valid VPN user credentials who send crafted HTTP requests to targeted devices.
  • CVE-2025-20363 (CVSS score 9.0) - An improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both.
  • CVE-2025-20362 (CVSS score 6.5) - An unauthorized access vulnerability that enables unauthenticated, remote attackers to access restricted URL endpoints. This vulnerability also results from improper validation of user-supplied input in HTTP(S) requests and allows attackers to bypass authentication mechanisms.

The security flaws affect devices running vulnerable releases of Cisco Secure Firewall ASA Software or Cisco Secure FTD Software that have specific VPN-related configurations enabled, including AnyConnect IKEv2 Remote Access, Mobile User Security (MUS), SSL VPN, and AnyConnect SSL VPN features. 

The vulnerabilities can be chained together, with CVE-2025-20362 potentially used to bypass authentication requirements for CVE-2025-20333. 

Update - as of 5 November 2025, Cisco has updated its advisory on the active exploitation of CVE-2025-20333. Threat actors have discovered a new attack variant that compromises unpatched devices and bypasses all security controls.

Cisco has also updated the advisory for ASA Software releases 9.12 and 9.14: the fixes for CVE-2025-20333 in those trains are the ASA hidden releases 9.12.4.72 and 9.14.4.28. For all other platforms, use the Cisco Software Checker to determine the first fixed release.
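The exposure check described above (affected VPN features enabled, running a release below the fixed one) can be scripted for a first triage pass. The following is an added example, not Cisco's tool or code from the advisory: it parses constructed `show version` and `show running-config` text, assumes the usual ASA CLI syntax for webvpn, AnyConnect and IKEv2 client-services lines, and only encodes the two hidden fixed releases the advisory names, deferring every other train to the Cisco Software Checker.

```python
import re

# Fixed "hidden" releases the advisory names for the 9.12 and 9.14 trains; other trains are not encoded here (use the Cisco Software Checker).
FIXED = {(9, 12): (9, 12, 4, 72), (9, 14): (9, 14, 4, 28)}

def parse_version(show_version: str):
    """Return (major, minor, maint, interim) from 'show version' output; assumes the 'Software Version 9.12(4)65' format."""
    m = re.search(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d+)", show_version)
    return tuple(int(x) for x in m.groups()) if m else None

def vpn_features(running_config: str):
    """Collect the affected remote-access VPN features enabled in the config (assumed ASA CLI line patterns)."""
    found, in_webvpn = set(), False
    for line in running_config.splitlines():
        if line.startswith("webvpn"):          # top-level webvpn block starts
            in_webvpn = True
            continue
        if in_webvpn and line.startswith(" "):  # indented lines belong to the webvpn block
            if line.strip().startswith("enable "):   # webvpn enabled on an interface => SSL VPN
                found.add("SSL VPN")
            if line.strip() == "anyconnect enable":
                found.add("AnyConnect SSL VPN")
            continue
        in_webvpn = False
        if re.match(r"crypto ikev2 enable \S+ client-services", line):
            found.add("AnyConnect IKEv2 Remote Access")
    return found

def assess(show_version: str, running_config: str) -> dict:
    """Triage verdict: 'not_exposed', 'vulnerable', 'fixed' or 'check_manually'."""
    version, features = parse_version(show_version), vpn_features(running_config)
    result = {"version": version, "features": sorted(features)}
    if not features:
        result["status"] = "not_exposed"        # affected features off: out of scope for these flaws
    elif version is None or version[:2] not in FIXED:
        result["status"] = "check_manually"     # unparsed version or train not encoded: Software Checker
    elif version < FIXED[version[:2]]:
        result["status"] = "vulnerable"
    else:
        result["status"] = "fixed"
    return result

# Constructed sample device output, not captured from a real appliance.
SAMPLE_VERSION = "Cisco Adaptive Security Appliance Software Version 9.12(4)65\n"
SAMPLE_CONFIG = """crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
"""
VERDICT = assess(SAMPLE_VERSION, SAMPLE_CONFIG)  # status 'vulnerable'
```

A device that reports no affected features still needs patching on its normal schedule; this script only ranks which exposed VPN headends to patch first.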

Cisco's Product Security Incident Response Team (PSIRT) has confirmed active exploitation attempts for both vulnerabilities and continues to strongly recommend immediate upgrades to fixed software releases. The exploitation has been attributed to UAT4356, also known as Storm-1849, the same threat actor behind the ArcaneDoor campaign from April 2024.

The exploitation of these vulnerabilities prompted CISA to issue Emergency Directive ED 25-03, requiring federal agencies to identify all instances of Cisco ASA and Cisco Firepower devices in operation and collect and transmit memory files to CISA for forensic analysis by 11:59 p.m. EST September 26.

Cybersecurity firm GreyNoise observed large-scale campaigns in late August involving up to 25,000 unique IP addresses targeting ASA login portals and Cisco IOS Telnet/SSH services. Such reconnaissance activity has historically preceded the disclosure of new security vulnerabilities in approximately 80% of cases, suggesting threat actors may have been preparing to exploit these flaws.

No workarounds are available for either vulnerability, making immediate patching the only effective mitigation strategy. Cisco has provided a Software Checker tool to help customers determine their exposure to these vulnerabilities and identify the appropriate fixed releases for their specific deployments. The company recommends that after installing fixed releases, customers review the Configure Threat Detection for VPN Services section of the Cisco Secure Firewall ASA Firewall CLI Configuration Guide to enable additional protections against remote access VPN attacks.
