Cisco

Cisco Patches Critical ASA/FTD VPN Zero-Day (CVE-2025-20333)

Actively exploited Cisco ASA/FTD zero-day enables unauthenticated RCE via VPN portal. Get affected versions, IOCs, and the fixed releases.

J

J

3 min read
Cisco Patches Critical ASA/FTD VPN Zero-Day (CVE-2025-20333)
Cisco ASA firewall appliances affected by CVE-2025-20333

TL;DR – Executive Summary

💡
A critical vulnerability in Cisco’s firewall appliances (CVE-2025-20333) allows attackers to gain full control of a device via the VPN web portal. This zero-day is already being exploited in the wild and has been chained with an authentication bypass (CVE-2025-20362) to achieve remote code execution on Cisco ASA/FTD devices.

Action required: Patch all affected Cisco ASA and FTD systems immediately and verify no compromise has occurred.

Overview of the Vulnerability

  • CVE-2025-20333 is a Remote Code Execution (RCE) flaw in Cisco ASA and FTD VPN web services.
  • Root cause: Buffer overflow (CWE-120) from improper input validation.
  • Exploitation: Specially crafted HTTPS requests to the WebVPN interface enable attackers to execute code with root-level privileges.
  • Actively exploited: Cisco PSIRT confirmed real-world attacks; discovered during a TAC support case with national cyber agencies.
  • Severity: CVSS 9.9 (Critical) – total firewall compromise possible.

Cisco also disclosed CVE-2025-20362 (CVSS 6.5), a vulnerability that allows for authentication bypass. On its own, it’s moderate—but chained with CVE-2025-20333, it enables unauthenticated device takeover. Threat actors (“UAT4356 / Storm-1849,” linked to the ArcaneDoor campaign) are actively exploiting both.

Affected Systems

Vulnerable Cisco products:

  • ASA Software (with WebVPN/AnyConnect enabled)
    Versions 9.16, 9.17, 9.18, 9.19, 9.20, 9.22, and early 9.23 builds.
    Covers ASA 5500-X, ASAv, and similar.
  • FTD Software
    Versions 7.0, 7.2, 7.4, 7.6, 7.7 (pre-fix).
    Covers Firepower appliances and Secure Firewall 3100/4100 series.
  • Cisco IOS / IOS XE / IOS XR
    Not directly impacted by this chain, but patched separately for CVE-2025-20363.

Exposure note: Devices are exploitable only if AnyConnect SSL VPN or IKEv2 client services are enabled.

Exploitation Details

  • Attack vector: HTTPS requests to the VPN web portal.
  • No credentials or user interaction required (when chaining CVE-2025-20362 + CVE-2025-20333).
  • Observed attacker actions:
    • Disabled security logs to hide activity.
    • Deployed firmware implants (e.g., RayInitiator bootkit).
    • Installed payloads like LINE VIPER to spy on VPN sessions.

Impact: Full device takeover – including the ability to decrypt VPN traffic, steal credentials, alter firewall rules, or pivot into internal networks.

How to Detect

Security teams should prioritize detection using these methods:

  • Vulnerability Scanning
  • Manual Checks
    • show running-config | include webvpn (ASA)
    • show running-config crypto ikev2 | include client-services (ASA)
    • VPN policies in FMC (FTD)
    • show version to confirm software release
  • Indicators of Compromise
    • Missing syslogs (302013, 302014, 609002, 710005)
    • Unexpected crashes or reboots
    • “Impossible travel” VPN logins
    • Stalled show checkheaps runs
  • Network Monitoring
    • Snort rules: 65340 (CVE-2025-20333), 46897 (CVE-2025-20362)
    • IDS/IPS alerts for unusual VPN traffic

Remediation Guidance

Patch immediately – no workarounds exist.

  • ASA Fixed Versions:
    9.16.4.85, 9.17.1.45, 9.18.4.47, 9.19.1.37, 9.20.3.7, 9.22.1.3, 9.22.2.14, 9.23.1.19
  • FTD Fixed Versions:
    7.0.8.1, 7.2.10.2, 7.4.2.4, 7.6.2.1, 7.7.10.1

Temporary mitigations (if patching is delayed):

# Disable WebVPN (ASA)
configure terminal
no webvpn

# Disable IKEv2 client-services (ASA)
crypto ikev2 disable client-services

(Disabling VPN services will cut off AnyConnect access—use only as an emergency stopgap.)

Recommendations for Security Teams

  1. Emergency patch deployment – invoke the emergency change process.
  2. Verify & audit – confirm patched versions, check configs and accounts.
  3. Increase monitoring – enable verbose logging, watch Snort SIDs.
  4. Incident response if compromised – isolate, preserve forensics, re-image if needed.
  5. Network hardening – restrict VPN access with ACLs, segmentation.
  6. Update signatures & IOCs – deploy Cisco Talos and CISA indicators.
  7. User comms & MFA – reset VPN credentials, enforce MFA.
  8. Long-term hardening – enable Secure Boot on newer models, retire end-of-life hardware.
  9. Tabletop exercises – rehearse response scenarios for firewall compromise.

Timeline

  • May 2025 – Attacks discovered; Cisco & agencies investigate.
  • Jul–Sep 2025 – Exploits used in zero-day campaigns.
  • Sep 25, 2025 – Cisco releases patches; CISA issues Emergency Directive 25-03.
  • Early Oct 2025 – Rapid7 confirms root cause; active exploitation continues globally.

External Sources

Conclusion

CVE-2025-20333 and CVE-2025-20362 are being actively exploited to compromise Cisco ASA/FTD firewalls. Together, they allow unauthenticated attackers to seize complete control of critical perimeter defenses.

The only safe path:

  • Patch immediately.
  • Audit and hunt for compromise.
  • Harden and monitor for ongoing threats.

Your firewall should be protecting you, not working against you. Update now.

Read more

© 2025 Threat On The Wire. All rights reserved.