PEACH
Un framework di isolamento del tenant
Database delle vulnerabilitàCVE-2025-20362
CVE-2025-20362:
Cisco Adaptive Security Appliance (ASA) Analisi e mitigazione delle vulnerabilità
Panoramica
A vulnerability (CVE-2025-20362) was discovered in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to access restricted URL endpoints related to remote access VPN that should be inaccessible without authentication. The vulnerability was disclosed on September 25, 2025, and is tracked with a CVSS base score of 6.5 (Cisco Advisory).
Dettagli tecnici
The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests. The issue is classified as a Missing Authorization vulnerability (CWE-862). The vulnerability affects multiple versions of Cisco ASA Software (versions 9.8.x through 9.23.x) and Cisco FTD Software (versions 6.2.x through 7.7.x). The CVSS score of 6.5 (Medium) reflects the attack vector being network-accessible (AV:N), low attack complexity (AC:L), requiring no privileges (PR:N), and no user interaction (UI:N) (NVD).
Impatto
A successful exploitation of this vulnerability allows an attacker to access restricted URLs without authentication. The vulnerability is particularly concerning as it can be chained with other vulnerabilities, specifically CVE-2025-20333, to achieve remote code execution with root privileges on affected devices (Rapid7).
Mitigazione e soluzioni alternative
Cisco has released software updates to address this vulnerability and strongly recommends that customers upgrade to a fixed software release. There are no workarounds available for this vulnerability. For ASA Software, fixed versions include 9.16.4.85, 9.18.4.67, 9.20.4.10, 9.22.2.14, and 9.23.1.19. For FTD Software, fixed versions include 7.0.8.1, 7.2.10.2, 7.4.2.4, 7.6.2.1, and 7.7.10.1 (Cisco Event Response).
Reazioni della comunità
Multiple government agencies, including the Australian Signals Directorate, the Canadian Centre for Cyber Security, the UK National Cyber Security Centre (NCSC), and the U.S. Cybersecurity & Infrastructure Security Agency (CISA), have been involved in investigating and responding to attacks exploiting this vulnerability. CISA has added this vulnerability to their Known Exploited Vulnerabilities catalog, requiring federal agencies to take immediate action (Cisco Advisory).
Risorse aggiuntive
Fonte: Questo report è stato generato utilizzando l'intelligenza artificiale
Imparentato Cisco Adaptive Security Appliance (ASA) Vulnerabilità:
Valutazione gratuita delle vulnerabilità
Benchmark della tua posizione di sicurezza del cloud
Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.
Richiedi una demo personalizzata
Pronti a vedere Wiz in azione?
"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
David EstlickCISO (CISO)
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
Adam FletcherResponsabile della sicurezza
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."
Greg PoniatowskiResponsabile della gestione delle minacce e delle vulnerabilità