CVE-2025-20333: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-20333) was discovered in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The vulnerability was disclosed on September 25, 2025, and affects multiple versions of both software products. This buffer overflow vulnerability (CWE-120) allows an authenticated remote attacker to execute arbitrary code on affected devices (Cisco Advisory).

The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests. It has been assigned a Critical CVSS base score of 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vulnerability affects multiple software versions including ASA Software versions 9.16.x through 9.22.x and FTD Software versions 7.0.x through 7.6.x. While the vulnerability requires valid VPN user credentials for exploitation, it can be chained with CVE-2025-20362 to achieve unauthenticated access (Rapid7, NVD).

A successful exploitation of this vulnerability allows an attacker to execute arbitrary code as root, potentially resulting in complete compromise of the affected device. The impact is particularly severe as it affects critical network security infrastructure and could lead to full system takeover (Cisco Advisory).

Cisco has released software updates that address this vulnerability and strongly recommends that customers upgrade to a fixed software release. There are no workarounds available. For ASA Software, fixed versions include 9.16.4.85, 9.17.1.45, 9.18.4.47, 9.19.1.37, 9.20.3.7, and 9.22.1.3. For FTD Software, fixed versions include 7.0.8.1, 7.2.9, 7.4.2.4, and 7.6.1 (Cisco Advisory).

The vulnerability has garnered significant attention from government cybersecurity agencies. The US Cybersecurity & Infrastructure Security Agency (CISA), the Australian Signals Directorate Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and the UK National Cyber Security Centre (NCSC) have all been involved in supporting the investigation (Cisco Advisory).