CVE-2025-20363: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-20363) was discovered in the web services of multiple Cisco products including Secure Firewall Adaptive Security Appliance (ASA) Software, Secure Firewall Threat Defense (FTD) Software, IOS Software, IOS XE Software, and IOS XR Software. The vulnerability was disclosed on September 25, 2025, and received a CVSS base score of 9.0. This heap-based buffer overflow vulnerability (CWE-122) affects various Cisco devices when specific configurations are enabled (Cisco Advisory).

The vulnerability stems from improper validation of user-supplied input in HTTP requests. For Cisco ASA and FTD Software, the vulnerability can be exploited by an unauthenticated remote attacker, while for Cisco IOS, IOS XE, and IOS XR Software, exploitation requires an authenticated remote attacker with low user privileges. The vulnerability received a Critical Security Impact Rating with a CVSS Base Score of 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) (Cisco Advisory, NVD).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary code as root, potentially leading to complete compromise of the affected device. The impact varies depending on the affected product, with the most severe scenario allowing unauthenticated remote code execution on ASA and FTD devices (Cisco Advisory).

Cisco has released software updates that address this vulnerability and strongly recommends that customers upgrade to a fixed software release. For Cisco ASA Software, fixed versions include 9.16.4.84, 9.18.4.57, 9.19.1.42, 9.20.3.16, 9.22.2, and 9.23.1.3. For Cisco FTD Software, fixed versions include 7.0.8, 7.2.10, 7.4.2.3, 7.6.1, and 7.7.10. There are no workarounds that address this vulnerability (Cisco Advisory).