CVE-2025-20363: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-20363) was discovered in the web services of multiple Cisco products including Secure Firewall Adaptive Security Appliance (ASA) Software, Secure Firewall Threat Defense (FTD) Software, IOS Software, IOS XE Software, and IOS XR Software. The vulnerability was disclosed on September 25, 2025, and received a CVSS base score of 9.0. This security flaw affects various Cisco products when specific configurations are enabled, such as Remote Access SSL VPN or HTTP server features (Cisco Advisory).

The vulnerability (CVE-2025-20363) is classified as a heap-based buffer overflow (CWE-122) that stems from improper validation of user-supplied input in HTTP requests. The vulnerability has a Critical Security Impact Rating with a CVSS Base Score of 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). For Cisco ASA and FTD Software, the vulnerability can be exploited by an unauthenticated, remote attacker, while for Cisco IOS, IOS XE, and IOS XR Software, exploitation requires an authenticated remote attacker with low user privileges (Cisco Advisory, NVD).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary code as root on the affected device, potentially leading to complete compromise of the system. The impact varies depending on the affected product, with the most severe scenario allowing unauthenticated remote code execution with root privileges (Cisco Advisory).

Cisco has released software updates that address this vulnerability and strongly recommends that customers upgrade to a fixed software release. There are no workarounds available that address this vulnerability. For Cisco ASA Software, fixed versions include 9.16.4.84, 9.18.4.57, 9.19.1.42, 9.20.3.16, 9.22.2, and 9.23.1.3. For Cisco FTD Software, fixed versions include 7.0.8, 7.2.10, 7.4.2.3, 7.6.1, and 7.7.10 (Cisco Advisory).