Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability

🚨 SEVERITY: CRITICAL — CVSS 9.9 Security Advisory

TL;DR 📌

A critical remote code execution vulnerability has been identified in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software. This flaw allows authenticated attackers to execute arbitrary code on affected devices. Immediate software updates are recommended, as there are no workarounds available.

What happened 🕵️‍♂️

A vulnerability (CVE-2025-20333) has been discovered in the VPN web server of Cisco Secure Firewall ASA and FTD Software. This issue arises from improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN credentials could exploit this vulnerability by sending crafted HTTP requests, potentially leading to arbitrary code execution as root. This could result in a complete compromise of the affected device.

Affected products 🖥️

The vulnerability affects the following Cisco products running vulnerable releases:

  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
  • Cisco Secure Firewall Threat Defense (FTD) Software

Specific configurations that may be vulnerable include:

  • AnyConnect IKEv2 Remote Access
  • Mobile User Security (MUS)
  • SSL VPN

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product First Fixed Release Notes
1.0 Initial public release.
Cisco Secure Firewall ASA Not specified
Cisco Secure FMC Not specified
Cisco Secure FTD Not specified

Workarounds 🧯

There are no workarounds available to mitigate this vulnerability. Immediate software updates are the only recommended course of action.

Risk in context 🎯

With a CVSS score of 9.9, this vulnerability is classified as Critical. The exposure is significant as it requires only valid VPN credentials for exploitation, which could lead to complete device compromise. Organizations should prioritize patching affected systems to mitigate risk.

Fast facts ⚡

  • Vulnerability ID: CVE-2025-20333
  • Severity: Critical (CVSS 9.9)
  • Attack Vector: Authenticated remote access
  • Exploitation Potential: Arbitrary code execution
  • Workarounds: None available
  • Recommended Action: Upgrade to fixed software

For leadership 🧭

The recent vulnerability in Cisco Secure Firewall ASA and FTD Software poses a Critical risk due to its CVSS score of 9.9. It allows authenticated attackers to execute arbitrary code, potentially leading to full device compromise. The exposure is significant as it requires valid VPN credentials and could impact device availability and integrity.

Remediation ask: Patch affected systems within 7 days to mitigate risks, as no workarounds exist.

Operational impact: Expect a brief maintenance window with no configuration drift anticipated.

Now / Next / Later:

  • Now: Assess and identify affected devices.
  • Next: Schedule and implement software upgrades.
  • Later: Review security policies and user access controls to strengthen defenses against future vulnerabilities.