Cisco warns its users to patch two actively exploited vulnerabilities impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance Software and Cisco Secure Firewall Threat Defense Software. Tracked as CVE-2025-20362 and CVE-2025-20333, the vulnerabilities can lead to remote code execution and unauthorized access of the affected device. Cisco mentioned in the advisory that they are aware of attempted exploitation of the vulnerabilities.
CISA added both vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging users to patch the vulnerabilities before September 26, 2025. CISA also released an emergency directive (ED 25-03) urging federal agencies to identify, analyze, and mitigate potential compromises with immediate effect.
CVE-2025-20362
The vulnerability in the Cisco ASA and Cisco FTD Software’s VPN web server originates from an improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device.
Successful exploitation of the vulnerability could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication.
CVE-2025-20333
The vulnerability in the Cisco ASA and Cisco FTD Software’s VPN web server Software originates from improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device.
Successful exploitation of the vulnerability could allow an authenticated, remote attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.
Affected Configurations
Cisco Secure Firewall ASA Software Vulnerable Configurations
Cisco Secure Firewall ASA Software Feature |
Possible Vulnerable Configuration |
| AnyConnect IKEv2 Remote Access (with client services) | crypto ikev2 enable <interface name> client-services port <port_numbers> |
| Mobile User Security (MUS) | webvpn mus password mus server enable <port_number> mus <IPv4_address> <IPv4_mask> <interface_name> |
| SSL VPN | webvpn enable <interface_name> |
Cisco Secure Firewall FTD Software Vulnerable Configurations
Cisco Secure FTD Software Feature |
Possible Vulnerable Configuration |
| AnyConnect IKEv2 Remote Access (with client services) | crypto ikev2 enable <interface_name> client-services port <port_number> |
| AnyConnect SSL VPN | webvpn enable <interface_name> |
Mitigation
Cisco suggests workarounds and mitigations as temporary solutions until a fixed software release upgrade is available.
For more information, please refer to the Cisco Security Advisories cisco-sa-asaftd-webvpn-z5xP8EUB and cisco-sa-asaftd-webvpn-YROOTUW.
Qualys Detection
Qualys customers can scan their devices with QIDs 317736, 317737, 317740, and 317741 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
http://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW