CVE-2025-20333

Published: Sep 25, 2025Modified: Oct 28, 2025CISA KEV

9.9

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.1 / Impact: 6.0

Source: psirt@cisco.com (Secondary)

Description

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.

Affected (12)

Products: Cisco: Adaptive Security Appliance Software, Firepower Threat Defense

Cisco

2 products

Adaptive Security Appliance Software

Firepower Threat Defense

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Cisco Adaptive Security Appliance Software	From 9.12 to 9.12.4.72
Cisco Adaptive Security Appliance Software	From 9.14 to 9.14.4.28
Cisco Adaptive Security Appliance Software	From 9.16 to 9.16.4.85
Cisco Adaptive Security Appliance Software	From 9.17.0 to 9.17.1.45
Cisco Adaptive Security Appliance Software	From 9.18 to 9.18.4.47
Cisco Adaptive Security Appliance Software	From 9.19 to 9.19.1.37
Cisco Adaptive Security Appliance Software	From 9.20 to 9.20.3.7
Cisco Adaptive Security Appliance Software	From 9.22 to 9.22.1.3

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Cisco Firepower Threat Defense	From 7.0.0 to 7.0.8.1
Cisco Firepower Threat Defense	From 7.1.0 to 7.2.9
Cisco Firepower Threat Defense	From 7.3.0 to 7.4.2.4
Cisco Firepower Threat Defense	Version 7.6.0

Related CWEs

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

References (3)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

Source: psirt@cisco.com

Vendor Advisory

https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.