SOC Advisory – Cisco ASA/FTD Remote Code Execution and Access Control Bypass – 26 September 2025

Overview

CVE: CVE-2025-20333, CVE-2025-20363, CVE-2025-20362
Severity: Critical
Date: 26 September 2025

Cisco has disclosed multiple vulnerabilities in ASA 5500-X Series, Secure Firewall Threat Defense (FTD), and related software platforms. Two of these flaws allow remote code execution, while a third permits unauthenticated access to restricted web services.

These vulnerabilities affect both ASA and FTD software when configured with WebVPN or HTTP-based services. Exploitation could lead to system compromise or bypass of access controls.

Affected Versions

• Cisco ASA 5500-X Series Appliances
• Cisco Secure Firewall ASA and FTD Software
• Cisco IOS, IOS XE, IOS XR (limited to CVE-2025-20363)
• Cisco Firepower appliances running vulnerable versions

Vulnerability Breakdown

CVE-2025-20333 – WebVPN Remote Code Execution

• Type: Authenticated RCE
• Severity: Critical
• CVSS Score: 9.8
• Description: An authenticated, remote attacker can execute arbitrary code on devices running WebVPN on ASA/FTD platforms.
• Impact: Complete system compromise.

CVE-2025-20363 – HTTP Service Remote Code Execution

• Type: RCE via HTTP
• Severity: Critical
• CVSS Score: 9.8
• Description: A vulnerability in HTTP services could allow unauthenticated (ASA/FTD) or authenticated (IOS/IOS XE/IOS XR) attackers to execute arbitrary code.
• Impact: Remote takeover across multiple Cisco platforms.

CVE-2025-20362 – WebVPN Access Control Bypass

• Type: Unauthenticated access
• Severity: Medium
• CVSS Score: 6.5
• Description: Attackers may access restricted URL paths in WebVPN without authentication.
• Impact: Data exposure, unauthorised service access.

Mitigation

• Use the Cisco Software Checker to confirm if your ASA/FTD versions are affected and determine the required upgrade path.
• Apply the security updates released by Cisco to all affected devices immediately.
• Investigate devices for signs of compromise, following Cisco’s guidance for checking ROMMON integrity, especially on ASA software versions 9.12 and 9.14.
• Monitor connected environments for potential malicious activity originating from or targeting affected devices.
• Treat any device suspected of compromise as untrusted and follow Cisco’s official remediation procedures.
• No viable workarounds exist. Patching is mandatory.

Summary for IT Teams

• Products: Cisco ASA Software, Cisco FTD Software
• Threat Level: Critical
• Action Required:
  • Identify and apply patches to all affected ASA and FTD software installations.
  • Proactively hunt for indicators of compromise using Cisco’s published guidance.
  • Audit firewall configurations and monitor logs for unusual activity.
  • Isolate potentially compromised devices from the production network until they can be fully remediated.

Reference

• ASD Advisory

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.