CVE-2025-20333
Published: 25 September 2025
Summary
CVE-2025-20333 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of known flaws such as CVE-2025-20333 through patching, directly preventing exploitation of the VPN web server vulnerability.
SI-10 mandates validation of user-supplied input in HTTP(S) requests, addressing the improper input validation that leads to arbitrary code execution.
SI-4 enables monitoring for indicators of crafted HTTP requests or exploitation attempts on the VPN web server, allowing detection of ongoing attacks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote code execution via crafted HTTP requests to the public-facing VPN web server maps to T1190 (Exploit Public-Facing Application); execution as root from an authenticated, low-privileged VPN user maps to T1068 (Exploitation for Privilege Escalation).
NVD Description
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.
Deeper analysis
CVE-2025-20333 is a vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. Published on 2025-09-25, it arises from improper validation of user-supplied input in HTTP(S) requests and is associated with CWE-120. The issue has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An authenticated remote attacker with valid VPN user credentials can exploit this vulnerability by sending crafted HTTP requests to an affected device. Successful exploitation allows the attacker to execute arbitrary code as root, potentially resulting in the complete compromise of the device.
Cisco has published a security advisory detailing the vulnerability at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB. Additional resources include information on continued attacks against ASA and FTD at https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks. The vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333.
Details
- CWE(s): CWE-120 (Classic Buffer Overflow)
- KEV Date Added: 25 September 2025