Cyber Resilience

CVE-2025-20333

Severity: Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 25 September 2025
Modified: 28 October 2025
KEV Added: 25 September 2025
Patch: see Cisco advisory
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.2465 (96.3rd percentile)
Risk Priority: 55 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20333 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks in the top 3.7% of all CVEs by exploit likelihood (EPSS); and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software stems from improper validation of user-supplied input in HTTP(S) requests. Tracked as CVE-2025-20333 with a CVSS score of 9.9 and associated with CWE-120, the flaw permits an authenticated remote attacker to send specially crafted requests that result in arbitrary code execution as root on affected devices.

An attacker in possession of valid VPN user credentials can exploit the issue over the network without user interaction to achieve complete compromise of the target appliance. Successful exploitation grants full control of the device, including the ability to execute arbitrary code with the highest privileges.

Cisco has published an advisory detailing the affected versions along with remediation guidance, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score rose from a low baseline to a peak of 0.4143 before settling at a current value of 0.2655, indicating that exploitation interest increased after public disclosure.


Vulnerability details

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.

CWE(s): CWE-120 (Classic Buffer Overflow)
KEV Date Added: 25 September 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Remote code execution via crafted HTTP requests to the public-facing VPN web server maps to T1190; an authenticated low-privilege VPN user gaining code execution as root maps to T1068.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20362 · Same product: Cisco Adaptive Security Appliance Software · both on KEV
CVE-2026-20100 · Same product: Cisco Adaptive Security Appliance Software
CVE-2025-20337 · Same vendor: Cisco · both on KEV
CVE-2026-20122 · Same vendor: Cisco · both on KEV
CVE-2026-20127 · Same vendor: Cisco · both on KEV
CVE-2026-20131 · Same vendor: Cisco · both on KEV
CVE-2025-20393 · Same vendor: Cisco · both on KEV
CVE-2026-20128 · Same vendor: Cisco · both on KEV
CVE-2026-20045 · Same vendor: Cisco · both on KEV
CVE-2025-20352 · Same vendor: Cisco · both on KEV

Affected Assets

Cisco Adaptive Security Appliance Software: 9.12 — 9.12.4.72 · 9.14 — 9.14.4.28 · 9.16 — 9.16.4.85
Cisco Firepower Threat Defense: 7.6.0 · 7.0.0 — 7.0.8.1 · 7.1.0 — 7.2.9 · 7.3.0 — 7.4.2.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: SI-2 (Flaw Remediation) requires timely remediation of known flaws like CVE-2025-20333 through patching, directly preventing exploitation of the VPN web server vulnerability.

Prevent: SI-10 (Information Input Validation) mandates validation of user-supplied inputs in HTTP(S) requests, comprehensively addressing the improper input validation that leads to arbitrary code execution.

Detect: SI-4 (System Monitoring) enables monitoring for indicators of crafted HTTP requests or exploitation attempts against the VPN web server, allowing detection of ongoing attacks.
