CVE-2025-20333
Published: 25 September 2025
Summary
CVE-2025-20333 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software stems from improper validation of user-supplied input in HTTP(S) requests. Tracked as CVE-2025-20333 with a CVSS score of 9.9 and associated with CWE-120, the flaw permits an authenticated remote attacker to send specially crafted requests that result in arbitrary code execution as root on affected devices.
An attacker in possession of valid VPN user credentials can exploit the issue over the network without user interaction to achieve complete compromise of the target appliance. Successful exploitation grants full control of the device, including the ability to execute arbitrary code with the highest privileges.
Cisco has published an advisory detailing the affected versions along with remediation guidance, and the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The associated EPSS score rose from a low baseline to a peak of 0.4143 before settling at a current value of 0.2655, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31140
Vulnerability details
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability…
more
is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.
- CWE(s)
- KEV Date Added
- 25 September 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
RCE via crafted HTTP requests to public-facing VPN web server enables T1190; authenticated low-priv user to root execution enables T1068.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely remediation of known flaws like CVE-2025-20333 through patching, directly preventing exploitation of the VPN web server vulnerability.
SI-10 mandates validation of user-supplied inputs in HTTP(S) requests, comprehensively addressing the improper input validation causing arbitrary code execution.
SI-4 enables monitoring for indicators of crafted HTTP requests or exploitation attempts on the VPN web server, allowing detection of ongoing attacks.