Cyber Resilience

CVE-2025-20362

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 25 September 2025
Modified: 06 November 2025
KEV Added: 25 September 2025
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.5094 (97.9th percentile)
Risk Priority: 64 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20362 is a medium-severity Missing Authorization (CWE-862) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.1% of all CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software stems from improper validation of user-supplied input in HTTP(S) requests. The flaw, tracked as CVE-2025-20362 with CWE-862, enables access to restricted remote-access VPN URL endpoints that should require authentication. It affects devices running releases also covered by the related CVE-2025-20333.

An unauthenticated remote attacker can exploit the issue by sending crafted HTTP requests to the device's web server, gaining access to otherwise protected VPN-related endpoints. A later attack variant observed in November 2025 can additionally trigger unexpected reloads on unpatched devices, producing denial-of-service conditions.

Cisco's advisory directs customers to apply the fixed software releases listed in the advisory and strongly recommends upgrading all affected ASA and FTD installations. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog.

EPSS for the CVE reached a peak of 0.5700 on 2026-04-26 before receding to the current value of 0.4350, indicating elevated exploitation interest after disclosure.

EU & UK References

Vulnerability details

Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. Cisco strongly recommends that all customers upgrade to the fixed software releases that are listed in the Fixed Software section of this advisory.

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.

CWE(s): CWE-862 (Missing Authorization)
KEV Date Added: 25 September 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1133 External Remote Services (Persistence): Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
Why these techniques?

The direct authentication bypass on a public-facing VPN web server enables remote exploitation of an exposed application (T1190) and unauthorized access to external remote-access services (T1133).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20333 · Same product: Cisco Adaptive Security Appliance Software · both on KEV
CVE-2026-20100 · Same product: Cisco Adaptive Security Appliance Software
CVE-2025-20337 · Same vendor: Cisco · both on KEV
CVE-2026-20127 · Same vendor: Cisco · both on KEV
CVE-2026-20131 · Same vendor: Cisco · both on KEV
CVE-2025-20393 · Same vendor: Cisco · both on KEV
CVE-2026-20128 · Same vendor: Cisco · both on KEV
CVE-2026-20045 · Same vendor: Cisco · both on KEV
CVE-2025-20352 · Same vendor: Cisco · both on KEV
CVE-2025-20363 · Same product: Cisco Adaptive Security Appliance Software

Affected Assets

Cisco Adaptive Security Appliance Software: 9.12 — 9.12.4.72 · 9.14 — 9.14.4.28 · 9.16 — 9.16.4.85
Cisco Firepower Threat Defense: 7.0.0 — 7.0.8.1 · 7.1.0 — 7.2.10.2 · 7.3.0 — 7.4.2.4
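As an added example (not part of this record or of Cisco's advisory), the following Python checks an inventory of ASA/FTD devices against the affected ranges listed above and ranks those with an Internet-reachable VPN web server first; it assumes the range bounds are inclusive, treats the ranges shown here as the only ones (Cisco's advisory remains authoritative), and uses constructed hostnames and versions.

```python
# Added example: flag inventory hosts whose ASA/FTD release falls in the
# affected ranges listed on this page. Bounds are assumed inclusive; the list
# is what this page shows, not a substitute for Cisco's advisory.
AFFECTED_RANGES = {
    "asa": [("9.12", "9.12.4.72"), ("9.14", "9.14.4.28"), ("9.16", "9.16.4.85")],
    "ftd": [("7.0.0", "7.0.8.1"), ("7.1.0", "7.2.10.2"), ("7.3.0", "7.4.2.4")],
}

def parse_version(v: str) -> tuple:
    """'9.12.4.72' -> (9, 12, 4, 72); rejects anything that is not dotted integers."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)

def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive comparison; shorter tuples are zero-padded so '9.12' means 9.12.0.0."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) <= pad(hi)

def is_affected(product: str, version: str) -> bool:
    """True when `version` of `product` ('asa' or 'ftd') lies in a listed affected range."""
    ranges = AFFECTED_RANGES.get(product.lower())
    if ranges is None:
        raise ValueError(f"unknown product: {product!r}")
    return any(version_in_range(version, lo, hi) for lo, hi in ranges)

# Constructed inventory (hypothetical hostnames); `vpn_web_exposed` marks devices
# whose VPN web server is reachable from the Internet, the T1190 exposure above.
INVENTORY = [
    {"host": "fw-edge-01", "product": "asa", "version": "9.12.4.70", "vpn_web_exposed": True},
    {"host": "fw-edge-02", "product": "asa", "version": "9.16.4.85", "vpn_web_exposed": True},
    {"host": "fw-core-01", "product": "ftd", "version": "7.2.10.3", "vpn_web_exposed": False},
    {"host": "fw-lab-01", "product": "ftd", "version": "7.4.2.4", "vpn_web_exposed": False},
    {"host": "fw-edge-03", "product": "asa", "version": "9.18.4", "vpn_web_exposed": True},
]

def priority_hosts(inventory: list) -> list:
    """Hosts to patch first: affected release AND VPN web server exposed."""
    return [d["host"] for d in inventory
            if is_affected(d["product"], d["version"]) and d["vpn_web_exposed"]]

if __name__ == "__main__":
    for d in INVENTORY:
        status = "affected" if is_affected(d["product"], d["version"]) else "not in listed ranges"
        print(d["host"], d["version"], status)
    print("patch first:", priority_hosts(INVENTORY))
```

Devices that are affected but not exposed (fw-lab-01 here) still need the fixed release; the ordering only reflects the public-facing attack path this record describes.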

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)

Directly addresses the improper validation of user-supplied input in HTTP(S) requests that enables unauthorized access to restricted VPN URL endpoints.

AC-3 Access Enforcement (prevent)

Enforces approved authorizations to block unauthenticated remote access to sensitive VPN-related resources on the web server.

Flaw remediation (prevent)

Remediates the specific flaw in Cisco ASA/FTD VPN web server software through timely patching, preventing exploitation as recommended by Cisco and as listed in CISA KEV.

References