CVE-2025-20362
Published: 25 September 2025
Summary
CVE-2025-20362 is a medium-severity Missing Authorization (CWE-862) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software stems from improper validation of user-supplied input in HTTP(S) requests. The flaw, tracked as CVE-2025-20362 with CWE-862, enables access to restricted remote-access VPN URL endpoints that should require authentication. It affects devices running releases also covered by the related CVE-2025-20333.
An unauthenticated remote attacker can exploit the issue by sending crafted HTTP requests to the device's web server, gaining access to otherwise protected VPN-related endpoints. A later attack variant observed in November 2025 can additionally trigger unexpected reloads on unpatched devices, producing denial-of-service conditions.
Cisco's advisory directs customers to apply the fixed software releases listed in the advisory and strongly recommends upgrading all affected ASA and FTD installations. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog.
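The root cause described above is a missing-authorization bug that arises when a web server checks access against a request path it has not first validated and canonicalized. The following Python example, added here and not taken from Cisco's code or advisory, contrasts a weak prefix check on the raw path with a hardened check that decodes, normalizes and then enforces authorization on the canonical path (the pattern behind the SI-10 and AC-3 controls named in the summary). The `/vpn/restricted/` prefix and the request paths are constructed placeholders; the advisory does not name the actual restricted endpoints.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical protected URL prefix. The real restricted VPN endpoints are
# not named in the advisory, so this is a constructed placeholder.
PROTECTED_PREFIXES = ("/vpn/restricted/",)


def weak_is_protected(raw_path: str) -> bool:
    """Weak check: compares the request path exactly as it arrived.

    Percent-encoding, '..' segments, duplicate slashes or a query string
    make the same resource look like a different path, so protected
    endpoints can be reached without the check ever firing.
    """
    return raw_path.startswith(PROTECTED_PREFIXES)


def canonicalize(raw_path: str) -> str:
    """Reduce a raw request path to one canonical form (SI-10).

    Steps: drop the query string, percent-decode (twice, so a
    double-encoded path still resolves to the same canonical form; being
    over-inclusive is the safe direction for an authorization gate),
    treat backslashes as separators, force a leading slash, and collapse
    '.', '..' and repeated slashes with posixpath.normpath.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def hardened_is_protected(raw_path: str) -> bool:
    """Decide protection on the canonical path, not the raw one.

    Matches both the prefix itself (with or without trailing slash) and
    anything beneath it, while not matching sibling names such as
    '/vpn/restrictedx'.
    """
    canonical = canonicalize(raw_path)
    return any(
        canonical == prefix.rstrip("/") or canonical.startswith(prefix)
        for prefix in PROTECTED_PREFIXES
    )


def authorize(raw_path: str, session_authenticated: bool) -> str:
    """Access-enforcement gate (AC-3): 'deny' protected paths without a session."""
    if hardened_is_protected(raw_path) and not session_authenticated:
        return "deny"
    return "allow"


# Constructed request paths illustrating how the two checks diverge.
SAMPLE_PATHS = [
    "/vpn/restricted/config",              # plain: both checks catch it
    "/vpn/public/../restricted/config",    # dot-dot segment: weak check misses
    "/vpn/%72estricted/config",            # percent-encoded 'r': weak check misses
    "/vpn//restricted/config",             # duplicate slash: weak check misses
    "/vpn/restricted/config?x=1",          # query string: both catch it (prefix still matches)
    "/vpn/public/index.html",              # genuinely public: neither flags it
]


def compare_checks(paths=SAMPLE_PATHS) -> dict:
    """Return {path: (weak_result, hardened_result)} for each sample path."""
    return {p: (weak_is_protected(p), hardened_is_protected(p)) for p in paths}


if __name__ == "__main__":
    for path, (weak, hardened) in compare_checks().items():
        print(f"{path:40} weak={weak!s:5} hardened={hardened}")
```

The design point is ordering: validation and canonicalization happen before the authorization decision, and the decision is made on the canonical string only. A check that runs on the raw request string, or that canonicalizes after deciding, reproduces the class of flaw the advisory describes regardless of how carefully the prefix list itself is maintained.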
EPSS for the CVE reached a peak of 0.5700 on 2026-04-26 before receding to the current value of 0.4350, indicating elevated exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31139
Vulnerability details
Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. Cisco strongly recommends that all customers upgrade to the fixed software releases that are listed in the Fixed Software section of this advisory.
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.
- CWE(s): CWE-862 (Missing Authorization)
- KEV Date Added: 25 September 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A direct authentication bypass on the public-facing VPN web server enables remote exploitation of an exposed application (T1190) and unauthorized access through an external remote access service (T1133).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the improper validation of user-supplied input in HTTP(S) requests that enables unauthorized access to restricted VPN URL endpoints.
- AC-3 (Access Enforcement): Enforces approved authorizations to block unauthenticated remote access to sensitive VPN-related resources on the web server.
- Timely patching: Remediates the specific flaw in Cisco ASA/FTD VPN web server software by applying the fixed releases, preventing exploitation as recommended by Cisco and reflected in the CISA KEV listing.