Emergency Security Bulletin: Cisco ASA / FTD VPN Web Server Remote Code Execution Vulnerability

By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2025-20333 is a critical remote code execution vulnerability in Cisco ASA and FTD VPN web servers, allowing authenticated attackers to execute arbitrary commands with root privileges via crafted HTTPS requests.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Cisco ASA / FTD VPN Web Server Remote Code Execution Vulnerability

CVSS Score: 9.9 (Critical)
Identifier: CVE-2025-20333  
Exploit or Proof of Concept (PoC): Yes — attempted exploitation has been observed in the wild
Update: CVE-2025-20333 – Cisco Security Advisory 

Description:  

CVE-2025-20333 is a critical remote code execution vulnerability in the VPN web server component of Cisco Secure Firewall ASA and Cisco Secure Firewall Threat Defense (FTD) software. The flaw results from improper validation of specially crafted HTTP(S) requests directed at the VPN web interface. An attacker with valid VPN user credentials may trigger this vulnerability by submitting malicious payloads, potentially leading to root-level command execution on the firewall.

Mitigation Recommendation:   

Upgrade immediately to the fixed ASA/FTD software versions listed in the Cisco advisory. Because there are no reliable workarounds, treat this as a top-priority patch. Additionally, restrict access to VPN web interfaces, monitor for exploit traffic patterns, and review logs for anomalous HTTP requests with overflow signatures.