Active Exploitation of Multiple Vulnerabilities in Cisco Products
26 September 2025
Cisco has released security updates addressing multiple vulnerabilities (CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363) in their ASA, FTD and IOS products.
Background
Cisco has released security updates addressing multiple vulnerabilities (CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363) in their Adaptive Security Appliance Software (ASA), Secure Firewall Threat Defense (FTD) and Internetworking Operating System (IOS) products. These vulnerabilities stem from improper validation of user-supplied input in HTTP(S) requests.
Impact
CVE-2025-20333: An authenticated attacker with valid VPN user credentials could exploit this vulnerability to execute arbitrary code as root, resulting in complete compromise of the affected device. This vulnerability has a CVSSv3.1 score of 9.9.
CVE-2025-20362: An unauthenticated attacker could exploit this vulnerability to access restricted URL endpoints that would otherwise require authentication. This vulnerability has a CVSSv3.1 score of 6.5.
CVE-2025-20363: An unauthenticated attacker could exploit this vulnerability to execute arbitrary code as root, resulting in complete compromise of the affected device. For Cisco IOS, IOS XE, and IOS XR Software, authentication is required for exploitation. This vulnerability has a CVSSv3.1 score of 9.0.
Known Exploitation
CVE-2025-20333 and CVE-2025-20362 are reportedly under widespread exploitation in the wild. Cisco notes that these vulnerabilities have been exploited to compromise Cisco ASA 5500-X Series devices with VPN web services enabled, resulting in malware implantation, command execution, and potential data exfiltration.
Administrators of these products are advised to follow Cisco's detailed guidance on detection and recovery steps found here:
Affected Products
The following Cisco ASA and FTD Software versions are affected by these vulnerabilities when running a vulnerable version with one or more vulnerable configurations (IKEv2 Remote Access, Mobile User Security and SSL VPN):
Cisco ASA Software releases 9.12 to 9.23x;
Cisco FTD Software releases 7.0 to 7.7x;
CVE-2025-20363 also affects the following products:
IOS Software, if the Remote Access SSL VPN feature has been enabled;
IOS-XE Software, if the Remote Access SSL VPN feature has been enabled; and
IOS-XR Software (32-bit), if running on Cisco ASR 9001 Routers with the HTTP server enabled.
The Cisco Software Checker may be used to determine whether a specific software version is vulnerable.
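The following Python script is an added example, not part of the SingCERT advisory or any Cisco tooling: it triages a constructed device inventory against the affected release ranges and vulnerable configurations listed above, so that only devices needing a definitive check with the Cisco Software Checker are surfaced. The inventory records, feature labels and version strings are all assumed and constructed for illustration.

```python
"""Triage a device inventory against the affected products named in this advisory."""
from dataclasses import dataclass, field

# Affected release ranges as stated in the advisory (major.minor, inclusive).
ASA_RANGE = ((9, 12), (9, 23))
FTD_RANGE = ((7, 0), (7, 7))
# Configurations the advisory names as vulnerable for ASA/FTD (labels are constructed).
VULN_CONFIGS = {"ikev2-remote-access", "mobile-user-security", "ssl-vpn"}
ALL_CVES = ["CVE-2025-20333", "CVE-2025-20362", "CVE-2025-20363"]

@dataclass
class Device:
    name: str
    product: str                      # "ASA", "FTD", "IOS", "IOS-XE" or "IOS-XR"
    version: str                      # e.g. "9.18.4"
    features: set = field(default_factory=set)
    platform: str = ""                # e.g. "ASR 9001"
    bits: int = 64

def major_minor(version):
    """Reduce a dotted release string to the (major, minor) tuple the advisory ranges use."""
    parts = version.split(".")
    return int(parts[0]), int(parts[1])

def potentially_affected(dev):
    """Return the CVEs the device must be checked for, or [] if it is out of scope."""
    if dev.product in ("ASA", "FTD"):
        lo, hi = ASA_RANGE if dev.product == "ASA" else FTD_RANGE
        if lo <= major_minor(dev.version) <= hi and dev.features & VULN_CONFIGS:
            return list(ALL_CVES)
        return []
    if dev.product in ("IOS", "IOS-XE"):      # Remote Access SSL VPN enabled
        return ["CVE-2025-20363"] if "ssl-vpn" in dev.features else []
    if dev.product == "IOS-XR":               # 32-bit on ASR 9001 with HTTP server enabled
        if dev.bits == 32 and dev.platform == "ASR 9001" and "http-server" in dev.features:
            return ["CVE-2025-20363"]
    return []

def triage(inventory):
    """Map device name -> CVEs for every device that needs a Software Checker lookup."""
    return {d.name: cves for d in inventory if (cves := potentially_affected(d))}

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("fw-edge-1", "ASA", "9.18.4", {"ssl-vpn"}),
    Device("fw-core-1", "FTD", "7.4.2", set()),                 # no vulnerable configuration
    Device("fw-lab-1", "ASA", "9.8.4", {"ssl-vpn"}),            # below the affected range
    Device("rtr-branch-1", "IOS-XE", "17.9.4", {"ssl-vpn"}),
    Device("rtr-asr-1", "IOS-XR", "6.5.3", {"http-server"}, platform="ASR 9001", bits=32),
]

if __name__ == "__main__":
    for name, cves in triage(INVENTORY).items():
        print(f"{name}: confirm with the Cisco Software Checker for {', '.join(cves)}")
```

A hit here means only that the device falls inside the advisory's stated scope; the fixed-release decision still belongs to the Cisco Software Checker.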
Mitigation
Administrators of affected Cisco products are advised to update to the latest version immediately.
As a short-term measure, administrators can reduce risk by disabling all SSL/TLS-based VPN web services, for example by disabling IKEv2 client services and all SSL VPN services. Please refer to Cisco's guidance here.
Administrators of Cisco Secure Firewall ASA appliances are also advised to review Cisco's guidance on enabling protections against remote access VPN login authentication attacks, client initiation attacks, and attempts to connect to an invalid VPN service.
Reporting Compromise
Organisations are encouraged to report any compromised Cisco devices to SingCERT at https://www.csa.gov.sg/resources/singcert/cyber-aid.
References
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
https://nvd.nist.gov/vuln/detail/CVE-2025-20333