Cisco Warns Of Hackers Actively Exploiting Asa And Ftd 0-day Rce...

Cisco has confirmed that threat actors are actively exploiting a critical remote code execution (RCE) flaw in its Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) software.

First disclosed on September 25, 2025, the vulnerability tracked as CVE-2025-20333 poses a severe risk to organizations relying on these firewalls for VPN access. With a CVSS score of 9.9, it enables authenticated attackers to run arbitrary code with root privileges, potentially leading to full device compromise.

The issue stems from inadequate validation of user-supplied input in the VPN web server’s handling of HTTP(S) requests. An attacker armed with valid VPN credentials can craft malicious requests to trigger the flaw, bypassing normal safeguards and executing code that could exfiltrate data, install malware, or pivot deeper into networks.

Cisco’s advisory, updated November 5, 2025, reveals a new attack variant targeting unpatched systems, causing devices to reload unexpectedly and triggering denial-of-service (DoS) disruptions.

This escalation underscores the urgency, as real-world exploits have already surfaced in the wild, according to Cisco’s Event Response team.

At its core, CVE-2025-20333 exploits a buffer overflow (CWE-120) in the webvpn component, active when certain remote access features are enabled.

For ASA software, vulnerable setups include AnyConnect IKEv2 with client services, Mobile User Security (MUS), or basic SSL VPN configurations enabled via commands like “webvpn enable.”

FTD devices face similar risks through IKEv2 remote access or SSL VPN enabled in management interfaces like Cisco Secure Firewall Management Center.

Only devices with enabled SSL listen sockets for these features are exposed; Cisco Secure FMC Software remains unaffected.

No workarounds exist, leaving upgrades as the sole defense. Cisco urges immediate patching to fixed releases listed in the advisory, such as ASA 9.18.4.19 or FTD 7.4.2.
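Because the only defence is upgrading, the first job for a defender is deciding which appliances are actually exposed. The following script is an added example, not Cisco's own tooling or anything taken from the advisory: it parses a saved ASA running-config for the three feature patterns the article names (SSL VPN via `webvpn` / `enable <interface>`, AnyConnect IKEv2 with client services, and MUS) and compares a running version against a fixed release. The CLI stanza shapes it matches (`crypto ikev2 enable <if> client-services port <n>`, a top-level `webvpn` block containing `enable <if>` and `mus server enable port <n>`) are assumptions about ASA syntax, and both sample configurations are constructed. Fixed releases differ per software train, so the version check must be paired with the correct entry from Cisco's advisory; the article names ASA 9.18.4.19 and FTD 7.4.2 only as examples.

```python
import re

# Assumed ASA CLI stanza shapes for the exposure conditions the article lists.
# These are not copied from Cisco's advisory; adjust if your configs differ.
IKEV2_CLIENT_SERVICES = re.compile(r"^crypto ikev2 enable (\S+) client-services port (\d+)")
WEBVPN_ENABLE = re.compile(r"^\s+enable (\S+)")
MUS_SERVER = re.compile(r"^\s+mus server enable port (\d+)")


def find_exposed_features(running_config: str) -> dict:
    """Scan an ASA running-config for the VPN features that open the
    vulnerable SSL listen socket. Returns which were found and where."""
    result = {"ssl_vpn": [], "ikev2_client_services": [], "mus": False}
    in_webvpn = False
    for line in running_config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        # Any unindented line ends the current block; only a bare top-level
        # "webvpn" opens the block we care about (the indented "webvpn"
        # sub-mode under group-policy attributes is deliberately ignored).
        if not line.startswith(" "):
            in_webvpn = line.strip() == "webvpn"
            m = IKEV2_CLIENT_SERVICES.match(line)
            if m:
                result["ikev2_client_services"].append((m.group(1), int(m.group(2))))
            continue
        if in_webvpn:
            m = WEBVPN_ENABLE.match(line)
            if m:
                result["ssl_vpn"].append(m.group(1))
            elif MUS_SERVER.match(line):
                result["mus"] = True
    return result


def is_exposed(running_config: str) -> bool:
    """True if any of the three exposure conditions is present."""
    f = find_exposed_features(running_config)
    return bool(f["ssl_vpn"] or f["ikev2_client_services"] or f["mus"])


def version_tuple(version: str) -> tuple:
    """Accept both '9.18.4.19' and the '9.18(4)19' style shown by 'show version'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def needs_upgrade(running_version: str, fixed_version: str) -> bool:
    """True when the running release sorts before the fixed release of the
    same train. Caller must supply the fixed release for that train."""
    return version_tuple(running_version) < version_tuple(fixed_version)


# Constructed sample: all three exposure conditions present.
EXPOSED_CONFIG = """\
! constructed sample, not from any real device
hostname edge-fw1
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
 mus password ****
 mus server enable port 443
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect keep-installer installed
"""

# Constructed sample: IKEv2 without client services, no webvpn listen socket.
SAFE_CONFIG = """\
! constructed sample, not from any real device
hostname edge-fw2
crypto ikev2 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2
"""

if __name__ == "__main__":
    for name, cfg in (("edge-fw1", EXPOSED_CONFIG), ("edge-fw2", SAFE_CONFIG)):
        state = "EXPOSED" if is_exposed(cfg) else "not exposed"
        print(f"{name}: {state} {find_exposed_features(cfg)}")
    # Fixed release taken from the article for the ASA 9.18 train only.
    print("9.18(4)15 needs upgrade to 9.18.4.19:", needs_upgrade("9.18(4)15", "9.18.4.19"))
```

Run it against `show running-config` output captured from each appliance; a device reported as exposed and running a release older than the fixed one for its train is the one to take offline or upgrade first. Exposure here means the vulnerable listen socket is open, which the article identifies as the precondition for the exploit, not that compromise has occurred.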

CVE Details

Severity: CRITICAL
Affected Product: Cisco
CWE: CWE-120
Impact: remote code execution