CVE-2025-20333
CVE-2025-20333
In short
A flaw in Cisco Secure Firewall's VPN web server fails to properly validate user input in web requests, allowing someone with valid VPN credentials to send malicious requests and run any code with root privileges on the device.
Technical detail
CWE-120 (buffer overflow/improper input validation) in the VPN web server of Cisco ASA and FTD allows authenticated remote attackers to execute arbitrary code with root privileges via crafted HTTP(S) requests. Exploitation requires valid VPN credentials and results in complete device compromise.
Summary generated and translated by AI from the official description.
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device.
This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
Cisco · Cisco Secure Firewall Adaptive Security Appliance (ASA) SoftwareCisco · Cisco Secure Firewall Threat Defense (FTD) Softwarepublic PoCs found — 1
githubgithub.com/curtishoughton/Cisco-ASA-CVE-2025-20333-Scanner★ 0⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →