Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Authenticated root RCE in Cisco ASA/FTD VPN web server

IdentifiersCVE-2025-20333CWE-20

CVE-2025-20333 is a vulnerability in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The issue is caused by improper validation of user-supplied input in HTTP(S) requests. An authenticated remote attacker with valid VPN user credentials can send crafted HTTP requests to an affected device and trigger arbitrary code execution on the appliance. Cisco states successful exploitation can result in code execution as root, leading to full compromise of the affected device. Multiple supporting reports place the vulnerable surface in the WebVPN/VPN web server request-handling path, and note exploitation in the wild as part of campaigns deploying FIRESTARTER and related tooling.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution as root on the affected Cisco security appliance. This can result in complete compromise of the device, including takeover of the firewall/VPN platform, execution of malicious commands, deployment of implants or persistence mechanisms, interception or manipulation of traffic handled by the appliance, theft of sensitive configuration material and credentials, and use of the device as a foothold for further intrusion into internal networks. Supporting reporting also indicates exploitation has been associated with malware deployment and, in some cases, denial-of-service conditions on unpatched devices.

Mitigation

If you can’t patch tonight, do this now.

Until patching and full remediation can be completed, reduce exposure of the VPN web server/WebVPN interface to only necessary networks, restrict management and VPN access paths, and limit valid VPN accounts to the minimum required. Enforce strong authentication controls for VPN users, monitor for anomalous crafted HTTP(S)/WebVPN requests and suspicious process or file artifacts associated with known post-exploitation activity, and follow Cisco/CISA detection guidance including memory or core-dump analysis where compromise is suspected. If there is evidence of FIRESTARTER-style persistence, normal rebooting or patching may be insufficient; follow vendor and CISA incident-response guidance, which may include reimaging and hard power-cycle procedures for eradication.

Remediation

Patch, then assume compromise.

Apply Cisco’s fixed software releases for affected Cisco Secure Firewall ASA and FTD versions as provided in Cisco’s security advisory for CVE-2025-20333. Because this vulnerability has been reported as exploited in the wild and post-compromise persistence such as FIRESTARTER may survive normal patching, remediation should not stop at software upgrade alone if compromise is suspected. For potentially compromised devices, follow Cisco and CISA guidance to collect forensic artifacts, assess for indicators of compromise, and reimage or otherwise perform vendor-recommended eradication steps before returning the device to service. Treat device configuration and credentials as potentially exposed after confirmed compromise and rotate or re-establish trust as appropriate.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Cisco SystemsAdaptive Security Appliance Softwareoperating_system
Cisco SystemsFirepower Threat Defenseapplication
Cisco SystemsSecure Firewall Asa Softwareapplication
Cisco SystemsSecure Firewall Ftd Softwareapplication
Cisco SystemsSecure Firewall Threat Defense Softwareapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

336 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

336 SOURCESView more in app
cyber security newsNews
May 22, 2026
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

Cisco ASA/AnyConnect VPN vulnerability used for initial access into internal networks.

Read more
malware newsNews
May 22, 2026
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence - Malware News - Malware Analysis, News and Indicators

A Cisco firewall and VPN zero-day vulnerability mentioned in references as part of the broader trend of edge-device exploitation.

Read more
microsoft security blogNews
May 22, 2026
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence | Microsoft Security Blog

A Cisco firewall and VPN zero-day vulnerability referenced in related context about edge-device exploitation trends.

Read more
sdxcentral cybersecurityNews
May 12, 2026
Cisco to plug leaky legacy ware with Resilient Infrastructure service - SDxCentral

A remote code execution vulnerability in Cisco firewall offerings that may have enabled unauthorized access as part of the ArcaneDoor campaign.

Read more
+40 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence28

Every observed campaign linking this CVE to a named adversary.

Associated malware45

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity152

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-20333
NVD
nvd.nist.gov/vuln/detail/CVE-2025-20333
MITRE CWE · CWE-20
cwe.mitre.org
Vendor Advisory
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
Vendor Advisory
sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333