Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Authenticated root RCE in Cisco Secure Firewall ASA/FTD VPN web server

IdentifiersCVE-2025-20333CWE-120· Buffer Copy without Checking Size…

CVE-2025-20333 is a critical buffer overflow vulnerability in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The flaw is caused by improper validation of user-supplied input in HTTP(S) requests processed by the WebVPN service. According to the provided content, attacker-controlled request data can be copied into an internal buffer without adequate bounds checking, allowing memory corruption and potential overwrite of adjacent structures or control data. A remote attacker with valid VPN user credentials can exploit the issue by sending crafted HTTP requests to an affected device. Successful exploitation can result in arbitrary code execution as root on the appliance.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to full compromise of the affected Cisco ASA or FTD device. Because code execution occurs as root, an attacker can take complete control of the firewall or VPN appliance, access or alter configuration and credentials, interfere with logging, deploy follow-on malware or persistence mechanisms, and use the device as a pivot point for further intrusion or data access. The content also notes confirmed in-the-wild exploitation and association with broader post-exploitation activity on Cisco perimeter devices.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the VPN web server by restricting WebVPN access with ACLs or other network controls, limiting access to trusted source ranges, and disabling WebVPN where operationally feasible. Increase logging and monitoring around WebVPN HTTP(S) activity and VPN authentication events, preserve forensic artifacts, and rotate credentials associated with VPN access. For suspected compromise, isolate the device and follow Cisco/CISA incident response guidance.

Remediation

Patch, then assume compromise.

Apply Cisco's fixed software releases for affected Cisco Secure Firewall ASA and FTD versions as identified in Cisco's September 2025 security advisory. Organizations should use Cisco's Software Checker or equivalent vendor guidance to determine exposure and upgrade all affected devices immediately. If compromise is suspected, patching alone may not be sufficient to remove post-exploitation implants referenced in the content; affected devices should be investigated for persistence and reimaged or otherwise remediated in accordance with Cisco and CISA guidance.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Cisco SystemsAdaptive Security Appliance Softwareoperating_system
Cisco SystemsFirepower Threat Defenseapplication
Cisco SystemsSecure Firewall Asa Softwareapplication
Cisco SystemsSecure Firewall Ftd Softwareapplication
Cisco SystemsSecure Firewall Threat Defense Softwareapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

340 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

340 SOURCESView more in app
cyber security newsNews
May 22, 2026
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

Cisco ASA/AnyConnect VPN vulnerability used for initial access into internal networks.

Read more
malware newsNews
May 22, 2026
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence - Malware News - Malware Analysis, News and Indicators

A Cisco firewall and VPN zero-day vulnerability mentioned in references as part of the broader trend of edge-device exploitation.

Read more
microsoft security blogNews
May 22, 2026
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence | Microsoft Security Blog

A Cisco firewall and VPN zero-day vulnerability referenced in related context about edge-device exploitation trends.

Read more
sdxcentral cybersecurityNews
May 12, 2026
Cisco to plug leaky legacy ware with Resilient Infrastructure service - SDxCentral

A remote code execution vulnerability in Cisco firewall offerings that may have enabled unauthorized access as part of the ArcaneDoor campaign.

Read more
+40 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence29

Every observed campaign linking this CVE to a named adversary.

Associated malware47

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity152

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-20333
NVD
nvd.nist.gov/vuln/detail/CVE-2025-20333
MITRE CWE · CWE-120
Buffer Copy without Checking Size of Input…
Vendor Advisory
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
Vendor Advisory
sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333