Back to KEVs

CVE-2025-20333

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense...

Basic Information

CVE State
PUBLISHED
Reserved Date
October 10, 2024
Published Date
September 25, 2025
Last Updated
February 26, 2026
Vendor
Cisco
Product
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software
Description
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.
Tags
cisa

CVSS Scores

CVSS v3.1

9.9 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 10:41:10 UTC) Source

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:41:10 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel