Full Report
Cisco has issued a critical warning about ongoing attacks targeting a severe remote code execution vulnerability affecting its Secure Firewall, Adaptive Security Appliance, and Threat Defense Software. The company updated its security advisory on November 5, 2025, revealing that threat actors have discovered a new attack variant capable of fully compromising devices on unpatched systems. […] The post Cisco Confirms Active Exploitation of Secure ASA and FTD RCE Vulnerability appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Analysis Summary
# Vulnerability: Critical RCE in Cisco Secure Firewall/ASA/FTD WebVPN
## CVE Details
- CVE ID: CVE-2025-20333
- CVSS Score: 9.9 (Critical)
- CWE: CWE-120 (Buffer Overflow)
## Affected Systems
- Products: Cisco Secure Firewall ASA Software, Cisco Secure Firewall FTD Software
- Versions: Unspecified vulnerable versions (must consult Cisco advisory for specific remediation versions)
- Configurations: VPN features enabled, including AnyConnect IKEv2 Remote Access with client services, Mobile User Security implementations, and SSL VPN deployments.
## Vulnerability Description
The vulnerability resides in the web server component of both Cisco Secure ASA and Secure FTD platforms. It is a buffer overflow flaw caused by improper input validation in HTTP requests. Successful exploitation allows an authenticated remote attacker to execute arbitrary code with root privileges on the affected device. A new attack variant was discovered that specifically causes unpatched devices to reload, resulting in a Denial of Service (DoS) condition.
## Exploitation
- Status: Exploited in the wild (New attack variant confirmed in early November 2025)
- Complexity: Medium (Requires valid VPN user credentials)
- Attack Vector: Network
## Impact
- Confidentiality: High (Root access allows data exfiltration and modification)
- Integrity: High (Ability to modify firewall rules and establish persistence)
- Availability: High (Confirmed ability to cause device reload/DoS)
## Remediation
### Patches
- **Action Required:** Cisco has released fixed software versions. Customers must upgrade immediately. Specific fixed versions should be checked via the official Cisco advisory (CSCwq79831).
### Workarounds
- No workarounds are available to mitigate this vulnerability; patching is the only viable remediation.
## Detection
- **Indicators of Compromise (IOCs):** Device unexpected reloads/crashes on vulnerable systems.
- **Detection Methods and Tools:** Customers uncertain about exposure should use Cisco’s Software Checker tool. After patching, review VPN threat-detection configurations to monitor for remote-access VPN login authentication attacks, client-initiated attacks, and invalid VPN service connection attempts.
## References
- Vendor Advisory (Referenced by Bug ID): CSCwq79831
- Vendor Advisory Link (Defanged): hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB