A critical zero-day vulnerability affecting thousands of Cisco firewalls is being actively exploited by threat actors in the wild.
The vulnerability, tracked as CVE-2025-20333, poses an immediate threat to organizations worldwide. With a CVSS score of 9.9, it is one of the most severe security flaws found in enterprise firewall infrastructure this year.
According to data from The Shadowserver Foundation, over 48,800 unpatched IP addresses were identified on September 29, 2025, with the United States having the most exposure.
The vulnerability affects Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, specifically the VPN web server component that millions of organizations rely on for remote access.
Buffer Overflow Vulnerability (CVE-2025-20333)
The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests processed by the VPN web server.
Classified as a CWE-120 buffer overflow, the flaw allows authenticated remote attackers to execute arbitrary code with root privileges on affected devices.
This level of access effectively grants full control over the firewall, enabling attackers to modify security policies, intercept network traffic, and establish persistent backdoors.
The attack vector requires valid VPN user credentials, which attackers can obtain through various methods including credential stuffing, phishing campaigns, or exploiting weak authentication mechanisms.
Once authenticated, attackers can send specially crafted HTTP requests containing malicious payloads that overflow memory buffers, allowing shellcode execution in the context of the root user.
Cisco's Product Security Incident Response Team (PSIRT) has confirmed active exploitation attempts and warns that successful attacks could result in complete device compromise.
The vulnerability affects devices running vulnerable releases of ASA or FTD software with specific configurations enabled, including AnyConnect IKEv2 Remote Access, Mobile User Security (MUS), and SSL VPN services.
The affected configurations include critical enterprise features that organizations depend on for secure remote access. Vulnerable configurations include:
AnyConnect IKEv2 Remote Access with client services enabled
Mobile User Security (MUS) implementations
SSL VPN deployments
These configurations are common in enterprise environments, particularly those supporting remote workforce initiatives.
The vulnerability's severity is compounded by the fact that Cisco has confirmed that no workarounds exist to mitigate the risk without applying security patches.
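Because the three configurations above are what make a device exposed, the first thing a defender wants is a quick way to tell whether a given ASA or FTD running-config enables any of them. The script below is an added example written for this article; it is not Cisco's tooling and not part of the original report. It scans the text of a `show running-config` dump for the CLI forms that this example assumes correspond to each feature (the `crypto ikev2 enable ... client-services` line, and the `enable <interface>` and `mus server enable` sub-commands of the `webvpn` block); confirm those patterns against Cisco's advisory for your release before relying on the result. The sample configuration embedded in the block is constructed for the example and does not describe any real device.

```python
"""Scan an ASA/FTD running-config for the VPN web server features the article
lists as vulnerable configurations (added example, not Cisco's own tooling)."""
import re

# Assumed ASA CLI forms for each feature; verify against Cisco's advisory.
IKEV2_CLIENT_SERVICES = re.compile(r"^crypto ikev2 enable \S+ client-services(?: port \d+)?$")
MUS_SERVER = re.compile(r"^\s+mus server enable(?: port \d+)?$")
SSLVPN_ENABLE = re.compile(r"^\s+enable \S+$")

FEATURE_IKEV2 = "AnyConnect IKEv2 Remote Access (client services)"
FEATURE_MUS = "Mobile User Security (MUS)"
FEATURE_SSLVPN = "SSL VPN"


def find_vulnerable_features(config_text):
    """Return the set of article-listed VPN features enabled in config_text.

    ASA prints top-level commands in column 0 and sub-mode commands indented,
    so the top-level 'webvpn' block is tracked by watching column-0 lines.
    """
    found = set()
    in_webvpn = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!") or line.startswith(":"):
            continue  # blank, comment, or 'show running-config' banner line
        if not line.startswith(" "):
            # A new top-level command ends any previous sub-mode.
            in_webvpn = (line == "webvpn")
            if IKEV2_CLIENT_SERVICES.match(line):
                found.add(FEATURE_IKEV2)
            continue
        if in_webvpn:
            if MUS_SERVER.match(line):
                found.add(FEATURE_MUS)
            elif SSLVPN_ENABLE.match(line):
                found.add(FEATURE_SSLVPN)
    return found


def exposure_report(config_text):
    """Return (exposed, sorted feature names) for a running-config dump."""
    features = sorted(find_vulnerable_features(config_text))
    return bool(features), features


# Constructed sample running-config for this example (not a real device).
SAMPLE_CONFIG = """\
: Saved
hostname edge-fw
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz
webvpn
 enable outside
 anyconnect enable
 mus password ***
 mus server enable port 443
group-policy GP internal
group-policy GP attributes
 webvpn
  anyconnect keep-installer installed
"""

if __name__ == "__main__":
    exposed, features = exposure_report(SAMPLE_CONFIG)
    print("exposed:", exposed)
    for name in features:
        print(" -", name)
```

A device that only has `crypto ikev2 enable outside` without `client-services`, or a `webvpn` block that never issues `enable <interface>`, is not flagged, which matches the article's wording that the IKEv2 case requires client services. The indented `webvpn` under `group-policy ... attributes` is deliberately ignored because it is a sub-mode, not the global VPN web server block.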
Missing Authorization Flaw (CVE-2025-20362)
A secondary vulnerability, CVE-2025-20362 (CVSS 6.5), accompanies the primary flaw and allows unauthenticated attackers to access restricted VPN endpoints that should require authentication.
This unauthorized access vulnerability, classified as CWE-862 (Missing Authorization), can serve as a reconnaissance tool for attackers planning more sophisticated attacks.
CVE              Title                                               CVSS 3.1 Score   Severity
CVE-2025-20333   VPN Web Server Remote Code Execution Vulnerability  9.9              Critical
CVE-2025-20362   VPN Web Server Unauthorized Access Vulnerability    6.5              Medium
Cisco has released emergency security updates addressing both vulnerabilities and strongly recommends immediate patching.
Organizations should prioritize these updates given the active exploitation and the critical nature of the affected systems.
The company also advises reviewing threat detection configurations for VPN services to strengthen protection against authentication attacks and unauthorized connection attempts.