Cisco has released advisories for a zero-day exploit chain affecting its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software, which is reportedly being used in highly targeted attacks by an unknown threat actor.
According to Rapid7, the exploit chain combines two vulnerabilities, CVE-2025-20362 and CVE-2025-20333, to achieve unauthenticated remote code execution (RCE) on vulnerable devices.
A third vulnerability, CVE-2025-20363, was also patched, but evidence suggests only the first two are actively used in the attack chain.
The core of the issue lies within the clientless VPN (WebVPN) feature, allowing an attacker to bypass authentication and then trigger a memory corruption flaw.
The Two-Stage Exploit Chain
The attack begins with CVE-2025-20362, an authentication bypass vulnerability caused by a path traversal flaw. It allows an unauthenticated, remote attacker to access restricted URL endpoints that should normally require authentication.
The flaw is a variant of a previously discovered vulnerability, CVE-2018-0296. Attackers can exploit it by sending a specially crafted HTTP request, such as CSCOU…CSCOE, to the device's web server.
This bypasses security checks and grants access to authenticated endpoints, setting the stage for the second part of the attack. A successful bypass can be identified if the server responds with “CSRF token mismatch” or “Failed to upload file”.
Once authentication is bypassed, the attacker leverages CVE-2025-20333, a buffer overflow vulnerability within the WebVPN feature's file upload handling process.
This flaw, classified as CWE-120 (Buffer Copy without Checking Size of Input), is located in a Lua script that processes file uploads. Specifically, the script fails to validate the size of the “boundary” value in an HTTP request.
By sending a request with a boundary string larger than the allocated 8192-byte buffer, an attacker can overflow it, because the HTTPCONTENTTOBUFFER function is called with a length greater than the buffer's capacity.
This memory corruption can be triggered via the CSCOEfilesfileaction.html endpoint, which becomes accessible due to the initial authentication bypass, according to Rapid7's analysis.
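As an added defender-side example, not code from the article or from Rapid7, here is a small Python request inspector that flags the two conditions the chain depends on: a traversal sequence in the request path, and a multipart boundary longer than the 8192-byte buffer the article describes. The sample requests are constructed, and the 8192-byte limit is taken from the article.

```python
import re
from typing import Optional

# Size of the fixed buffer the article says the WebVPN upload script copies the
# multipart "boundary" value into; a longer boundary is the article's overflow condition.
BOUNDARY_LIMIT = 8192

# Case-insensitive match for "../" or "..%2f" traversal sequences in a request target.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|%2f)", re.IGNORECASE)


def boundary_length(content_type: str) -> Optional[int]:
    """Length of the multipart boundary parameter, or None if the header has none."""
    m = re.search(r'boundary=(?:"([^"]*)"|([^;\s]+))', content_type, re.IGNORECASE)
    if not m:
        return None
    return len(m.group(1) if m.group(1) is not None else m.group(2))


def inspect_request(path: str, headers: dict) -> list:
    """Return findings for one HTTP request; an empty list means nothing suspicious."""
    findings = []
    if TRAVERSAL_RE.search(path):
        findings.append("traversal sequence in request path")
    # Header names are case-insensitive in HTTP, so match them that way.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    blen = boundary_length(ctype)
    if blen is not None and blen > BOUNDARY_LIMIT:
        findings.append(f"multipart boundary of {blen} bytes exceeds the {BOUNDARY_LIMIT}-byte buffer")
    return findings


# Constructed sample requests (not captured traffic): a normal upload, a generic
# traversal attempt, and an upload whose boundary parameter exceeds the buffer size.
SAMPLE_REQUESTS = [
    ("/upload", {"Content-Type": "multipart/form-data; boundary=----FormBoundary7MA4YWxk"}),
    ("/images/../protected/index.html", {"Accept": "text/html"}),
    ("/upload", {"content-type": 'multipart/form-data; boundary="' + "B" * 9000 + '"'}),
]


def scan(requests) -> dict:
    """Map each request index to its findings, keeping only requests that had any."""
    return {i: f for i, (path, hdrs) in enumerate(requests) if (f := inspect_request(path, hdrs))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: " + "; ".join(findings))
```

The boundary check is cheap enough to run on a reverse proxy or WAF in front of the WebVPN portal; the traversal check is a generic indicator and will also catch unrelated probes.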
Mitigations
Successfully chaining these two vulnerabilities results in unauthenticated RCE, giving an attacker full control over an affected Cisco firewall.
The exploit is non-trivial but has been confirmed to be active in the wild, leading to system crashes and reboots on vulnerable devices. The vulnerability is due to improper validation of user-supplied input in HTTP(S) requests.
Both Cisco ASA and FTD software are affected when the clientless VPN (WebVPN) portal is enabled. Cisco has released patched software versions, including ASAv version 9.16.4.85, to address these critical vulnerabilities.
Administrators are strongly urged to update their systems immediately to prevent potential exploitation.