
On September 25, 2025, Cisco warned that it had discovered two zero-day vulnerabilities in Cisco ASA (Adaptive Security Appliance) that are being exploited in the wild. In this post, we examine the threats and impacts of CVE-2025-20333 and CVE-2025-20362, and discuss recommended security mitigations.
CVE-2025-20333 · CVE-2025-20362: Cisco ASA Zero-Day Vulnerabilities
One of the two, CVE-2025-20333, allows an authenticated remote attacker (one holding valid VPN user credentials) to execute arbitrary code on devices running vulnerable Cisco ASA and Cisco Secure Firewall Threat Defense (FTD) software. The flaw stems from improper validation of user-supplied input in HTTP(S) requests handled by the VPN web server; a successful exploit gives the attacker full control of the system as root. The other vulnerability, CVE-2025-20362, is an authentication bypass that lets an unauthenticated remote attacker reach restricted URL endpoints on the same VPN web server. Chained together, the bypass removes the credential requirement of the code-execution flaw, so an attacker with no account at all can take over the firewall, with catastrophic consequences for the network behind it.
The Cisco Product Security Incident Response Team (PSIRT) has confirmed active exploitation of both vulnerabilities and stated that it is coordinating its response with government agencies. Large-scale scanning for ASA login portals and other VPN entry points has been reported, so any exposed device should be assumed to be under active probing, which makes immediate patching imperative.
The severity of the Cisco ASA zero-day vulnerabilities is underscored by CISA's response. The U.S. CISA has issued an Emergency Directive instructing federal agencies to immediately mitigate exposure to these vulnerabilities and to assess whether their devices have already been compromised. Accordingly, organizations should inventory their Cisco ASA and Firepower devices, check them for signs of compromise (a device that sat exposed while unpatched cannot be assumed clean just because it is patched afterwards), and apply Cisco's fixed software without delay.
Criminal IP-Based Threat Hunting: Results for Exposed Cisco Secure Firewall Threat Defense (FTD) Assets
Using the “/+CSCOE+/logon.html” query in Criminal IP, the threat intelligence search engine, exposed Cisco Secure Firewall Threat Defense assets on the public internet can be analyzed.
Criminal IP Search Query: “/+CSCOE+/logon.html”

A search in Criminal IP using the “/+CSCOE+/logon.html” query identified 91,139 exposed Cisco Secure Firewall Threat Defense (FTD) assets. This means more than 90,000 devices worldwide are exposed to the public internet and, if unpatched, could be direct targets of ongoing attacks exploiting the Cisco ASA zero-day vulnerabilities.
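The search query above works because the ASA/FTD clientless SSL VPN portal is served at a fixed path. The following is an added example for this post, not Criminal IP's or Cisco's code: it classifies an HTTP response to `GET /+CSCOE+/logon.html` as an exposed WebVPN portal or not, and includes a live `probe()` helper for checking your own hosts. The detection heuristics (page resources under `/+CSCOE+/` or `/+webvpn+/`, redirects to that path, cookies whose names start with `webvpn`) are assumptions about how the portal presents itself, and the sample responses are constructed, not captured from a real device.

```python
"""Check whether a host serves the Cisco ASA/FTD WebVPN login portal.

Added example for this post, not Criminal IP's or Cisco's code. The
detection heuristics are assumptions about how the ASA clientless SSL VPN
portal presents itself: it answers GET /+CSCOE+/logon.html with a page whose
resources live under /+CSCOE+/ or /+webvpn+/, redirects other paths to that
page, and sets cookies whose names start with 'webvpn'.
"""
import http.client
import ssl
from dataclasses import dataclass, field

PORTAL_PATH = "/+CSCOE+/logon.html"
PORTAL_MARKERS = ("/+CSCOE+/", "/+webvpn+/")


@dataclass
class Verdict:
    host: str
    exposed: bool
    evidence: list = field(default_factory=list)


def classify_response(status, headers, body):
    """Classify one HTTP response to GET /+CSCOE+/logon.html.

    headers is a list of (name, value) pairs, as returned by
    http.client.HTTPResponse.getheaders(). Returns (exposed, evidence).
    A 200 without any portal marker is treated as NOT exposed so that
    catch-all web servers that answer 200 for every path are not miscounted.
    """
    evidence = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and any(m in value for m in PORTAL_MARKERS):
            evidence.append(f"redirect to {value}")
        elif lname == "set-cookie" and value.lower().startswith("webvpn"):
            evidence.append(f"cookie {value.split('=', 1)[0]}")
    if status == 200 and any(m in body for m in PORTAL_MARKERS):
        evidence.append("logon page references WebVPN resources")
    return bool(evidence), evidence


def probe(host, port=443, timeout=5.0):
    """Live check: fetch the portal path over TLS and classify the reply.

    Certificate verification is disabled on purpose: ASA portals commonly
    present self-signed certificates, and we are fingerprinting the
    endpoint, not trusting it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", PORTAL_PATH,
                     headers={"Host": host, "User-Agent": "asa-exposure-check"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", errors="replace")
        exposed, evidence = classify_response(resp.status, resp.getheaders(), body)
    except (OSError, http.client.HTTPException) as exc:
        return Verdict(host, False, [f"no response: {exc}"])
    finally:
        conn.close()
    return Verdict(host, exposed, evidence)


# Constructed sample responses (not captured from any real device).
SAMPLES = {
    "asa-portal": (200,
                   [("Content-Type", "text/html"),
                    ("Set-Cookie", "webvpnlogin=1; path=/; secure")],
                   '<html><script src="/+CSCOE+/win.js"></script>'
                   '<form action="/+webvpn+/index.html" method="post"></form></html>'),
    "asa-redirect": (302, [("Location", "https://vpn.example.test/+CSCOE+/logon.html")], ""),
    "catch-all-web": (200, [("Content-Type", "text/html")], "<html>Welcome</html>"),
    "not-found": (404, [("Content-Type", "text/html")], "<html>Not Found</html>"),
}


def classify_samples():
    """Run the classifier over the constructed samples; returns {name: exposed}."""
    return {name: classify_response(*resp)[0] for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, exposed in classify_samples().items():
        print(f"{name:15s} exposed={exposed}")
```

A hit from `probe()` means the VPN web server is reachable from where you ran it; it does not tell you the software version, so every hit still has to be checked against Cisco's fixed-software list. Only run the live probe against hosts you are authorized to test.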
By using Criminal IP’s Element Analysis, you can view detailed country-level statistics of exposed Cisco Secure Firewall Threat Defense (FTD) assets.

Exposed assets were identified in over 80 countries, with the United States leading at 30,570. Germany followed with 5,888, and the United Kingdom with 5,054.
Detailed Analysis of Cisco Secure Firewall Threat Defense (FTD) Assets Exposed to the Zero-Day Vulnerabilities
For any of the exposed assets returned by the Criminal IP search, the report page for that IP address provides detailed information such as open ports and matched vulnerabilities.

This image is one of the search results for assets that may be affected by the Cisco zero-day vulnerabilities. Ports 22, 443, and 8443 were found open, and three vulnerability matches were identified. The tags at the top of the IP scoring section of the report also clearly mark the host as an SSL VPN device, and the SSL VPN web server is exactly the component that CVE-2025-20333 and CVE-2025-20362 affect.
This indicates that remote-access VPN functionality is enabled and exposed to the internet, giving an attacker a direct path to chain the authentication bypass (CVE-2025-20362) with the code-execution flaw (CVE-2025-20333) and take control of the system. Note that a scan result like this shows exposure, not the installed software version; whether the device is actually vulnerable has to be confirmed against Cisco's fixed-software list.
Assets exposed in this way can be targeted by attackers in real time. In response, it is important to actively leverage a threat hunting search engine and take preemptive action based on the following guidelines.
CVE-2025-20333 · CVE-2025-20362 Exploitation Prevention and Response Guide
These Cisco zero-day flaws are being exploited in the wild, and CVE-2025-20333 is rated critical, so the following security response steps should be carried out immediately.
- Emergency Application of Official Security Patches: Update and apply patches using the Fixed Software released by Cisco immediately
- Identify and Control Vulnerable Components: Disable VPN web server-related features, such as AnyConnect IKEv2 Remote Access (client services), SSL VPN, and Mobile User Security, where they are not needed. This shrinks the attack surface but is not a substitute for the fixed software; Cisco's advisory lists no workaround for these flaws
- Activate Threat Detection Capabilities: Utilize proactive detection tools, such as Criminal IP ASM (Attack Surface Management), and maintain continuous monitoring
- Detect External Exposure: Continuously detect the external exposure of core firewall systems using the Criminal IP Threat Intelligence solution
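Step two of the guidelines is easiest to act on from the running configuration. The following is an added example for this post, not Cisco's or Criminal IP's tooling: it scans `show running-config` output for the three VPN web server features named above and reports which are enabled. The feature-to-configuration mapping (the `crypto ikev2 enable ... client-services` line, and `enable <interface>` / `mus server enable` under the global `webvpn` block) is assumed to follow the vulnerable-configuration table Cisco publishes with its ASA/FTD WebVPN advisories; the sample configuration is constructed.

```python
"""Audit an ASA running-config for the VPN web server features tied to
CVE-2025-20333 / CVE-2025-20362.

Added example for this post, not Cisco's or Criminal IP's tooling. The
mapping from feature to configuration lines is assumed to follow the
vulnerable-configuration table Cisco publishes with its ASA/FTD WebVPN
advisories:

  AnyConnect IKEv2 Remote Access (with client services)
      crypto ikev2 enable <interface> client-services port <port>
  Mobile User Security (MUS)
      webvpn
       mus server enable port <port>
  SSL VPN
      webvpn
       enable <interface>
"""
import re

IKEV2_CLIENT_SERVICES = re.compile(
    r"^crypto ikev2 enable (?P<iface>\S+) client-services port (?P<port>\d+)$")


def audit_config(config: str) -> dict:
    """Return the VPN web server features enabled in a running-config.

    ASA sub-commands are indented by one space under their parent command.
    Only the global (unindented) 'webvpn' block counts; the 'webvpn'
    sub-block of a group-policy carries no interface enable lines.
    """
    findings = {"ssl_vpn": [], "ikev2_client_services": [], "mus": []}
    in_global_webvpn = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                # top-level command
            in_global_webvpn = (line == "webvpn")
            m = IKEV2_CLIENT_SERVICES.match(line)
            if m:
                findings["ikev2_client_services"].append(f"{m['iface']}:{m['port']}")
            continue
        if in_global_webvpn:                        # inside the global webvpn block
            sub = line.strip()
            if sub.startswith("enable "):
                findings["ssl_vpn"].append(sub.split(None, 1)[1])
            elif sub.startswith("mus server enable"):
                findings["mus"].append(sub)
    return findings


def exposed_features(findings: dict) -> list:
    """Human-readable names of the enabled features, in audit order."""
    names = {"ssl_vpn": "SSL VPN",
             "ikev2_client_services": "AnyConnect IKEv2 Remote Access (client services)",
             "mus": "Mobile User Security"}
    return [names[k] for k, v in findings.items() if v]


# Constructed sample config (not from any real device).
SAMPLE_CONFIG = """\
hostname asa-edge
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
crypto ikev2 enable outside client-services port 443
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.pkg 1
 anyconnect enable
!
group-policy RA_GP attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect keep-installer installed
!
"""


if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG)
    for feature in exposed_features(findings):
        print("enabled:", feature)
    print("details:", findings)
```

Run it against a saved `show running-config` (for example `python3 asa_audit.py < running-config.txt`, after swapping `SAMPLE_CONFIG` for `sys.stdin.read()`). A device that reports any of the three features and is not yet on fixed software should be treated as exposed, and since it may have been reachable during the active campaign, it should also be checked for compromise rather than simply upgraded.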
FAQ
Q1 What is the risk associated with these Cisco zero-day vulnerabilities?
The vulnerabilities disclosed are two-fold: CVE-2025-20333 (remote code execution, requiring VPN user credentials) and CVE-2025-20362 (authentication bypass, requiring none). Used together, they let an attacker without valid credentials execute arbitrary code on a vulnerable firewall and gain complete control of the system (root access). This is a critical issue that can lead to a collapse of the network perimeter, resulting in internal network infiltration and data exfiltration.
Q2 How should we respond to these vulnerabilities?
The most critical action is to immediately update with the Fixed Software released by Cisco. We also recommend proactively utilizing threat hunting tools like Criminal IP to regularly monitor externally exposed assets and disable any unnecessary VPN-related features.
Q3 How can Criminal IP be used to identify exposed assets?
You can use the threat intelligence search engine, Criminal IP, to search for web assets that include the Cisco Secure Firewall Threat Defense login portal using the query: “/+CSCOE+/logon.html”. This allows you to quickly identify the number of systems exposed externally that could be potential targets for attack, enabling you to take proactive measures.
Conclusion
The Cisco Adaptive Security Appliances (ASA) / Cisco Secure Firewall Threat Defense (FTD) zero-day vulnerabilities directly threaten core enterprise infrastructure. Given the real-world exploitation and reported incidents, it is critical to respond with immediate patching and proactive defense. All organizations operating Cisco firewall-based systems must complete patching immediately and proactively utilize TI/ASM solutions like Criminal IP to identify and defend against threats ahead of attackers.
For a related case of an authentication bypass measured at internet scale, see Next.js Middleware Vulnerability Allows Authentication Bypass: Over 520K Assets at Risk.
Source: Criminal IP (https://www.criminalip.io/), BleepingComputer (Cisco warns of ASA firewall zero-days exploited in attacks.), Cisco (Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability)
Related article: https://www.criminalip.io/knowledge-hub/blog/28102
