Overview
On September 25, 2025, Cisco published advisories for three notable vulnerabilities affecting many different Cisco products. Two of these vulnerabilities, CVE-2025-20333 and CVE-2025-20362, are known to be exploited in the wild, and CVE-2025-20363 is at high risk for exploitation in the wild. Patches are available for all three vulnerabilities, and Cisco does not recommend any workarounds, so customers are advised to urgently update any vulnerable systems to the latest available software versions.
CVE-2025-20333
CVE-2025-20333 is a buffer overflow (CWE-120) web service vulnerability that affects Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD). When CVE-2025-20333 is exploited, the result is root-level remote code execution (RCE) on the affected system. Cisco stated that attempted exploitation in the wild has been observed, and CVE-2025-20333 was added to CISA’s KEV catalog the same day the advisory was published.
The Cisco advisory for CVE-2025-20333 states that the vulnerability is authenticated, requiring valid VPN user credentials. However, CISA’s KEV entry for CVE-2025-20333 explicitly states that it can be chained with the missing authorization vulnerability CVE-2025-20362, which is unauthenticated. As such, it would be reasonable to assume that it’s possible to exploit CVE-2025-20333 without credentials by chaining it with CVE-2025-20362.
CVE-2025-20362
CVE-2025-20362 is a missing authorization (CWE-862) web service vulnerability that affects Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD). When CVE-2025-20362 is exploited, an unauthenticated attacker can access restricted URL endpoints that would otherwise require authentication. As mentioned above, CVE-2025-20362 exploitation attempts in the wild were confirmed by Cisco, and the vulnerability was added to CISA KEV; the CISA KEV entry explicitly states that CVE-2025-20362 can be chained with CVE-2025-20333.
CVE-2025-20363
CVE-2025-20363 is a heap-based buffer overflow (CWE-122) web service vulnerability that affects Cisco Secure Firewall Adaptive Security Appliance (ASA), Secure Firewall Threat Defense (FTD), IOS, IOS XE, and IOS XR. When Cisco ASA or FTD are exploited, credentials are not required; when Cisco IOS, IOS XE, or IOS XR are exploited, low-privilege credentials are required. In all scenarios, the result is root-level RCE on the affected system.
Analysis
On October 6, 2025, Rapid7 Labs published a root cause analysis for the exploit chain comprising the authentication bypass, CVE-2025-20362, and the buffer overflow, CVE-2025-20333.
Key findings show that CVE-2025-20362 is a trivial-to-exploit path traversal vulnerability caused by a path normalization issue. This new path traversal vulnerability is a patch bypass of an older vulnerability, CVE-2018-0296.
CVE-2025-20333 was found to be a heap-based buffer overflow vulnerability in a Lua endpoint that is non-trivial to exploit.
You can read our full technical analysis on AttackerKB.
Mitigation guidance
A vendor-supplied update is available to remediate CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363. Customers with affected Cisco systems are advised to update to the latest version on an urgent basis.
Affected configurations
Cisco has shared the following information to determine whether an unpatched system is potentially vulnerable to CVE-2025-20363:
- Cisco Secure Firewall ASA, if one of the following conditions is true:
  - Mobile User Security (MUS) is enabled
  - SSL VPN is enabled
- Cisco Secure Firewall FTD, if the following condition is true:
  - AnyConnect SSL VPN is enabled
- Cisco IOS, if the following condition is true:
  - The command show running-config | section webvpn returns output that includes the command inservice on a separate line, indicating that Remote Access SSL VPN is configured
- Cisco IOS XE, if the following condition is true:
  - The command show running-config | section crypto ssl policy returns any policy that does not contain the command shutdown on a separate line, indicating that Remote Access SSL VPN is configured
- Cisco IOS XR, if all of the following conditions are true:
  - The device is a Cisco ASR 9001 Router
  - The command run uname -s returns output that contains the string “QNX”
  - The command show running-config | include http server returns any output
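The IOS, IOS XE and IOS XR conditions above are checks on command output, so they can be evaluated offline against saved show output. The following is an added example (not Cisco's or Rapid7's code) that applies those three conditions to constructed sample output; the policy names, addresses and the platform string passed to the IOS XR check are assumptions, and the "separate line" wording is interpreted as a line whose only content is the command.

```python
from __future__ import annotations
import re

# Constructed sample: "show running-config | section crypto ssl policy" on a
# hypothetical IOS XE device with one active policy and one that is shut down.
IOS_XE_SAMPLE = """\
crypto ssl policy POLICY-A
 pki trustpoint TP-SELF-SIGNED sign
 ip address local 192.0.2.1 port 443
crypto ssl policy POLICY-B
 shutdown
"""

# Constructed sample: "show running-config | section webvpn" on a hypothetical IOS device.
IOS_SAMPLE = """\
webvpn gateway GW1
 ip address 192.0.2.2 port 443
 inservice
webvpn context CTX1
 inservice
"""

def ios_webvpn_inservice(section_output: str) -> bool:
    """IOS condition: the section contains 'inservice' on its own line."""
    return any(line.strip() == "inservice" for line in section_output.splitlines())

def ios_xe_active_ssl_policies(section_output: str) -> list[str]:
    """IOS XE condition: names of crypto ssl policies with no 'shutdown' line.
    A non-empty result means Remote Access SSL VPN is configured."""
    policies: dict[str, list[str]] = {}
    current = None
    for line in section_output.splitlines():
        m = re.match(r"^crypto ssl policy (\S+)", line)
        if m:
            current = m.group(1)          # start of a new policy block
            policies[current] = []
        elif current is not None:
            policies[current].append(line.strip())
    return [name for name, body in policies.items() if "shutdown" not in body]

def ios_xr_asr9001_exposed(platform: str, uname_output: str, http_server_output: str) -> bool:
    """IOS XR condition: all three must hold. 'platform' is assumed to be the
    model string taken from the device (e.g. from show version output)."""
    return ("ASR 9001" in platform
            and "QNX" in uname_output
            and http_server_output.strip() != "")

if __name__ == "__main__":
    print("IOS webvpn inservice:", ios_webvpn_inservice(IOS_SAMPLE))
    print("IOS XE active policies:", ios_xe_active_ssl_policies(IOS_XE_SAMPLE))
```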
Cisco has shared the following information to determine whether an unpatched system is potentially vulnerable to CVE-2025-20333 and CVE-2025-20362:
- Cisco Secure Firewall ASA, if one of the following conditions is true:
  - AnyConnect IKEv2 Remote Access (with client services) is enabled
  - Mobile User Security (MUS) is enabled
  - SSL VPN is enabled
- Cisco Secure Firewall FTD, if one of the following conditions is true:
  - AnyConnect IKEv2 Remote Access (with client services) is enabled
  - AnyConnect SSL VPN is enabled
Affected versions
The CVE entry for CVE-2025-20363 lists over 2,500 versions as affected, so defenders are advised to refer to the interactive Cisco Software Checker tool and the CVE details to establish whether a given version is affected.
The CVE entry for CVE-2025-20333 lists the following branches as having affected versions:
- Cisco ASA: 9.8.x, 9.12.x, 9.14.x, 9.16.x, 9.17.x, 9.18.x, 9.19.x, 9.20.x, 9.22.x
- Cisco FTD: 6.2.x, 6.4.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.6.x
The CVE entry for CVE-2025-20362 lists the following branches as having affected versions:
- Cisco ASA: 9.8.x, 9.12.x, 9.14.x, 9.16.x, 9.17.x, 9.18.x, 9.19.x, 9.20.x, 9.22.x, 9.23.x
- Cisco FTD: 6.2.x, 6.4.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.6.x, 7.7.x
For the latest information and mitigation guidance, please refer to the vendor security advisories.
Rapid7 customers
InsightVM and Nexpose
InsightVM and Nexpose customers can assess exposure to CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 on all affected Cisco devices using vulnerability checks available in the September 25 content release.
Updates
- September 26, 2025: The Rapid7 customers section was updated to confirm that VM checks were shipped on September 25, 2025.
- October 7, 2025: Added the Analysis section referencing the findings from Rapid7's AttackerKB analysis.