CVE-2025-20333
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-25

Last updated on: 2025-10-28

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-25
Last Modified
2025-10-28
Generated
2026-06-16
AI Q&A
2025-09-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-20333
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
cisco adaptive_security_appliance_software From 9.12 (inc) to 9.12.4.72 (exc)
cisco adaptive_security_appliance_software From 9.14 (inc) to 9.14.4.28 (exc)
cisco adaptive_security_appliance_software From 9.16 (inc) to 9.16.4.85 (exc)
cisco adaptive_security_appliance_software From 9.17.0 (inc) to 9.17.1.45 (exc)
cisco adaptive_security_appliance_software From 9.18 (inc) to 9.18.4.47 (exc)
cisco adaptive_security_appliance_software From 9.19 (inc) to 9.19.1.37 (exc)
cisco adaptive_security_appliance_software From 9.20 (inc) to 9.20.3.7 (exc)
cisco adaptive_security_appliance_software From 9.22 (inc) to 9.22.1.3 (exc)
cisco firepower_threat_defense From 7.0.0 (inc) to 7.0.8.1 (exc)
cisco firepower_threat_defense From 7.1.0 (inc) to 7.2.9 (exc)
cisco firepower_threat_defense From 7.3.0 (inc) to 7.4.2.4 (exc)
cisco firepower_threat_defense 7.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the VPN web server of Cisco Secure Firewall ASA and FTD software. It occurs because the software improperly validates user-supplied input in HTTP(S) requests. An attacker who has valid VPN user credentials can send specially crafted HTTP requests to the device, which could allow them to execute arbitrary code with root privileges, potentially leading to full compromise of the device.

Impact Analysis

If exploited, this vulnerability could allow an attacker to execute arbitrary code as root on the affected device, leading to complete compromise. This means the attacker could take full control of the device, potentially disrupting network security, stealing sensitive information, or using the device to launch further attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-20333. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart