
Advisory 2025-1984 - Cisco ASA, FTD, IOS, IOS XE, IOS XR: Multiple Vulnerabilities

Attention: Information from the Vulnerability Advisory Service is now also available in the CTI portal!
The CTI portal is available at the following address: https://cti-portal.telekom.net/advisories/2025-1984
Notice: As an exception, this advisory is shown in full publicly. As a customer you regularly receive vulnerability details via your login or through our daily advisory e-mail.
Attack probability: 5 (high)
Potential damage: 5 (high)
Attacker: remote anonymous attacker, remote authenticated attacker
Exploit available: yes
Date: 2025-09-26
Release: 2025-09-26

Operating System

  • CISCO Appliance

Software

  • Cisco ASA (Adaptive Security Appliance)
  • Cisco ASA (Adaptive Security Appliance) < 9.12.4.72
  • Cisco ASA (Adaptive Security Appliance) < 9.14.4.28
  • Cisco ASA (Adaptive Security Appliance) < 9.16.4.85
  • Cisco ASA (Adaptive Security Appliance) < 9.18.4.67
  • Cisco ASA (Adaptive Security Appliance) < 9.20.4.10
  • Cisco ASA (Adaptive Security Appliance) < 9.22.2.14
  • Cisco ASA (Adaptive Security Appliance) < 9.23.1.19
  • Cisco IOS
  • Cisco IOS XE
  • Cisco IOS XR
  • Cisco Secure Firewall Threat Defense
  • Cisco Secure Firewall Threat Defense < 7.0.8.1
  • Cisco Secure Firewall Threat Defense < 7.2.10.2
  • Cisco Secure Firewall Threat Defense < 7.4.2.4
  • Cisco Secure Firewall Threat Defense < 7.6.2.1
  • Cisco Secure Firewall Threat Defense < 7.7.10.1

Attack

A remote authenticated or anonymous attacker can exploit multiple vulnerabilities in Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE and Cisco IOS XR in order to bypass authentication and execute arbitrary code with administrative rights.

Description

The Cisco ASA provides application security functions, e.g. firewall and VPN. Cisco Secure Firewall Threat Defense is a security solution integrating firewall, intrusion prevention, and advanced malware protection capabilities into a single appliance. Cisco Internetwork Operating System (IOS) is a proprietary operating system by Cisco.

CVE-2025-20333

There is a vulnerability in Cisco ASA (Adaptive Security Appliance) and Cisco Secure Firewall Threat Defense. This vulnerability affects the VPN web server component due to improper validation of user-supplied input in HTTP(S) requests. A remote authenticated attacker with valid VPN credentials can exploit this vulnerability by sending crafted HTTP requests to the affected device to execute arbitrary code as root. This vulnerability affects Cisco Secure Firewall ASA Software if AnyConnect IKEv2 Remote Access with client services, Mobile User Security (MUS), or SSL VPN is enabled, and Cisco Secure Firewall FTD Software if AnyConnect IKEv2 Remote Access with client services or AnyConnect SSL VPN is enabled, as these features cause the SSL listen sockets to be active.

CVSSv2 Base Score: 7.1 / Temporal Score: 6.2
AV:N/AC:H/AU:S/C:C/I:C/A:C/E:H/RL:OF/RC:ND
CVSSv3.1 Base Score: 9.9 / Temporal Score: 9.5
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:X

CVE-2025-20362

There is a vulnerability in Cisco ASA (Adaptive Security Appliance) and Cisco Secure Firewall Threat Defense. This flaw exists due to improper validation of user-supplied input in HTTP(S) requests in the VPN web server. A remote anonymous attacker can exploit this vulnerability by sending crafted HTTP requests to bypass authentication. This vulnerability affects Cisco Secure Firewall ASA Software if AnyConnect IKEv2 Remote Access with client services, Mobile User Security (MUS), or SSL VPN is enabled, and Cisco Secure Firewall FTD Software if AnyConnect IKEv2 Remote Access with client services or AnyConnect SSL VPN is enabled, as these features activate the SSL listen sockets. This vulnerability can be chained with CVE-2025-20333, which enables arbitrary code execution as root.

CVSSv2 Base Score: 4.0 / Temporal Score: 3.5
AV:N/AC:H/AU:N/C:P/I:P/A:N/E:H/RL:OF/RC:ND
CVSSv3.1 Base Score: 6.5 / Temporal Score: 6.2
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:H/RL:O/RC:X

CVE-2025-20363

There is a vulnerability in Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE and Cisco IOS XR. This flaw exists due to improper validation of user-supplied input in HTTP requests. A remote anonymous attacker can exploit this vulnerability on ASA and FTD, while a remote authenticated attacker with low privileges can exploit it on IOS, IOS XE, and IOS XR Software, to execute arbitrary code as root, potentially leading to the complete compromise of the affected device. The affected configurations require SSL VPN or Mobile User Security to be enabled on ASA, AnyConnect SSL VPN to be enabled on FTD, and Remote Access SSL VPN to be enabled on IOS, IOS XE, and IOS XR Software.

CVSSv2 Base Score: 7.6 / Temporal Score: 5.6
AV:N/AC:H/AU:N/C:C/I:C/A:C/E:U/RL:OF/RC:ND
CVSSv3.1 Base Score: 9.0 / Temporal Score: 7.8
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:X

The risk rating of this advisory is based on the maximum values across all vulnerabilities, so the overall rating is higher than the rating of the individual vulnerabilities.

According to Cisco, the vulnerabilities CVE-2025-20333 and CVE-2025-20362 can be chained together and are already being exploited in the wild.
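The following script is an added example, not part of this advisory or of Cisco's tooling: it compares an installed ASA or FTD software version against the fixed versions listed in the Software section above, so that an operator can quickly triage an inventory. It assumes that a version is affected when it is below the fixed version of its own release train (first two components) and reports trains the advisory does not list as "unknown" rather than guessing; the sample "show version" line is constructed.

```python
# Added example (not from the advisory): triage Cisco ASA/FTD versions against
# the fixed versions listed in Advisory 2025-1984.
import re
from typing import Optional

# Fixed versions per release train, copied from the advisory's Software list.
FIXED_VERSIONS = {
    "ASA": ["9.12.4.72", "9.14.4.28", "9.16.4.85", "9.18.4.67",
            "9.20.4.10", "9.22.2.14", "9.23.1.19"],
    "FTD": ["7.0.8.1", "7.2.10.2", "7.4.2.4", "7.6.2.1", "7.7.10.1"],
}


def parse_version(text: str) -> tuple:
    """Parse '9.16.4.85' or the 'show version' form '9.16(4)85' into a tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def fixed_for_train(product: str, version: tuple) -> Optional[tuple]:
    """Return the fixed version of the matching train, or None if the train is not listed."""
    for fixed in FIXED_VERSIONS[product]:
        fixed_t = parse_version(fixed)
        if fixed_t[:2] == version[:2]:
            return fixed_t
    return None


def assess(product: str, version_text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' (train not covered by the advisory list)."""
    version = parse_version(version_text)
    fixed = fixed_for_train(product, version)
    if fixed is None:
        return "unknown"  # assumption: do not guess for unlisted trains
    # Tuple comparison also treats a bare '9.16.4' as older than '9.16.4.85'.
    return "affected" if version < fixed else "fixed"


def assess_show_version(output: str) -> str:
    """Assess the ASA version reported on a 'show version' line."""
    m = re.search(r"Software Version\s+(\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return assess("ASA", m.group(1))


if __name__ == "__main__":
    # Constructed sample line in the format ASA prints
    sample = "Cisco Adaptive Security Appliance Software Version 9.16(4)70"
    print(assess_show_version(sample))  # affected
```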

References

CISCO-ADV-ID:CISCO-SA-ASAFTD-WEBVPN-YROOTUW
CISCO-ADV-ID:CISCO-SA-ASAFTD-WEBVPN-Z5XP8EUB
CISCO-ADV-ID:CISCO-SA-HTTP-CODE-EXEC-WMFP3H3O
CISCO-BUG:CSCWO18850
CISCO-BUG:CSCWO35704
CISCO-BUG:CSCWO35779
CISCO-BUG:CSCWO49562
CISCO-BUG:CSCWQ79815
CISCO-BUG:CSCWQ79831
CVE:CVE-2025-20333
CVE:CVE-2025-20362
CVE:CVE-2025-20363
EUVD:EUVD-2025-31138
EUVD:EUVD-2025-31139
EUVD:EUVD-2025-31140

Disclaimer

*The probability of an attack is determined by the attacker's motivation, the effort required and the opportunities for an attack. The potential damage is determined by the effort needed to resolve the attack and the probable indirect consequences of an attack for business processes. Telekom Security assumes worst-case scenarios.

Copyright © 1999-2025 Deutsche Telekom Security GmbH. All rights reserved. Reproduction and distribution of this publication in any form - even in parts - without prior written permission is forbidden.

The information contained herein has been obtained from sources believed to be reliable and trusted, or has been verified. Telekom Security accepts liability for completeness, accuracy and correctness only insofar as gross negligence or intent gives rise to liability. Any liability beyond that, in particular for possible damage resulting from the use or unusability of the information contained herein, is excluded.