Cisco Warns of Active Exploitation of ASA and FTD 0-Day Vulnerability | eSecurity Planet

Cisco Warns of Active Exploitation of ASA and FTD 0-Day Vulnerability

Cisco warns that hackers are actively exploiting a 0-day flaw in its firewall software, putting unpatched systems at risk of full compromise.

Written By
Ken Underhill
Ken Underhill
Nov 7, 2025
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Cisco has issued a warning to customers after confirming that threat actors are actively exploiting a critical remote code execution (RCE) vulnerability in its Secure Firewall Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. 

The flaw allows authenticated attackers to execute arbitrary code with root privileges, potentially resulting in full system compromise.  

The Vulnerability Explained

The vulnerability (CVE-2025-20333), first disclosed in September 2025, arises from insufficient validation of user-supplied input in the VPN web server’s handling of HTTP(S) requests. 

Attackers with valid VPN credentials can craft malicious requests that exploit a buffer overflow in the webvpn component, triggering remote code execution or device reboots.

In practice, this means adversaries could exfiltrate sensitive data, deploy malware, or pivot laterally into enterprise networks protected by these firewalls.

Cisco’s advisory highlights that systems running AnyConnect IKEv2 with client services, Mobile User Security (MUS), or SSL VPN configurations are especially at risk.

Affected versions span multiple software lines, including ASA 9.8.x through 9.20.1 and FTD 6.2.2 through 7.4.1.1. 

Only systems with SSL listening sockets enabled for VPN access are vulnerable. Cisco’s Secure Firewall Management Center (FMC) software is not affected.

Active Attacks Underway

Cisco’s team confirmed that exploit attempts are already active in the wild. A new attack variant observed in early November 2025 causes targeted devices to reload unexpectedly, effectively creating a denial-of-service (DoS) condition.

The company has urged customers to immediately upgrade to fixed releases, such as ASA 9.18.4.19 and FTD 7.4.2, emphasizing that no workarounds exist. 

Cisco recommends that administrators perform a configuration audit using the command show running-config to confirm exposure and to verify that no unauthorized changes have been made to VPN configurations.

Edge Devices Under Siege

The exploitation of CVE-2025-20333 is part of a broader trend of threat actors targeting network edge devices. 

Firewalls, VPN gateways, and routers have become lucrative entry points for attackers seeking persistent access.

As these appliances often sit at the perimeter of sensitive networks, successful exploitation can give adversaries the ability to intercept traffic, harvest credentials, and deploy backdoors undetected. 

Advertisement

Beyond the Patch

While patching remains the top priority, organizations can take several complementary mitigation steps to strengthen resilience against ongoing exploitation campaigns:

  • Enforce credential hygiene: Reset VPN credentials, rotate passwords, and enable MFA for all remote access.
  • Limit VPN exposure: Restrict endpoints to trusted IPs and disable public access until patched.
  • Segment networks: Isolate management, authentication, and production systems to contain breaches.
  • Harden admin access: Disable public web management and limit SSH or console access to approved hosts.
  • Monitor for compromise: Track unusual VPN activity, config changes, and unexpected reboots.
  • Validate system integrity: Use integrity monitoring to detect tampering or unauthorized firmware changes.

These steps help reduce the attack surface and improve early detection capabilities, even if a system is temporarily exposed before patching.

The discovery and rapid exploitation of this vulnerability highlight the evolving speed and precision of modern cyber threats. 

Zero-day exploits against trusted security infrastructure illustrate that even defensive technologies can become attack vectors when not continuously maintained.

A strong patch management program, combined with layered defenses and continuous monitoring, is critical to mitigating similar threats.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.