CVE-2025-20333 — Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability

CVE-2025-20333

Cisco ASA/FTD VPN — Buffer Overflow RCE in VPN Web Server; UAT4356 (ArcaneDoor); Emergency Directive ED-25-03 (1-Day Deadline)

What is Cisco Secure Firewall ASA?

Cisco Secure Firewall Adaptive Security Appliance (ASA) is one of the world's most widely deployed enterprise firewall and VPN platforms. Cisco ASA and its next-generation successor Secure Firewall Threat Defense (FTD) provide perimeter firewall, SSL/IPsec VPN, and intrusion prevention for enterprise and government networks. The WebVPN feature provides clientless SSL VPN access, and AnyConnect IKEv2 provides full VPN connectivity for remote workers. Because ASA/FTD appliances sit at the network perimeter and serve as the primary VPN gateway, compromising one gives a nation-state actor a persistent foothold at the edge of a target's network — from which they can intercept VPN traffic, harvest credentials, and pivot inward.

Overview

CVE-2025-20333 is a CVSS 9.9 buffer overflow vulnerability (CWE-120) in the VPN Web Server component of Cisco ASA and FTD. On its own it requires valid VPN credentials (the vector is PR:L). When chained with CVE-2025-20362, a URL path-normalization flaw that lets a request reach restricted WebVPN endpoints without a session, the pair yields fully unauthenticated remote code execution on the firewall, which the attackers used to install persistent backdoors. The threat actor UAT4356 (Microsoft's Storm-1849), the same actor behind the 2024 "ArcaneDoor" campaign and widely assessed as China-aligned, exploited this chain as a zero-day beginning in May 2025, deploying two custom components: RayInitiator (a GRUB bootkit that provides persistence) and LINE VIPER (a user-mode shellcode loader staged by RayInitiator). CISA issued Emergency Directive ED-25-03 with a 1-day federal deadline, one of the most aggressive in CISA's history.

Affected Versions

Product | Vulnerable (when an affected VPN feature is configured; see below) | Fixed
Cisco ASA 9.12.x | All builds before the fix | 9.12.4.72 (final release of the train)
Cisco ASA 9.14.x | All builds before the fix | 9.14.4.28 (final release of the train)
Other ASA/FTD versions | Check with the Cisco Software Checker | Per Cisco advisory
ASA 5500-X series (5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X) | Specifically targeted: older hardware without Secure Boot / Trust Anchor, so the bootkit can persist | Upgrade, then follow ED-25-03 guidance (end-of-support hardware should be replaced)

Attack surface condition: a device is exposed only if at least one of these features is configured: SSL VPN (the `enable <interface>` command under `webvpn`), AnyConnect IKEv2 remote access with client services (`crypto ikev2 enable <interface> client-services`), or Mobile User Security (MUS). Devices without any of these have no reachable VPN web server and are not affected by this CVE.
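An added example, not Cisco's tooling or code from this page: an offline audit that reads saved `show version` and `show running-config` output, reports which of the three affected feature conditions are present, and compares the running build against the fixed releases named above for the 9.12 and 9.14 trains (other trains are deferred to the Cisco Software Checker). The sample outputs are constructed; matching a `mus` sub-command under `webvpn` as the MUS indicator is an assumption about that feature's configuration syntax.

```python
"""Audit an ASA for the CVE-2025-20333 attack surface and patch level.

Added example, not from Cisco or the original page. Feature conditions follow
the Cisco advisory: SSL VPN ('enable <iface>' under 'webvpn'), IKEv2 remote
access with client services, and Mobile User Security. Fixed builds are the
ones this page lists; anything else must be checked with the Software Checker.
"""
import re

# Fixed builds named on the page, keyed by (major, minor) train.
FIXED = {(9, 12): (9, 12, 4, 72), (9, 14): (9, 14, 4, 28)}


def parse_version(show_version_text):
    """Return the ASA version as a tuple, e.g. '9.12(4)65' -> (9, 12, 4, 65)."""
    m = re.search(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d+)", show_version_text)
    return tuple(int(x) for x in m.groups()) if m else None


def exposed_features(config_text):
    """List the affected-feature conditions present in a running-config.

    ASA indents sub-commands with a single space, so a top-level 'webvpn'
    line opens a block whose ' enable <iface>' (SSL VPN) and ' mus ...'
    (MUS; syntax assumed) sub-commands are the indicators. The IKEv2
    client-services command is a top-level line.
    """
    found = set()
    in_webvpn = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            in_webvpn = line == "webvpn"
            if re.match(r"crypto ikev2 enable \S+ client-services", line):
                found.add("IKEv2 remote access with client services")
            continue
        sub = line.strip()
        if in_webvpn and re.match(r"enable \S+", sub):
            found.add("SSL VPN (webvpn enable)")
        elif in_webvpn and sub.startswith("mus "):
            found.add("Mobile User Security (MUS)")
    return sorted(found)


def patched(version):
    """True/False against the page's fixed build for the train; None if the
    train is not 9.12 or 9.14 (or the version could not be parsed)."""
    if version is None:
        return None
    fix = FIXED.get(version[:2])
    return None if fix is None else version >= fix


def assess(show_version_text, config_text):
    """Combine feature exposure and patch level into one verdict."""
    feats = exposed_features(config_text)
    ver = parse_version(show_version_text)
    p = patched(ver)
    if not feats:
        verdict = "not exposed (no affected VPN feature configured)"
    elif p is True:
        verdict = "exposed feature present but build is fixed"
    elif p is False:
        verdict = "VULNERABLE: exposed feature present and build predates fix"
    else:
        verdict = "exposed feature present; verify build with Cisco Software Checker"
    return {"version": ver, "features": feats, "patched": p, "verdict": verdict}


# Constructed sample output for a 5500-X on 9.12 with SSL VPN and IKEv2 client services.
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.12(4)65\n"
SAMPLE_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 security-level 0
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```

Feed it real `show version` and `show running-config` captures taken over a management session; a device with no exposed feature needs no emergency action, while a device on another train with an exposed feature still needs its build verified against the Cisco Software Checker, since this script only knows the two fixed builds the page lists.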

Technical Details

CVE-2025-20333 (CWE-120): Buffer overflow in the ASA/FTD VPN Web Server. A crafted HTTPS request to the VPN web server interface overflows a stack buffer, enabling arbitrary code execution with root privileges.

CVE-2025-20362 (companion, required for full unauthenticated exploitation): URL path-normalization flaw that bypasses session verification for Clientless SSL VPN (WebVPN) endpoints. Attackers use CVE-2025-20362 to reach restricted execution pathways without authentication, then trigger CVE-2025-20333 — making the combined chain fully pre-auth despite CVE-2025-20333's PR:L CVSS rating.

Post-exploitation malware (UAT4356):

  • RayInitiator: a multi-stage GRUB bootkit that persists by modifying the bootloader so it can patch the ASA image at boot; it survives reboots and firmware upgrades on the 5500-X hardware that lacks Secure Boot and Trust Anchor verification
  • LINE VIPER: a user-mode shellcode loader staged by RayInitiator, with capabilities including CLI command execution, packet capture, AAA bypass, syslog suppression, harvesting of operator CLI commands, and anti-forensic forced reboots, used to defeat core dump collection

Discovery

The vulnerability was discovered through analysis of active exploitation. Discovery credits include the Australian Signals Directorate (ASD), Canadian Centre for Cyber Security (CCCS), UK NCSC, and U.S. CISA, who collaborated on the threat intelligence that led to the advisory.

Exploitation Context

UAT4356 (Storm-1849), the same actor that conducted ArcaneDoor in 2024 (exploiting CVE-2024-20353 and CVE-2024-20359), exploited CVE-2025-20333 together with CVE-2025-20362 as a zero-day beginning in approximately May 2025, about four months before the advisory. GreyNoise observed two major reconnaissance spikes in late August 2025, with more than 25,000 unique IP addresses probing for ASA devices. UAT4356 specifically targeted older Cisco ASA 5500-X hardware (5512-X through 5585-X) running ASA 9.12 or 9.14, appliances that lack the Secure Boot and Trust Anchor features which would otherwise block bootkit persistence. CISA issued Emergency Directive ED-25-03 on September 25, 2025 with a 1-day deadline requiring FCEB agencies to collect core dump files from in-scope ASA devices and submit them to CISA's Malware Next-Gen portal for analysis. A new attack variant that causes unpatched devices to reload unexpectedly emerged on November 5, 2025, indicating that exploitation is continuing.

Remediation

  1. Apply Cisco patches immediately: ASA 9.12.4.72, 9.14.4.28, or the appropriate fixed release for your version per the Cisco Software Checker. On a device that may already be compromised, collect the core dump required by ED-25-03 before upgrading, because the reload that accompanies an upgrade destroys the in-memory evidence.
  2. Follow CISA Emergency Directive ED-25-03: https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices — this includes collecting and submitting core dump files, and using CISA's Eviction Strategies Tool.
  3. Follow CISA's Supplemental Direction for core dump and hunt instructions: https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions
  4. Disable SSL VPN / WebVPN if not operationally required — this removes the attack surface entirely.
  5. Replace end-of-life ASA 5500-X hardware — the 5512-X through 5585-X series lack Secure Boot and cannot fully prevent bootkit persistence; replacement with Secure Firewall 1000/2100/3100/4200 series is recommended.
  6. Hunt for RayInitiator / LINE VIPER indicators: review bootloader integrity, check for unexpected modifications to core binaries, and monitor for unexplained device reloads and for unexplained gaps in syslog, since the implant both forces reboots and suppresses logging.
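An added example, not part of the page, ED-25-03 or any Cisco/CISA tool, of the last hunt step run over exported ASA syslog: it flags a `%ASA-6-199002` "Startup completed" message that is not preceded within a window by an operator-issued `reload` (`%ASA-5-111008`), and flags silence gaps longer than a threshold, the two log-side symptoms that the forced-reboot and logging-suppression behaviour described above would leave. The syslog IDs are Cisco's documented ones; the timestamp/host line layout and the log lines themselves are constructed for the example.

```python
"""Hunt exported ASA syslog for unexplained reloads and logging gaps.

Added example, not from the page or from CISA/Cisco. Two signals:
  (a) %ASA-6-199002 'Startup completed' with no %ASA-5-111008 operator
      'reload' command logged for that host inside reload_window; and
  (b) a gap between consecutive messages from one host longer than
      gap_threshold, consistent with syslog suppression.
Line layout assumed: '<Mon> <DD> <YYYY> <HH:MM:SS> <host> : %ASA-<sev>-<id>: <msg>'.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)


def parse_line(line):
    """Parse one syslog line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "host": m["host"],
        "id": m["id"],
        "msg": m["msg"],
    }


def hunt(lines, reload_window=timedelta(minutes=10), gap_threshold=timedelta(minutes=30)):
    """Return (host, timestamp, description) findings, ordered by time."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    last_reload_cmd = {}  # host -> time an operator issued 'reload'
    last_seen = {}        # host -> time of the previous message
    for e in events:
        h = e["host"]
        if h in last_seen and e["ts"] - last_seen[h] > gap_threshold:
            findings.append((h, e["ts"], f"syslog gap of {e['ts'] - last_seen[h]} before this message"))
        last_seen[h] = e["ts"]
        if e["id"] == "111008" and "'reload' command" in e["msg"]:
            last_reload_cmd[h] = e["ts"]
        elif e["id"] == "199002":
            t = last_reload_cmd.get(h)
            if t is None or e["ts"] - t > reload_window:
                findings.append((h, e["ts"], "startup without an operator reload command in window"))
    return findings


# Constructed sample: fw-a is reloaded by an admin (benign); fw-b goes silent
# for 80 minutes and then starts up with no reload command ever logged.
SAMPLE_LOG = [
    "Sep 24 2025 08:00:00 fw-a : %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Sep 24 2025 08:05:00 fw-a : %ASA-5-111008: User 'admin' executed the 'reload' command.",
    "Sep 24 2025 08:08:30 fw-a : %ASA-6-199002: Startup completed. Beginning operation.",
    "Sep 24 2025 08:10:00 fw-b : %ASA-6-302013: Built inbound TCP connection 2001 for outside:203.0.113.9/40000 (203.0.113.9/40000) to inside:10.0.0.6/443 (10.0.0.6/443)",
    "Sep 24 2025 09:30:00 fw-b : %ASA-6-199002: Startup completed. Beginning operation.",
]

if __name__ == "__main__":
    for host, ts, why in hunt(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {host}: {why}")
```

A planned reload also produces a silence gap followed by a startup, so a gap finding by itself is noise; the combination of a gap and a startup with no `reload` command from any operator is what should trigger the core dump and hunt procedure in the ED-25-03 supplemental direction. Tune `gap_threshold` to the device's normal logging rate, and remember that an implant which suppresses syslog can also suppress the `111008` line, so an absent reload command is evidence, not proof, of a forced reboot.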

Key Details

Property: Value
CVE ID: CVE-2025-20333
Vendor / Product: Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD)
NVD Published: 2025-09-25
NVD Last Modified: 2025-10-28
CVSS 3.1 Score: 9.9
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-120 (Buffer Copy without Checking Size of Input)
CISA KEV Added: 2025-09-25
CISA KEV Deadline: 2025-09-26
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-09-26. The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03. Agencies must follow the mitigation steps provided by CISA and vendor instructions. Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Timeline

Date | Event
2025-05-01 (approximate) | UAT4356/Storm-1849 begins zero-day exploitation of ASA/FTD devices (the follow-on ArcaneDoor campaign)
2025-08-28 | GreyNoise records the first major reconnaissance spike: more than 25,000 unique IPs scanning for ASA devices
2025-09-25 | Cisco advisory published; CVE published; CISA adds the CVE to the KEV catalog and issues Emergency Directive ED-25-03 with a 1-day federal deadline (Sep 26)
2025-09-26 | ED-25-03 deadline: FCEB agencies must submit ASA core dump files to CISA's Malware Next-Gen portal
2025-11-05 | New attack variant causing unexpected device reloads emerges; the UAT4356 campaign is continuing