What is Cisco ASA/FTD?
Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) are among the most widely deployed enterprise firewall and VPN platforms, sitting at the network perimeter of tens of thousands of organizations worldwide, including government agencies, financial institutions, healthcare providers, and critical infrastructure operators. The WebVPN / AnyConnect VPN component provides internet-facing SSL/TLS-based remote access — by design, it is exposed to the public internet. Cisco perimeter devices have been repeatedly targeted by China-nexus advanced persistent threat actors, most notably in the ArcaneDoor campaign (2024), and this incident continues that targeting pattern.
Overview
CVE-2025-20362 is a missing authorization vulnerability in the VPN web server component of Cisco ASA and FTD that allows an unauthenticated remote attacker to access restricted URL endpoints without providing credentials. The CVSS score of 6.5 understates the operational risk: this vulnerability is part of a three-CVE cluster (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) that was actively exploited as zero-days by the China-nexus threat actor UAT4356 (also tracked as Storm-1849), the same group behind the 2024 ArcaneDoor campaign.
CISA issued Emergency Directive ED-25-03 on the same day the advisory was published — one of the most urgent CISA directives of 2025 — with a one-day initial compliance deadline requiring federal agencies to immediately assess Cisco device compromise.
CVE-2025-20362 is most significant as a chain enabler: it provides unauthorized access to VPN web server endpoints that, when combined with CVE-2025-20333 (critical authenticated remote code execution), enables full unauthenticated device compromise.
Affected Versions
Cisco ASA Software and FTD Software across multiple version branches (9.12.x through 9.23.x for ASA; 7.0.x through 7.7.x for FTD). The WebVPN, AnyConnect SSL VPN, or AnyConnect IKEv2 Remote Access VPN feature must be configured for the VPN web server component to be exposed. Refer to the Cisco security advisory for the full fixed-release table.
Technical Details
CWE-862 (Missing Authorization). The VPN web server in ASA/FTD fails to verify that incoming HTTP(S) requests are entitled to access specific URL endpoints. Certain paths that should be restricted to authenticated administrators or established VPN sessions can be reached without any authentication by submitting a crafted request.
Standalone, the authorization bypass does not execute code — it grants read access to restricted content and exposes internal API endpoints. The full attack chain with CVE-2025-20333 works as follows:
- CVE-2025-20362 accesses a restricted VPN web server endpoint without authentication.
- CVE-2025-20333 (critical, CVSS 9.8) uses an authenticated code execution path — the authorization bypass from CVE-2025-20362 satisfies the authentication prerequisite, converting CVE-2025-20333 into an unauthenticated RCE.
A third vulnerability in the same advisory, CVE-2025-20363, enables denial of service. Cisco's November 5, 2025 update disclosed that chaining CVE-2025-20333 and CVE-2025-20362 also causes unpatched devices to unexpectedly reload, creating a DoS condition even without achieving full code execution.
Discovery
Discovered by Atinderpal Singh of Zscaler ThreatLabz and reported to Cisco. The campaign was attributed to UAT4356 / Storm-1849, a China-nexus state-sponsored threat actor previously responsible for ArcaneDoor (April 2024), which similarly targeted Cisco ASA zero-days. The same adversary demonstrates persistent focus on compromising Cisco perimeter infrastructure for long-term access and espionage.
Exploitation Context
Active zero-day exploitation was confirmed prior to the September 25, 2025 advisory publication. CISA issued Emergency Directive ED-25-03 the same day, requiring federal civilian executive branch (FCEB) agencies to:
- Immediately identify all internet-accessible Cisco ASA/FTD devices with WebVPN enabled.
- Collect and preserve core dumps from potentially compromised devices.
- Follow CISA's supplemental hunt instructions to search for indicators of compromise.
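The first directive step, building an inventory of ASA devices that expose WebVPN, is easier to do from exported running-configs than from scanning. The following Python helper is an added example written for this page; it is not Cisco's or CISA's tooling. It parses an ASA running-config excerpt, extracts the software version, records which interfaces have `webvpn` enabled together with their addresses, notes whether `anyconnect enable` is set, and flags whether the version falls inside the 9.12.x through 9.23.x range the summary above lists as affected. The sample config is constructed (RFC 5737 documentation addresses), the `Exposure` class and function names are this example's own, and "in an affected branch" only means the fixed-release table in the Cisco advisory must be consulted, since patched builds exist inside those branches. FTD `show version` output is formatted differently and is not handled here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Affected ASA branches as stated in the summary above (9.12.x through 9.23.x).
# Membership means "check the advisory's fixed-release table", not "confirmed vulnerable".
ASA_AFFECTED_MINOR = range(12, 24)

# Constructed sample: an ASA running-config excerpt, not taken from any real device.
SAMPLE_CONFIG = """\
ASA Version 9.18(4)
!
hostname edge-fw-01
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
!
"""


@dataclass
class Exposure:
    """Example result type (not a Cisco construct) summarizing VPN web server exposure."""
    version: Optional[str] = None
    in_affected_branch: bool = False
    webvpn_interfaces: Dict[str, Optional[str]] = field(default_factory=dict)  # nameif -> IP
    anyconnect_enabled: bool = False

    def exposes_webvpn(self) -> bool:
        return bool(self.webvpn_interfaces)


def parse_asa_config(text: str) -> Exposure:
    """Walk an ASA config line by line; top-level lines open blocks, indented lines belong to them."""
    ex = Exposure()
    nameif_to_ip: Dict[str, Optional[str]] = {}
    webvpn_nameifs: List[str] = []
    block: Optional[str] = None
    cur_nameif: Optional[str] = None
    cur_ip: Optional[str] = None

    def close_interface() -> None:
        nonlocal cur_nameif, cur_ip
        if cur_nameif:
            nameif_to_ip[cur_nameif] = cur_ip
        cur_nameif, cur_ip = None, None

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # A non-indented line (including "!") ends the current block.
            if block == "interface":
                close_interface()
            block = None
            m = re.match(r"ASA Version (\S+)", line)
            if m:
                ex.version = m.group(1)
            elif line.startswith("interface "):
                block = "interface"
            elif line == "webvpn":
                block = "webvpn"
            continue
        body = line.strip()
        if block == "interface":
            m = re.match(r"nameif (\S+)$", body)
            if m:
                cur_nameif = m.group(1)
            m = re.match(r"ip address (\S+) (\S+)$", body)
            if m:
                cur_ip = m.group(1)
        elif block == "webvpn":
            # "enable <nameif>" under webvpn is what exposes the VPN web server on that interface.
            m = re.match(r"enable (\S+)$", body)
            if m:
                webvpn_nameifs.append(m.group(1))
            elif body == "anyconnect enable":
                ex.anyconnect_enabled = True
    if block == "interface":
        close_interface()

    ex.webvpn_interfaces = {n: nameif_to_ip.get(n) for n in webvpn_nameifs}
    if ex.version:
        m = re.match(r"(\d+)\.(\d+)", ex.version)
        if m and int(m.group(1)) == 9 and int(m.group(2)) in ASA_AFFECTED_MINOR:
            ex.in_affected_branch = True
    return ex


if __name__ == "__main__":
    result = parse_asa_config(SAMPLE_CONFIG)
    print(f"version={result.version} affected_branch={result.in_affected_branch}")
    for nameif, ip in result.webvpn_interfaces.items():
        print(f"webvpn enabled on {nameif} ({ip}) anyconnect={result.anyconnect_enabled}")
```

Run it over each device's `show running-config` export; any device reporting both an affected branch and a WebVPN-enabled interface belongs on the list for core dump collection and the hunt steps in the directive.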
The one-day initial deadline (September 26) is one of the most aggressive CISA compliance timelines on record, reflecting the severity of the active exploitation campaign against government infrastructure. Threat actor UAT4356/Storm-1849 employs sophisticated persistence mechanisms that survive device reboots and firmware upgrades, consistent with nation-state-grade implants designed for long-term intelligence collection.
Remediation
- Apply Cisco's fixed ASA/FTD software releases immediately — consult the Cisco advisory for the specific fixed version for your branch.
- Follow CISA Emergency Directive ED-25-03 and supplemental directions for core dump collection and compromise hunting.
- Use the CISA Eviction Strategies Tool to generate a device-specific compromise assessment plan.
- If immediate patching is not possible, as a temporary mitigation restrict WebVPN / AnyConnect access to known-good source IP ranges — but patching is the only complete fix.
- Rotate credentials and VPN certificates if compromise cannot be ruled out; assume any credentials or session data accessible via the VPN web server may have been exfiltrated.
- Monitor Cisco's security portal for updates related to this campaign, as additional attack variants and indicators were published in November 2025.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-20362 |
| Vendor / Product | Cisco — Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense |
| NVD Published | 2025-09-25 |
| NVD Last Modified | 2025-11-06 |
| CVSS 3.1 Score | 6.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-862 (Missing Authorization) |
| CISA KEV Added | 2025-09-25 |
| CISA KEV Deadline | 2025-09-26 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-09-25 | Cisco publishes advisory for CVE-2025-20362 and CVE-2025-20333 as confirmed zero-days; CISA adds to KEV and issues Emergency Directive ED-25-03 |
| 2025-09-26 | One-day CISA Emergency Directive federal deadline for initial assessment |
| 2025-11-05 | Cisco discloses new attack variant: chaining CVE-2025-20333 and CVE-2025-20362 causes unpatched devices to reload (DoS chain) |
References
| Resource | Type |
|---|---|
| Cisco Security Advisory — cisco-sa-asaftd-webvpn-YROOTUW | Vendor Advisory |
| CISA Emergency Directive ED-25-03 — Identify and Mitigate Potential Compromise of Cisco Devices | US Government |
| CISA Supplemental Direction ED-25-03 — Core Dump and Hunt Instructions | US Government |
| NVD — CVE-2025-20362 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |