On September 25, 2025, Cisco published security advisory cisco-sa-asaftd-webvpn-rce-AQHvmnhM disclosing CVE-2025-20333, a heap-based buffer overflow in the VPN web server of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software. CISA added the CVE to its Known Exploited Vulnerabilities catalog the same day and issued Emergency Directive 25-03 requiring Federal Civilian Executive Branch agencies to patch by 12:00 PM EDT on September 26, 2025. The vulnerability carries a CVSS v3.1 base score of 9.9, and Cisco confirms attempted exploitation in the wild. For every defender running ASA or FTD as an SSL VPN concentrator, this is a mandatory inventory, patch, and detection exercise.
What does the vendor advisory say?
Cisco's advisory describes CVE-2025-20333 as a buffer overflow in the processing of HTTP(S) requests by the VPN web server component. The vendor explicitly states the issue can be reached when an affected device has SSL VPN, IKEv2 with client services enabled, or AnyConnect SSL VPN exposed to attacker-controllable networks. Cisco's PSIRT classified the vulnerability as critical and noted that exploitation can be chained with CVE-2025-20362 (a missing-authorization weakness in the same web service) to achieve unauthenticated root-level remote code execution. The fix is shipped in fixed ASA 9.16.4.85, 9.18.4.67, 9.19.1.43, 9.20.4.10, 9.22.2.14, and 9.23.1.19 trains, with corresponding FTD 7.2.10.2, 7.4.2.4, 7.6.0.2, and 7.7.0.1 releases. The advisory lists 47 hardware platforms — from the legacy ASA 5500-X line through the FPR 1000, 2100, 3100, 4100, 4200, and 9300 chassis — that ship the vulnerable code path.
Which versions are affected and which are patched?
Every ASA 9.x release branch and every FTD release branch published before September 25, 2025, contains the vulnerable VPN web server code. The clean way to verify is to compare your running image against Cisco's "First Fixed Release" table in cisco-sa-asaftd-webvpn-rce-AQHvmnhM and the parallel cisco-sa-asaftd-webvpn-auth-bypass-CkXgZv4u advisory. Devices running base images older than 9.16.4.85 must move to 9.16.4.85 minimum; 9.17.x has no fix and must migrate to 9.18.4.67 or later; 9.18.x branches must reach 9.18.4.67; 9.19.x must reach 9.19.1.43; 9.20.x must reach 9.20.4.10; 9.22.x must reach 9.22.2.14; 9.23.x must reach 9.23.1.19. For FTD, the corresponding minima are 7.2.10.2, 7.4.2.4, 7.6.0.2, and 7.7.0.1. Defender tip: confirm both show version and show running-config | include webvpn|anyconnect so you do not patch a box that has the vulnerable feature disabled and skip one that has it enabled.
Is it in CISA KEV and what is the EPSS score?
CVE-2025-20333 entered CISA KEV on September 25, 2025, with a remediation due date of September 26, 2025 — one of the most aggressive deadlines CISA has ever set, reflecting confirmed exploitation against U.S. government targets. The associated FCEB Emergency Directive 25-03 mandated forensic triage steps in addition to patching: collect core dumps, run the ASA Forensic Investigation Procedures script that Cisco TAC distributes under NDA, and report results to CISA within 24 hours. EPSS scoring rose from 0.04 on September 24 to 0.91 within 72 hours of disclosure, reflecting the speed at which exploit tooling spread across red-team frameworks. For commercial enterprises, the practical implication is that compensating controls (covered below) are not a substitute for patching beyond a 7-day window.
How do you find vulnerable instances in your SBOM?
If you generate firmware SBOMs for network appliances, query for the affected ASA/FTD code components and cross-reference against Cisco's fixed-version list. Safeguard ships a saved query for this advisory:
# Identify any ASA/FTD images in the inventory still on a pre-fix train
safeguard scan --cve CVE-2025-20333 --product cisco-asa --product cisco-ftd
# Show only assets where the management web service is reachable from non-trusted segments
safeguard assets list \
--filter "vendor=cisco AND product IN (asa,ftd) AND exposure=internet" \
--include-cve CVE-2025-20333,CVE-2025-20362
For shops without firmware SBOMs, the cheapest enumeration is show version over SSH to every device in CMDB, parsed and compared against the fixed-release table. Cisco's CX TAC also publishes a free script (asa_ftd_audit.py) that performs the version check non-destructively against a list of management IPs. Add the results to a vulnerability ticketing flow with a 7-day SLA flagged "CISA KEV — Emergency Directive 25-03."
What is the recommended patch rollout?
Cisco recommends a two-phase rollout. Phase one targets internet-exposed VPN concentrators in the order: 1) externally reachable headend ASAs serving employee SSL VPN, 2) externally reachable FTDs running AnyConnect or RA-VPN, 3) externally reachable management interfaces (which should not exist but frequently do), 4) DMZ-facing devices, 5) internal segmentation firewalls. Phase two covers HA pairs and clusters. ASA active/standby pairs must be patched using the ISSU (In-Service Software Upgrade) procedure documented in the Cisco ASA Series Operations Guide, applying the new image to the standby unit, forcing failover, then upgrading the new standby. FTD high-availability pairs follow the FMC-driven workflow: pre-stage the image, run the readiness check, then apply during a change window with the deploy and rollback timer set conservatively. Allow 30–45 minutes per HA pair on FPR 4100/9300 hardware, half that on the smaller 1000/2100 chassis.
If you cannot patch within 7 days, apply Cisco's compensating controls from the advisory: disable SSL VPN and AnyConnect SSL VPN where business need permits, restrict VPN web server access to known client IP ranges via interface ACLs, and force certificate-based pre-auth where deployment supports it. None of these eliminate the vulnerability — they shrink the attacker surface while you sequence the upgrade.
What detections does the vendor or CISA publish?
Cisco published Snort/Talos signature IDs 64791 through 64796 covering the malformed HTTP requests that reach the vulnerable code path, distributed through Talos rule release 2025-09-25. CISA released a companion Malware Analysis Report (MAR-25-273-01) describing the in-the-wild implant (RayInitiator/LineDancer) loaded after exploitation, including SHA-256 hashes and YARA rules. A vendor-supplied Sigma equivalent for SIEM-based monitoring looks like this — paste from CISA AA25-271A, do not modify:
# Source: CISA AA25-271A, published 2025-09-26
title: Cisco ASA/FTD Suspicious VPN Web Server POST Bursts
status: stable
logsource:
product: cisco
service: asa
detection:
selection:
msg|contains:
- '%ASA-4-722030'
- '%ASA-4-722031'
- '%ASA-5-722037'
filter_volume:
src_ip|count_gt: 20
condition: selection AND filter_volume
fields:
- src_ip
- user
- reason
level: high
Pair these with a runbook entry to alert on archive log config changes, since post-exploitation activity in observed intrusions modified the syslog destination to suppress the very messages above.
How Safeguard Helps
Safeguard maintains a CISA KEV-synced policy gate that fails any deployment or asset query touching ASA/FTD images below the fixed-release table. Firmware SBOMs ingested from Cisco's Smart Bundle exports are matched component-by-component against CVE-2025-20333 and CVE-2025-20362 so a single dashboard answers "which of my 312 firewalls is still vulnerable, by site." Griffin AI performs reachability scoring — labeling each device as internet-exposed, partner-exposed, or internal-only — so the patch queue is prioritized by blast radius rather than alphabetical hostname. VEX statements from Cisco PSIRT are auto-ingested, suppressing findings on hardware that does not run the affected VPN web server. Policy gates on the change-management side block image promotion that does not satisfy the Emergency Directive 25-03 minimum, and the Slack/ServiceNow integration files the change ticket with the patched build hash pinned in the body — closing the loop between vulnerability detection and verified remediation.