Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability

Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.

Published Sep 25, 2025 · Updated May 16, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

A remote attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2025-09-26 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Classic Buffer Overflow (CWE-120) vulnerability in Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense. A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device. Exploitation requires remote network access, low attack complexity, a low-privilege authenticated account, and no user interaction required.

Am I affected?Quick check

Probably yes if any of these apply:

●Network Security Team

●Firewall Administrators

●IT Security

●Running adaptive security appliance software: 9.12 ≤ v < 9.12.4.72, 9.14 ≤ v < 9.14.4.28, 9.16 ≤ v < 9.16.4.85, 9.17.0 ≤ v < 9.17.1.45, 9.18 ≤ v < 9.18.4.47, 9.19 ≤ v < 9.19.1.37, 9.20 ≤ v < 9.20.3.7, 9.22 ≤ v < 9.22.1.3; firepower threat defense: 7.0.0 ≤ v < 7.0.8.1, 7.1.0 ≤ v < 7.2.9, 7.3.0 ≤ v < 7.4.2.4, 7.6.0

Real-world incidentsWhat we've seen

CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2025-09-25 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2025-09-26.

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

References

Vendor advisory: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-20333

CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20333

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2025-20333 ↗ NVD ↗ Vendor Advisory