Two zero‑day Cisco firewall flaws (CVE‑2025‑20333 and CVE‑2025‑20362) are under active exploitation. As of September 25, 2025, CISA has issued Emergency Directive ED 25-03, which requires agencies to immediately identify Cisco ASA platforms, run the core dump and hunt on any public-facing devices, and retire any devices with an end-of-support date of August 31, 2026.
CISA has an excellent guide for all public-facing devices that were patched after September 26, 2025, with references to monitoring Cisco AnyConnect WebVPN clients and additional threat hunting commands.
CVE‑2025‑20333 allows root‑level remote code execution. Unpatched, your edge firewall can be fully compromised, enabling lateral movement, persistence, data exfiltration, and destruction.
CVE‑2025‑20362 allows unauthenticated (or minimal‑authenticated) access to restricted endpoints (privilege escalation or initial access), which adversaries are chaining with the RCE vulnerability for full control.
Under ED 25‑03, federal civilian agencies and their suppliers must inventory, patch, report, and remediate these vulnerabilities. CISA has released additional commands for threat hunting, and additional guidance for recently patched devices.
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. With a critical CVSS score of 9.9, this vulnerability is being actively exploited on public-facing Cisco Secure Firewall Adaptive Security Appliance devices.
This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. The second flaw, with a CVSS score of 6.5, affects Cisco ASA firewall appliances and could allow an unauthenticated remote attacker to access restricted URL endpoints related to remote access VPN.
TL;DR: Federal agencies (and organizations managing Cisco ASA/FTD firewalls) must inventory, patch, and report under CISA’s ED 25‑03.
CVE-2025-20333 CVE-2025-20362
Unpatched Device Guidance and Patched Device Guidance from CISA
Published: 2025-09-25