CVE-2025-20362 Overview
A critical authentication bypass vulnerability exists in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to access restricted URL endpoints related to remote access VPN that should otherwise require authentication.
The vulnerability stems from improper validation of user-supplied input in HTTP(S) requests. An attacker can exploit this flaw by sending crafted HTTP requests to a targeted web server on an affected device, potentially gaining unauthorized access to restricted URLs without authentication.
On November 5, 2025, Cisco became aware of a new attack variant against devices running affected software releases. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. This vulnerability is being actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
Unauthenticated remote attackers can bypass authentication to access restricted VPN endpoints and cause device reloads, leading to service disruption and potential unauthorized access to protected network resources.
Affected Products
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco Firepower Threat Defense (FTD) Software
- Remote Access VPN configurations on affected platforms
Discovery Timeline
- September 25, 2025 - CVE-2025-20362 published to NVD
- November 5, 2025 - Cisco became aware of new attack variant targeting affected devices
- November 6, 2025 - Last updated in NVD database
Technical Details for CVE-2025-20362
Vulnerability Analysis
This authentication bypass vulnerability (CWE-862: Missing Authorization) affects the VPN web server component of Cisco's firewall products. The flaw enables unauthenticated network-based attacks that can compromise the confidentiality and integrity of protected systems while also enabling denial of service conditions.
The vulnerability is particularly concerning because it targets the remote access VPN functionality—a critical component for organizations relying on Cisco firewalls for secure remote connectivity. Attackers can reach restricted administrative or VPN-related endpoints without providing valid credentials, potentially exposing sensitive configuration data or enabling further attacks against the network infrastructure.
Root Cause
The root cause is improper validation of user-supplied input in HTTP(S) requests processed by the VPN web server. The affected software fails to properly enforce authorization checks on certain URL endpoints, allowing attackers to bypass authentication mechanisms that should protect access to restricted VPN-related resources.
This missing authorization check (CWE-862) means that the web server does not adequately verify that incoming requests to sensitive endpoints originate from authenticated sessions, enabling direct access to protected functionality.
Attack Vector
The attack vector is network-based and requires no user interaction or prior authentication. An attacker can exploit this vulnerability remotely by:
- Identifying a device running vulnerable Cisco ASA or FTD software with remote access VPN enabled
- Crafting malicious HTTP(S) requests targeting restricted URL endpoints
- Sending the crafted requests to the VPN web server
- Gaining unauthorized access to protected resources or causing the device to reload
The exploitation mechanism involves manipulating HTTP request parameters to bypass the authentication validation logic, allowing direct access to endpoints that should be protected. When exploited via the newly discovered attack variant, the vulnerability can cause affected devices to unexpectedly reload, resulting in denial of service conditions that disrupt VPN connectivity for legitimate users.
Detection Methods for CVE-2025-20362
Indicators of Compromise
- Unusual HTTP(S) requests to VPN web server endpoints from unauthenticated sources
- Unexpected device reloads or crashes on ASA/FTD appliances with remote access VPN enabled
- Authentication bypass attempts visible in web server access logs
- Anomalous access patterns to restricted VPN-related URL paths
Detection Strategies
- Monitor HTTP(S) access logs for requests to restricted VPN endpoints from unauthenticated sessions
- Implement network intrusion detection rules for malformed or suspicious HTTP requests targeting Cisco ASA/FTD web servers
- Configure SIEM alerts for repeated device reloads or crash events on firewall appliances
- Analyze traffic patterns for reconnaissance activity targeting VPN web server endpoints
Monitoring Recommendations
- Enable detailed logging on Cisco ASA/FTD devices for HTTP(S) connections to the VPN web server
- Deploy network monitoring solutions to detect anomalous traffic patterns to firewall management and VPN interfaces
- Establish baseline behavior for VPN web server access and alert on deviations
- Monitor CISA KEV catalog and Cisco security advisories for updated threat intelligence
How to Mitigate CVE-2025-20362
Immediate Actions Required
- Upgrade to fixed software releases as specified in the Cisco Security Advisory
- Review and restrict network access to VPN web server management interfaces where possible
- Monitor systems for indicators of compromise and unexpected device behavior
- Consider temporarily disabling remote access VPN features if immediate patching is not possible and if operationally feasible
Patch Information
Cisco has released fixed software versions to address this vulnerability. Organizations should consult the Cisco Security Advisory for specific version information and upgrade guidance. Given the active exploitation of this vulnerability, Cisco strongly recommends that all customers upgrade to the fixed software releases immediately.
For additional context on the continued attack activity targeting this vulnerability, Cisco has published supplementary guidance at their ASA/FTD Continued Attacks Resource.
Workarounds
- Restrict access to the VPN web server to trusted IP addresses using access control lists (ACLs)
- Implement additional network segmentation to limit exposure of VPN web interfaces
- Deploy a web application firewall (WAF) to filter malicious HTTP requests before they reach the VPN web server
- Monitor for the new attack variant indicators and implement rate limiting on VPN web server connections
# Example ACL to restrict VPN web server access (adjust interface and IP ranges as needed)
access-list outside_access extended permit tcp host 10.0.0.0/8 host FIREWALL_IP eq 443
access-list outside_access extended deny tcp any host FIREWALL_IP eq 443
access-group outside_access in interface outside
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
