Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Unauthenticated restricted URL access in Cisco Secure ASA/FTD VPN web server

IdentifiersCVE-2025-20362CWE-285

CVE-2025-20362 is a vulnerability in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. According to the provided Cisco advisory text, the flaw is caused by improper validation of user-supplied input in HTTP(S) requests and allows an unauthenticated remote attacker to access restricted remote-access VPN URL endpoints that should require authentication. An attacker can exploit the issue by sending crafted HTTP requests to the affected device’s web server. Cisco later reported a new attack variant against devices affected by CVE-2025-20362 and CVE-2025-20333 that can cause unpatched devices to unexpectedly reload, producing denial-of-service conditions.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated access to restricted VPN-related URL endpoints on affected ASA/FTD devices. Based on the supporting content, this can expose functionality or data intended to be available only after authentication and may support reconnaissance, session validation bypass, credential harvesting, or chaining with other actions or vulnerabilities for broader compromise. Cisco also reported in-the-wild exploitation and a later attack variant that can force affected unpatched devices to reload repeatedly, resulting in denial of service.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the VPN web server by restricting WebVPN access to trusted source addresses, limiting or disabling internet exposure where operationally feasible, and disabling WebVPN functionality if it is not required. Increase monitoring of HTTP(S) access to WebVPN endpoints and investigate signs of exploitation. Because the content indicates active exploitation and possible chaining with other activity, suspected-compromised devices should be treated cautiously and investigated for follow-on compromise.

Remediation

Patch, then assume compromise.

Upgrade Cisco Secure ASA Software and Cisco Secure FTD Software to the fixed releases identified by Cisco in the advisory’s Fixed Software section. Cisco strongly recommends that all customers upgrade, especially because exploitation in the wild has been confirmed and later attack variants can induce device reloads and DoS on unpatched systems.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Cisco SystemsAdaptive Security Appliance Softwareoperating_system
Cisco SystemsFirepower Threat Defenseapplication
Cisco SystemsSecure Firewall Asa Softwareapplication
Cisco SystemsSecure Firewall Ftd Softwareapplication
Cisco SystemsSecure Firewall Threat Defense Softwareapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

280 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

280 SOURCESView more in app
cyber security newsNews
May 22, 2026
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

Cisco ASA/AnyConnect VPN vulnerability used for initial access into internal networks.

Read more
malware newsNews
May 22, 2026
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence - Malware News - Malware Analysis, News and Indicators

A Cisco firewall and VPN zero-day vulnerability mentioned in references as part of the broader trend of edge-device exploitation.

Read more
microsoft security blogNews
May 22, 2026
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence | Microsoft Security Blog

A Cisco firewall and VPN zero-day vulnerability referenced in related context about edge-device exploitation trends.

Read more
sdxcentral cybersecurityNews
May 12, 2026
Cisco to plug leaky legacy ware with Resilient Infrastructure service - SDxCentral

A privilege escalation vulnerability associated with attacks on Cisco infrastructure and linked to the ArcaneDoor campaign.

Read more
+45 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence30

Every observed campaign linking this CVE to a named adversary.

Associated malware45

Malware families riding this exploit, with evidence and IOCs.

Detection signatures3

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity147

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-20362
NVD
nvd.nist.gov/vuln/detail/CVE-2025-20362
MITRE CWE · CWE-285
cwe.mitre.org
Vendor Advisory
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
Vendor Advisory
sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20362