HIGH | CISA KEV | IN THE WILD

CVE-2025-20333

Published: September 25, 2025

EPSS: 18.66% probability of exploitation in 30 days | Percentile: 95.1th

Official Description

Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.

NVD Source

CISA KEV Advisory

Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability

Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362.

Added to KEV: 2025-09-25
Federal patch deadline: 2025-09-26
Required Action (CISA)

The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

Risk Analysis

A buffer overflow in Cisco Secure Firewall ASA and FTD VPN Web Server can lead to remote code execution. The high EPSS score and confirmed exploitation highlight this as a critical vulnerability that attackers are actively leveraging.

This vulnerability is actively being exploited in the wild and is included in CISA's KEV catalog. It can be chained with another vulnerability, potentially increasing its impact and making it remotely exploitable.

Recommended Action

It is crucial to apply the latest security updates for Cisco Secure Firewall ASA and FTD Software VPN Web Server. Regularly review and restrict access to VPN web server interfaces to minimize exposure.

Generated by the CTIWATCH analysis pipeline from this CVE's metadata (CVSS, EPSS, KEV status, exploit intelligence). Verify against vendor advisories before acting.

Technical Analysis

CVE-2025-20333 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

CISA has added CVE-2025-20333 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.

Affected Vendors & Products

Mentioned vendors (from description):
Cisco
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

ACTIVE EXPLOITATION: Confirmed exploitation in the wild

News & Research Mentioning CVE-2025-20333

UAT-4356's Targeting of Cisco Firepower Devices
Cisco Talos Blog · Apr 23, 2026

Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices.

FIRESTARTER Backdoor
CISA Alerts · Apr 23, 2026

Malware Analysis Report at a Glance
Malware Name: FIRESTARTER
Original Publication: April 23, 2026
Executive Summary: The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and urge organizations to take key


Quick Facts

CVE ID: CVE-2025-20333
Severity: HIGH
CISA KEV: YES — Active Exploitation
Exploit: IN THE WILD
EPSS (30d): 18.66%
Published: Sep 25, 2025

Known Threat Actors

  • Conti | financial | RU
  • wa | financial
  • thor | financial
  • aware | financial
  • conti | financial
  • core | financial

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2025-20333 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
  • CISA KEV: Federal agencies must patch per BOD 22-01 timeline
  • Active exploitation confirmed — treat as P1
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.