CVE-2025-20362
Published: September 25, 2025
Official Description
Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.
CISA KEV Advisory
Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Missing Authorization Vulnerability
Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333.
The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Risk Analysis
This high-severity missing authorization vulnerability in Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server could be chained with another vulnerability. The high EPSS score of 0.42308 indicates a significant likelihood of exploitation, and its presence in CISA's KEV catalog confirms it has been actively exploited.
This vulnerability is actively exploited in the wild, indicating a critical and immediate threat. It is remotely exploitable.
Apply available patches or upgrade Cisco Secure Firewall ASA Appliance and FTD Software to the latest secure versions. Implement robust access controls and monitor VPN web server activity.
Technical Analysis
CVE-2025-20362 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CISA has added CVE-2025-20362 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
Affected Vendors & Products
Exploit & PoC Resources
News & Research Mentioning CVE-2025-20362
Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. [xlite_meta score:61 src:Cisco Talos Blog xlite_fp:2546db276c939b301ca6c2c96945b25b3ef20c790468903942ff9376669fde39]
Malware Analysis Report at a Glance Malware Name FIRESTARTER Original Publication April 23, 2026 Executive Summary The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess advanced persistent threat (APT) actors are using FIRESTARTER malware for persistence, specifically targeting publicly accessible Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. CISA and the NCSC are releasing this Malware Analysis Report to share analysis of one FIRESTARTER malware sample operating as a backdoor and urge organizations to take key [xlite_meta score:85 src:CISA Alerts xlite_fp:e0f9552a6217b3f6f1ca715daa0ae8521c48007b2346d7ea6f4d026a366e56cf]
All References (6)
Quick Facts
Known Threat Actors
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2025-20362 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts
- !CISA KEV: Federal agencies must patch per BOD 22-01 timeline
- !Active exploitation confirmed — treat as P1