Cisco ASA/FTD Zero-Day Flaw Exploited for Authentication Bypass – Proof of Concept Released

Cisco has published urgent advisories for a newly discovered zero-day exploit chain affecting its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. The vulnerabilities are being exploited in highly targeted attacks by an as yet unidentified threat actor.

According to Rapid7, the exploit chain combines two vulnerabilities, CVE-2025-20362 and CVE-2025-20333, to achieve unauthenticated remote code execution (RCE) on vulnerable devices.

A third vulnerability, CVE-2025-20363, has also been patched, but the available evidence indicates that only the first two are used in the exploit chain.

The underlying problem lies in the clientless VPN (WebVPN) feature, which lets an attacker bypass authentication and then trigger a memory corruption defect.

The Two-Stage Exploit Chain

The attack begins with CVE-2025-20362, an authentication bypass caused by a path traversal flaw. It lets a remote, unauthenticated attacker reach restricted URL endpoints that normally require a logged-in user.

The flaw resembles a previously identified vulnerability, CVE-2018-0296. An attacker exploits it by sending a crafted HTTP request (of the form CSCOU...CSCOE) to the device's web server.

This bypasses the portal's access controls and grants access to protected endpoints, setting up the second stage of the attack. A successful authentication bypass can usually be recognised from server responses such as “CSRF token mismatch” or “Failed to upload file.”

Once past authentication, the attacker exploits CVE-2025-20333, a buffer overflow in the WebVPN feature's file upload handling.

The vulnerability, classified as CWE-120 (Buffer Copy without Checking Size of Input), lies in a Lua script that handles file uploads. The script's central flaw is that it never validates the size of the “boundary” value in an HTTP request.

By sending a request whose boundary string exceeds the allocated 8192-byte buffer, an attacker triggers the overflow: the script calls the HTTPCONTENTTOBUFFER function with a length larger than the buffer can hold.

According to Rapid7's analysis, the memory corruption can be triggered through the CSCOEfilesfileaction.html endpoint, which is reachable only because of the preceding authentication bypass.
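The two request traits described above (a traversal sequence used to move from unauthenticated WebVPN content into the protected CSCOE area, and a multipart boundary longer than the 8192-byte buffer) are both visible to a reverse proxy, WAF or packet capture in front of the appliance. The following Python script is an added, defender-side example, not code from this article, Cisco or Rapid7: it parses raw HTTP request heads and labels the ones that match either pattern. The sample requests, the host name and the file names under CSCOE are constructed for the example; only the 8192-byte limit and the CSCOU/CSCOE path components come from the analysis above.

```python
"""Triage of HTTP requests aimed at a Cisco ASA/FTD WebVPN portal (added example).

Flags two request traits the analysis associates with the exploit chain:
  * a path traversal that lands on the authenticated CSCOE area
    (CVE-2025-20362 pattern), and
  * a multipart "boundary" value longer than the 8192-byte buffer
    (CVE-2025-20333 pattern).
Sample requests at the bottom are constructed fixtures, not captured traffic.
"""
import re
from urllib.parse import unquote

BOUNDARY_LIMIT = 8192  # buffer size stated in the Rapid7 analysis

_TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
# boundary=value or boundary="value" inside a Content-Type header
_BOUNDARY = re.compile(r'boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def normalise_path(path: str) -> str:
    """Drop the query string and percent-decode twice so encoded '..' is not missed."""
    path = path.split("?", 1)[0]
    return unquote(unquote(path))


def assess(raw: str) -> list:
    """Return the indicator labels matched by one request (empty list if none)."""
    _method, path, headers = parse_request(raw)
    hits = []

    # Stage 1 pattern: traversal whose decoded target is the CSCOE area.
    decoded = normalise_path(path)
    if _TRAVERSAL.search(decoded) and "CSCOE" in decoded.upper():
        hits.append("webvpn-traversal-to-cscoe")

    # Stage 2 pattern: multipart boundary longer than the 8192-byte buffer.
    match = _BOUNDARY.search(headers.get("content-type", ""))
    if match:
        boundary = match.group(1) if match.group(1) is not None else match.group(2)
        if len(boundary) > BOUNDARY_LIMIT:
            hits.append("multipart-boundary-exceeds-8192")
    return hits


# --- constructed sample requests (host and file names are placeholders) ---
BENIGN_LOGIN = (
    "GET /+CSCOE+/logon.html HTTP/1.1\r\n"
    "Host: vpn.example.invalid\r\n\r\n"
)
TRAVERSAL_PLAIN = (
    "GET /+CSCOU+/../+CSCOE+/protected-placeholder.html HTTP/1.1\r\n"
    "Host: vpn.example.invalid\r\n\r\n"
)
TRAVERSAL_ENCODED = (
    "GET /+CSCOU+/%252e%252e/+CSCOE+/protected-placeholder.html HTTP/1.1\r\n"
    "Host: vpn.example.invalid\r\n\r\n"
)
OVERSIZED_BOUNDARY = (
    "POST /+CSCOE+/upload-placeholder.html HTTP/1.1\r\n"
    "Host: vpn.example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=" + "B" * (BOUNDARY_LIMIT + 1) + "\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLES = {
    "benign login": BENIGN_LOGIN,
    "plain traversal": TRAVERSAL_PLAIN,
    "double-encoded traversal": TRAVERSAL_ENCODED,
    "oversized boundary": OVERSIZED_BOUNDARY,
}


def scan(samples: dict) -> dict:
    """Run assess() over a {label: raw request} mapping, keeping only the flagged ones."""
    return {label: assess(raw) for label, raw in samples.items() if assess(raw)}


if __name__ == "__main__":
    for label, hits in scan(SAMPLES).items():
        print(f"{label}: {', '.join(hits)}")
```

The boundary check is deliberately applied to every multipart request, not only to those that also carry a traversal, because the second stage is reached after the bypass and the two traits need not appear in the same request. Decoding the path twice before matching keeps single- and double-percent-encoded `..` segments from slipping past the traversal regex.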

Mitigations

Chaining the two vulnerabilities yields unauthenticated RCE, giving the attacker full control of an affected Cisco firewall.

Although the exploit is complex, its use in the wild has been confirmed, and it has caused crashes and reboots on vulnerable devices. The root cause is insufficient validation of user-supplied input in HTTP(S) requests.

Both Cisco ASA and FTD software are affected when the clientless VPN (WebVPN) portal is enabled. Cisco has released fixed software versions, including ASAv version 9.16.4.85, to address these critical vulnerabilities.

Administrators are strongly advised to update their systems immediately to prevent exploitation.

Source link: Cybersecuritynews.com.

Reported By

RS Web Solutions
