Full Report
CISA warned federal agencies to fully patch two actively exploited vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices. [...]
Analysis Summary
# Vulnerability: Chained Exploitation in Cisco ASA and Firepower Devices Leading to Remote Code Execution
## CVE Details
- CVE ID: CVE-2025-20362 and CVE-2025-20333
- CVSS Score: *Not explicitly provided in the text for individual CVEs, but the severity implies High/Critical based on RCE and active exploitation.*
- CWE: *Not explicitly provided in the text based on the context provided.*
## Affected Systems
- Products: Cisco Adaptive Security Appliances (ASA) and Firepower devices (including 5500-X Series devices with VPN web services enabled).
- Versions: Any version that has not been fully updated to the minimum software version specified in the vendor advisories. (The article notes that agencies often update to versions still vulnerable).
- Configurations: Devices utilizing VPN web services.
## Vulnerability Description
The two vulnerabilities, CVE-2025-20362 and CVE-2025-20333, can be chained together.
1. **CVE-2025-20362** allows remote threat actors to access restricted URL endpoints without authentication.
2. **CVE-2025-20333** then allows these threat actors to gain code execution on the vulnerable device.
If successfully chained, unauthenticated attackers can achieve complete remote control over the affected devices.
## Exploitation
- Status: **Exploited in the wild** (Tracked as zero-days; linked to the ArcaneDoor campaign targeting government networks).
- Complexity: Implied to be relatively low for the chaining sequence, enabling remote acquisition of control.
- Attack Vector: **Network** (Remote threat actors targeting publicly exposed VPN web services).
## Impact
- Confidentiality: High (Likely leads to full device compromise and data access).
- Integrity: High (Code execution allows modification of device configuration and state).
- Availability: High (Potential for denial of service or complete device lockout/control).
## Remediation
### Patches
- **Patch Immediately:** CISA Emergency Directive 25-03 requires applying the latest patch to **all** ASA and Firepower devices on the network, not just Internet-exposed ones.
- **Version Verification:** Organizations must verify they have updated to the minimum required software version, as partial updates have left systems still vulnerable despite the belief patches were applied.
### Workarounds
- *No specific workarounds were detailed in this summary excerpt beyond applying the correct patch.*
## Detection
- Indicators of Compromise (IOCs): Not explicitly listed, but tracking exploitation linked to the **ArcaneDoor campaign** is relevant.
- Detection Methods and Tools: Agencies should review the CISA ED 25-03 guidance for specific technical indicators and verification steps. Shadowserver monitoring indicates over 30,000 devices were still vulnerable at the time of the alert.
## References
- Vendor Advisories (Cisco):
- sec-cloudapps-cisco-com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW (CVE-2025-20362)
- sec-cloudapps-cisco-com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB (CVE-2025-20333)
- sec-cloudapps-cisco-com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-websrvs-dos-X8gNucD2 (Related ArcaneDoor flaw)
- sec-cloudapps-cisco-com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h (Related ArcaneDoor flaw)
- CISA Guidance:
- cisa-gov/news-events/alerts/2025/11/12/update-implementation-guidance-emergency-directive-cisco-asa-and-firepower-device-vulnerabilities
- cisa-gov/ed-25-03-guidance-device-updates-and-patching