
CVE-2025-20333 -- CVSS 9.9 Vulnerability Briefing

CVE-2025-20333 | CVSS 9.9 (Critical) | Exploit: PoC available

What Is It

CVE-2025-20333 is an authenticated remote code execution vulnerability in the VPN web server component of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software, exploitable by any attacker holding valid VPN user credentials.

Technical Detail

The flaw stems from improper validation of user-supplied input in HTTP and HTTPS requests processed by the VPN web server. An attacker with valid VPN credentials can send specially crafted HTTP requests to trigger the vulnerability, resulting in arbitrary code execution on the affected device. Successful exploitation would give the attacker the ability to run code in the context of the affected system, potentially enabling full device compromise, configuration manipulation, or use of the device as a pivot point into protected network segments.

Exploitation Status

A proof-of-concept exploit is publicly available. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning active in-the-wild exploitation has not been formally confirmed by CISA as of this writing. However, the combination of a CVSS score of 9.9, a low authentication barrier (standard VPN credentials), and the availability of a PoC significantly elevates the risk of exploitation in the near term.

Who Is Targeting This

No specific threat actor has been attributed at this time: no confirmed or reported threat actor associations have been established for this CVE. Given the high-value nature of perimeter firewall and VPN infrastructure, and the historical targeting of Cisco ASA and FTD devices by nation-state and ransomware-affiliated actors, this vulnerability warrants close monitoring for emerging attribution.

What To Do

Apply Cisco's patches for affected ASA and FTD software versions immediately, prioritizing internet-facing devices with VPN services enabled. Organizations should consult Cisco Security Advisory documentation to identify their specific affected software train and the corresponding fixed release. As an interim measure, restrict VPN web server access to known, trusted IP ranges where operationally feasible, and enforce multi-factor authentication for all VPN user accounts to raise the credential bar for exploitation. Review authentication logs for anomalous or unexpected HTTP request patterns against the VPN web interface. Given the critical CVSS score and PoC availability, treat this as a high-priority patch cycle regardless of KEV status.
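
One way to carry out the log review and trusted-range check described above, as an added example that is not part of the original briefing or any Cisco tooling. The trusted ranges, the failure threshold and the sample lines are constructed assumptions, and the patterns are modeled on ASA syslog messages 716001 and 113005, so confirm them against your own devices' output.

```python
import ipaddress
import re
from collections import Counter

# Assumption: source ranges VPN users are expected to connect from.
TRUSTED = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/28")]
FAIL_THRESHOLD = 3  # assumption: rejected logins from one IP before a success is flagged

# Modeled on ASA syslog 716001 (WebVPN session started) and 113005 (AAA rejected).
SESSION = re.compile(
    r"%ASA-6-716001: Group <[^>]*> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> WebVPN session started")
REJECT = re.compile(
    r"%ASA-6-113005: AAA user authentication Rejected.*user = \S+ : user IP = (?P<ip>\S+)")

def is_trusted(ip):
    """True if ip parses and falls inside one of the TRUSTED networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(addr in net for net in TRUSTED)

def triage(lines):
    """Return (reason, user, ip) findings for VPN web sessions, in log order."""
    rejects, findings = Counter(), []
    for line in lines:
        m = REJECT.search(line)
        if m:
            rejects[m["ip"]] += 1
            continue
        m = SESSION.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if not is_trusted(ip):
            findings.append(("untrusted-source", user, ip))
        if rejects[ip] >= FAIL_THRESHOLD:
            findings.append(("success-after-failures", user, ip))
    return findings

# Constructed sample log lines (not captured from a real device).
REJ = ("Oct 01 09:05:10 fw1 %ASA-6-113005: AAA user authentication Rejected : "
       "reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 192.0.2.77")
SAMPLE = [
    "Oct 01 09:00:01 fw1 %ASA-6-716001: Group <GP> User <alice> IP <198.51.100.23> WebVPN session started.",
    REJ, REJ, REJ,
    "Oct 01 09:06:02 fw1 %ASA-6-716001: Group <GP> User <bob> IP <192.0.2.77> WebVPN session started.",
    "Oct 01 09:30:44 fw1 %ASA-6-716001: Group <GP> User <carol> IP <203.0.113.200> WebVPN session started.",
]
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Findings from this triage are leads for review, not proof of exploitation: the briefing gives no request-level indicators for CVE-2025-20333, so the check only covers who authenticated and from where.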
