Cisco Secure Firewall ASA and FTD, VPN web server authentication bypass / missing authorization (ASA/FTD WebVPN)
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted remote-access-VPN URL endpoints that should otherwise require authentication. The flaw is due to improper validation of user-supplied input in HTTP(S) requests. A later attack variant can also cause affected devices to reload unexpectedly, resulting in a denial-of-service condition.
Overview
CVE-2025-20362 is a high-severity authorization-bypass vulnerability in the VPN web server of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software. It allows an unauthenticated, remote attacker to access restricted URL endpoints related to remote access VPN that should otherwise be inaccessible without authentication. Cisco published advisory cisco-sa-asaftd-webvpn-YROOTUW (CVSS 3.1 8.6 per NVD; 6.5 per the Cisco CNA), and CISA added the CVE to its Known Exploited Vulnerabilities catalog on September 25, 2025. The Cisco PSIRT confirmed attempted exploitation, and the flaw was chained with the companion RCE CVE-2025-20333 in attacks against ASA/FTD devices. A subsequent attack variant identified on November 5, 2025, can force affected devices to reload, producing a denial-of-service condition.
Technical Details
The root cause is improper validation of user-supplied input in HTTP(S) requests handled by the VPN web server (WebVPN). Because the server does not correctly enforce authorization on certain URL endpoints, an attacker can craft requests that reach functionality intended to be available only after authentication; the weakness is classified as CWE-862 (Missing Authorization). The NVD primary metrics are network attack vector (AV:N), low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), with low confidentiality and integrity impact but high availability impact (C:L/I:L/A:H), yielding a base score of 8.6. The high availability weighting reflects the later variant that can crash and reload the device. The vulnerability is exploitable only when remote access VPN web services such as SSL VPN, AnyConnect IKEv2 with client services, or Mobile User Security (MUS) are enabled. There are no workarounds; Cisco directs administrators to the Cisco Software Checker to identify the first fixed release for their specific platform and version.
Impact
- Unauthenticated, remote access to restricted remote-access-VPN URL endpoints that should require authentication.
- Exposure of, and limited tampering with, VPN web server functionality (low confidentiality and integrity impact per NVD).
- Denial of service through unexpected device reloads via a later attack variant (high availability impact).
- When chained with CVE-2025-20333, escalation toward remote code execution on the firewall.
- Compromise of a network perimeter device, undermining the security boundary it is meant to enforce.
Mitigation
- Use the Cisco Software Checker referenced in advisory cisco-sa-asaftd-webvpn-YROOTUW to determine the first fixed release for your exact ASA or FTD platform and current version, then upgrade to that release or later. No workarounds are available.
- For affected ASA 9.12 deployments without a standard fixed train, apply the interim fixed release ASA 9.12.4.72; for affected ASA 9.14 deployments, apply ASA 9.14.4.28.
- Upgrade FTD Software to the first fixed release identified by the Cisco Software Checker for your platform (FTD 7.0 through 7.7.x trains are affected).
- If remote access VPN web services are not required on a device, disable SSL VPN / WebVPN to remove the attack surface until patching is complete.
- After upgrading, review device logs and configuration for signs of prior compromise and follow Cisco's continued-attacks guidance, including credential and certificate rotation where indicated.
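The version-triage step behind these mitigations (and the exposure inventory the Detection section opens with) is easy to get wrong by hand across many devices. The following is an added example, not Cisco tooling: it parses ASA "show version" strings in either the 9.12(4)65 or 9.12.4.65 form, compares them against the two interim fixed releases stated on this page (ASA 9.12.4.72 and 9.14.4.28), and orders a constructed inventory so that internet-facing, unfixed, WebVPN-enabled devices come first. Every other train, and all FTD versions, is deliberately reported as "check-software-checker" rather than guessed; the hostnames and version strings are constructed sample data.

```python
"""Triage ASA release strings against the interim fixed releases named on this
page. Added example; not Cisco code. Trains not listed here must be resolved
through the Cisco Software Checker."""
import re

# Interim fixed releases stated on the page (9.12 and 9.14 trains only).
INTERIM_FIXED = {
    (9, 12): (9, 12, 4, 72),
    (9, 14): (9, 14, 4, 28),
}

# Lower number = higher remediation priority.
PRIORITY = {"vulnerable": 0, "check-software-checker": 1, "not-exposed": 2, "fixed": 3}

# Constructed inventory rows: (hostname, 'show version' excerpt, WebVPN on?, internet-facing?)
SAMPLE_INVENTORY = [
    ("asa-edge-1", "Cisco Adaptive Security Appliance Software Version 9.12(4)65", True, True),
    ("asa-edge-2", "Cisco Adaptive Security Appliance Software Version 9.14(4)28", True, True),
    ("asa-lab-1", "Cisco Adaptive Security Appliance Software Version 9.12(4)65", False, False),
    ("asa-dc-1", "Cisco Adaptive Security Appliance Software Version 9.16(4)10", True, False),
]


def parse_asa_version(text):
    """Return (major, minor, maint, interim) from '9.12(4)65' or '9.12.4.65'.
    A missing interim number is treated as 0 so the tuple stays comparable."""
    m = re.search(r"(\d+)\.(\d+)\((\d+)\)(\d+)?", text)  # Cisco's 9.12(4)65 form
    if not m:
        m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)  # dotted 9.12.4.65 form
    if not m:
        raise ValueError(f"no ASA version found in {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def triage(version_text, webvpn_enabled):
    """Classify one device. 'not-exposed' means the vulnerable web services are
    off, which removes the attack surface but does not remove the need to patch."""
    if not webvpn_enabled:
        return "not-exposed"
    version = parse_asa_version(version_text)
    fixed = INTERIM_FIXED.get(version[:2])
    if fixed is None:
        return "check-software-checker"
    return "fixed" if version >= fixed else "vulnerable"


def prioritize(inventory):
    """Return [(hostname, status)] with internet-facing vulnerable devices first."""
    rows = []
    for host, version_text, webvpn, internet_facing in inventory:
        status = triage(version_text, webvpn)
        rows.append((PRIORITY[status], 0 if internet_facing else 1, host, status))
    rows.sort()
    return [(host, status) for _, _, host, status in rows]


if __name__ == "__main__":
    for host, status in prioritize(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

Feed it the output of "show version" collected from each device; anything reported as "check-software-checker" needs a lookup in the Software Checker before it can be marked fixed.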
Detection
Begin by establishing exposure: identify every ASA and FTD device with remote-access-VPN web services (SSL VPN, AnyConnect IKEv2 with client services, or Mobile User Security) enabled and reachable from the internet, then confirm each device's software version against the first fixed release from the Cisco Software Checker. Internet-facing devices running an unfixed release are the highest priority.
For exploitation detection, monitor the WebVPN interface for HTTP(S) requests to VPN-related URL endpoints that succeed without an associated authenticated VPN session. Anomalous or malformed request paths targeting WebVPN, high volumes of requests from unfamiliar source addresses, and access patterns that do not match legitimate AnyConnect/SSL VPN client behavior are strong indicators. Because this flaw has been chained with CVE-2025-20333, correlate suspicious WebVPN access with any signs of code execution, configuration changes, or new local accounts on the device.
Watch closely for unexpected device reloads or crashes, which the November 2025 attack variant can trigger; repeated unexplained reloads of an unpatched, internet-exposed ASA/FTD should be treated as possible active exploitation rather than routine instability. Review syslog and ASDM/FMC event data for crash traceback events, unusual administrative actions, and changes to VPN or web service configuration. Cisco has published specific guidance and indicators in its continued-attacks resource and the YROOTUW advisory; ingest those indicators into your monitoring tooling.
Given that this CVE is in CISA's KEV catalog with a confirmed exploitation history, federal and prudent enterprise practice is to assume targeting of any exposed, unpatched device. Capture forensic data (running configuration, crash dumps, logs) before remediation, and after upgrading, validate that the fixed release is running and that the previously reachable endpoints now enforce authentication. Continue to monitor Cisco PSIRT updates for this advisory, as additional variants and detection guidance have been issued over time.
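The two exploitation signals described above, successful requests to restricted endpoints with no authenticated session and repeated unexplained reloads, can be expressed as simple rules over exported device events. The following is an added example and not Cisco's syslog format or detection content: the record layout, the restricted path prefixes, the source addresses and the timestamps are all constructed placeholders, and an operator would substitute the endpoint list and field names from Cisco's own guidance and their logging pipeline.

```python
"""Detection sketch for the WebVPN signals described on this page, run over
constructed sample events. Added example; field names, paths and data are
placeholders, not Cisco's syslog schema or real endpoint names."""
from collections import Counter
from datetime import datetime, timedelta
import re

# Placeholder prefixes for endpoints that must require authentication.
RESTRICTED_PREFIXES = ("/vpn/restricted/", "/vpn/admin/")

# Constructed access records: "<ISO time> src=<ip> path=<url> status=<code> session=<id|->"
SAMPLE_ACCESS_LOG = """\
2025-09-25T10:00:01Z src=203.0.113.10 path=/vpn/login status=200 session=-
2025-09-25T10:00:05Z src=203.0.113.10 path=/vpn/restricted/profile status=200 session=S1a2b
2025-09-25T10:01:12Z src=198.51.100.7 path=/vpn/restricted/profile status=200 session=-
2025-09-25T10:01:13Z src=198.51.100.7 path=/vpn/admin/config status=200 session=-
2025-09-25T10:02:00Z src=192.0.2.44 path=/vpn/restricted/profile status=401 session=-
"""

# Constructed device-event records for the reload rule.
SAMPLE_EVENT_LOG = """\
2025-11-06T02:10:00Z event=reload reason=unexpected
2025-11-06T03:40:00Z event=reload reason=unexpected
2025-11-06T09:15:00Z event=reload reason=scheduled
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_record(line):
    """Parse '<ts> k=v k=v ...' into a dict; 'ts' becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = dict(tok.split("=", 1) for tok in m.group("kv").split())
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return rec


def records(log_text):
    return [parse_record(l) for l in log_text.splitlines() if l.strip()]


def is_restricted(path):
    return path.startswith(RESTRICTED_PREFIXES)


def unauthenticated_hits(log_text):
    """Rule 1: a 2xx response on a restricted endpoint with no session ID is the
    authorization-bypass pattern; legitimate clients carry a session."""
    return [
        (r["src"], r["path"])
        for r in records(log_text)
        if is_restricted(r["path"]) and r["status"].startswith("2") and r["session"] == "-"
    ]


def noisy_sources(log_text, threshold=2):
    """Rule 2: sources issuing many requests to restricted endpoints, any status."""
    counts = Counter(r["src"] for r in records(log_text) if is_restricted(r["path"]))
    return {src: n for src, n in counts.items() if n >= threshold}


def repeated_reloads(log_text, window=timedelta(hours=24), min_count=2):
    """Rule 3: min_count or more unexpected reloads inside one window. Scheduled
    reloads are excluded so routine maintenance does not trigger the rule."""
    times = sorted(
        r["ts"] for r in records(log_text)
        if r.get("event") == "reload" and r.get("reason") == "unexpected"
    )
    return any(
        times[i + min_count - 1] - times[i] <= window
        for i in range(len(times) - min_count + 1)
    )


if __name__ == "__main__":
    print("unauthenticated restricted hits:", unauthenticated_hits(SAMPLE_ACCESS_LOG))
    print("noisy sources:", noisy_sources(SAMPLE_ACCESS_LOG))
    print("repeated unexpected reloads:", repeated_reloads(SAMPLE_EVENT_LOG))
```

Rule 1 is the one to alert on immediately; rules 2 and 3 are corroborating signals that, per the page, should be correlated with configuration changes, new local accounts and any evidence of the chained CVE-2025-20333 before a device is declared clean.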