CVE-2025-20333 (exploited in the wild)

Cisco Secure Firewall ASA & FTD, VPN web server buffer overflow RCE (ArcaneDoor)

A buffer overflow in the VPN web server of Cisco Secure Firewall ASA and FTD Software, caused by improper validation of user-supplied input in HTTP(S) requests, lets an authenticated remote attacker with valid VPN credentials execute arbitrary code as root. Chained with the authentication-bypass flaw CVE-2025-20362, it enables full unauthenticated device compromise and was exploited as a zero-day by a state-sponsored actor.

Overview

CVE-2025-20333 is a critical buffer overflow in the VPN web server of Cisco Secure Firewall ASA and FTD Software. An authenticated attacker holding valid VPN user credentials can send crafted HTTP(S) requests to overflow a buffer and execute arbitrary code as root, fully compromising the firewall. In the observed "ArcaneDoor" campaign it was chained with the unauthenticated authentication-bypass CVE-2025-20362, turning the pair into a remote, pre-authentication takeover. The threat actor (tracked as UAT4356 / Storm-1849) used it as a zero-day, prompting CISA Emergency Directive ED 25-03.

Technical Details

The VPN web server (WebVPN / AnyConnect) fails to validate the size of user-supplied input in HTTP requests, allowing a classic memory-corruption overflow. With CVE-2025-20362 providing access to restricted URL endpoints without authentication, an attacker reaches the vulnerable handler unauthenticated and overflows it to gain code execution at the highest privilege. Post-exploitation, ArcaneDoor deployed malware (RayInitiator bootkit and LINE VIPER shellcode loader) that survives reboots and firmware upgrades on certain hardware.
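The following is an added illustration of the bug class named above (CWE-120, a fixed-size buffer filled from an HTTP header without a length check), not Cisco's code and not a reconstruction of the ASA/FTD handler. The header name, buffer size, struct layout, function names and the sample requests are all assumptions constructed for this example; the point is the contrast between copying whatever length the client supplied and checking that length against the destination first.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy session record. The field after the buffer is deliberately something
 * security-relevant, to show what an overflow lands on first. (Assumed layout.) */
#define SESSION_ID_MAX 32
struct session {
    char id[SESSION_ID_MAX];
    int  authenticated;
};

/* Locate the value of "name value\r\n" in a raw request. Returns a pointer into
 * the request and the value length, or NULL if the header is absent.
 * (Toy matcher: a plain strstr, not a real header parser.) */
static const char *header_value(const char *request, const char *name, size_t *len_out)
{
    const char *p = strstr(request, name);
    if (!p) return NULL;
    p += strlen(name);
    while (*p == ' ') p++;
    const char *end = strpbrk(p, "\r\n");
    if (!end) end = p + strlen(p);
    *len_out = (size_t)(end - p);
    return p;
}

/* VULNERABLE (CWE-120): the client-controlled length is never compared with
 * sizeof s->id, so a long header writes past the buffer into whatever follows. */
static int parse_session_unsafe(const char *request, struct session *s)
{
    size_t len;
    const char *v = header_value(request, "X-Session-Id:", &len);
    if (!v) return -1;
    memcpy(s->id, v, len);          /* no bound check */
    s->id[len] = '\0';
    return 0;
}

/* HARDENED: validate the size before touching the buffer and reject oversized
 * input outright (not silently truncate), leaving room for the terminator. */
static int parse_session_safe(const char *request, struct session *s)
{
    size_t len;
    const char *v = header_value(request, "X-Session-Id:", &len);
    if (!v) return -1;              /* header missing */
    if (len >= sizeof s->id) return -2;   /* would overflow: refuse the request */
    memcpy(s->id, v, len);
    s->id[len] = '\0';
    return 0;
}

/* Constructed sample requests (not captured traffic). */
static const char SAMPLE_OK[] =
    "GET /login HTTP/1.1\r\nHost: fw.example\r\nX-Session-Id: abc123\r\n\r\n";
static const char SAMPLE_TOO_LONG[] =
    "GET /login HTTP/1.1\r\nHost: fw.example\r\nX-Session-Id: "
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 48 bytes, > SESSION_ID_MAX */
    "\r\n\r\n";
static const char SAMPLE_NO_HEADER[] =
    "GET /login HTTP/1.1\r\nHost: fw.example\r\n\r\n";

int main(void)
{
    struct session s = {{0}, 0};
    /* The unsafe parser behaves identically on well-formed input, which is why
     * this class of bug survives functional testing. It is not run on the
     * oversized request here, because doing so is undefined behaviour. */
    printf("unsafe, ok request:      %d (id=%s)\n", parse_session_unsafe(SAMPLE_OK, &s), s.id);
    printf("safe,   ok request:      %d (id=%s)\n", parse_session_safe(SAMPLE_OK, &s), s.id);
    printf("safe,   oversized header: %d (rejected)\n", parse_session_safe(SAMPLE_TOO_LONG, &s));
    printf("safe,   header missing:  %d\n", parse_session_safe(SAMPLE_NO_HEADER, &s));
    return 0;
}
```

The defensive takeaway is the ordering: the length check happens before any write, and the failure path is a rejected request rather than a best-effort copy. Truncating with `strncpy` would avoid the overflow but still lets the caller proceed on attacker-shaped data, which is why the hardened variant returns an error instead.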

Impact

  • Root-level remote code execution on the firewall, the most privileged node at the perimeter.
  • Persistent implants: bootkit-class malware surviving reboot/upgrade on affected platforms.
  • Full traffic and credential exposure: control of VPN sessions, decryption, and routing.
  • State-sponsored targeting of government and critical infrastructure; CISA ordered emergency mitigation across federal agencies.

Mitigation

  1. Upgrade immediately to a fixed ASA/FTD release per Cisco advisory cisco-sa-asaftd-webvpn-z5xP8EUB; there are no workarounds.
  2. Hunt for compromise before and while patching, per CISA ED 25-03; assume internet-facing devices may already be implanted.
  3. If compromise is suspected, collect a core dump and engage Cisco TAC / IR, then reimage rather than merely patch.
  4. Restrict and monitor management/VPN web interfaces; disable unused WebVPN features.

Detection

  • Use Cisco's documented forensic procedure (show memory region, core dump analysis) to detect RayInitiator / LINE VIPER.
  • Watch for unexpected device reboots, crashes, or config changes around the September 25, 2025 disclosure.
  • Correlate with CISA KEV (added September 25, 2025) and ED 25-03 indicators.
