Critical Vulnerabilities: Cisco ASA/FTD and Fortra GoAnywhere

Written by Admin | Oct 6, 2025 1:24:18 PM

Cisco has released an urgent security alert after confirming active exploitation of a serious zero-day vulnerability in its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) platforms.

The flaw, tracked as CVE-2025-20333, carries a near-maximum severity score (CVSS 9.9). It affects devices with remote access VPN services enabled, allowing attackers with valid VPN credentials to send malicious requests to the VPN web server. Successful exploitation grants full root access, opening the door to backdoors, data theft, or further movement into internal networks. Cisco has confirmed exploitation attempts in the wild and stressed the urgency of patching affected systems without delay.

How the exploit works

At its core, the issue is a buffer overflow in the VPN web server, triggered by specially crafted HTTPS requests. A buffer overflow happens when more data is sent into a memory buffer than it can hold, causing the excess to spill into adjacent memory. By deliberately shaping this overflow, attackers can overwrite instructions and hijack execution flow, forcing the system to run their malicious code. With valid VPN credentials in hand, this flaw allows a complete takeover of the firewall.

Devices are considered at risk if they have the following VPN features enabled:

  1. AnyConnect IKEv2 Remote Access with client services

  2. SSL VPN services

  3. Mobile User Security (MUS) implementations

Because the flaw specifically targets SSL sockets in these VPN configurations, organisations with remote access VPNs are the most exposed.

Linked issue: unauthorised access bug

Alongside the critical RCE flaw, Cisco also disclosed CVE-2025-20362, a medium-severity vulnerability (CVSS 6.5). This one doesn’t require credentials: attackers can exploit weaknesses in input validation to access restricted URL endpoints on the VPN web server. In short, it allows unauthorised access to sensitive resources without logging in.

CVE overview:

  1. CVE-2025-20333 – Cisco ASA/FTD VPN Web Server Remote Code Execution – CVSS 9.9 – Critical

  2. CVE-2025-20362 – Cisco ASA/FTD VPN Web Server Unauthorised Access – CVSS 6.5 – Medium

Fortra GoAnywhere MFT (CVE-2025-10035)

A separate vulnerability has been disclosed in Fortra’s GoAnywhere Managed File Transfer (MFT) platform. The issue, CVE-2025-10035, is a deserialisation flaw in the licensing servlet rated CVSS 10.0. Under certain conditions, it can lead to remote code execution.

While no public exploitation has been confirmed yet, the severity means this should be treated as critical. Unpatched systems remain at risk, and prompt upgrading to the vendor’s fixed release is essential.

What organisations should do now

Cisco ASA/FTD

  1. Use Cisco’s Software Checker to confirm which versions are vulnerable and update to the fixed releases immediately.

  2. Audit VPN configurations with the command show running-config to identify affected services.

  3. Disable IKEv2 client services and SSL VPN features where patching cannot be applied straight away.

  4. Increase monitoring of VPN authentication and web service logs.

  5. Apply strict access controls and firewall rules to reduce exposure if disabling services is not possible.
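As an added example (not from the original post and not Cisco's tooling), the following Python script performs the audit in step 2 on saved `show running-config` output, flagging the three exposure conditions listed earlier. The configuration signatures it matches (`crypto ikev2 enable <if> client-services`, `enable <if>` and `mus server enable` under `webvpn`) are assumptions based on the checks Cisco usually lists in its ASA/FTD advisories; confirm them against the advisory for your release.

```python
import re

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-fw01
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
 mus password ***
 mus server enable port 8443
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ssl-client
"""

# Assumed config signatures for each exposure condition named in the advisory.
IKEV2_CLIENT_SERVICES = re.compile(r"^crypto ikev2 enable \S+ client-services(\s|$)")
WEBVPN_ENABLE = re.compile(r"^\s+enable \S+")
MUS_SERVER = re.compile(r"^\s+mus server enable")


def webvpn_block(config: str) -> list[str]:
    """Return the indented lines belonging to the top-level `webvpn` section."""
    inside, block = False, []
    for line in config.splitlines():
        if line.startswith("webvpn"):          # top-level only; " webvpn" in a
            inside = True                      # group-policy is indented and skipped
            continue
        if inside and not line.startswith(" "):  # next top-level command ends block
            inside = False
        if inside:
            block.append(line)
    return block


def exposed_features(config: str) -> dict[str, bool]:
    """Map each advisory-listed VPN feature to whether the config enables it."""
    top_level = [l for l in config.splitlines() if not l.startswith(" ")]
    block = webvpn_block(config)
    return {
        "AnyConnect IKEv2 Remote Access with client services":
            any(IKEV2_CLIENT_SERVICES.match(l) for l in top_level),
        "SSL VPN services": any(WEBVPN_ENABLE.match(l) for l in block),
        "Mobile User Security (MUS)": any(MUS_SERVER.match(l) for l in block),
    }


if __name__ == "__main__":
    for feature, enabled in exposed_features(SAMPLE_CONFIG).items():
        print(f"{'EXPOSED' if enabled else 'not set'}  {feature}")
```

Run it against an exported config rather than on the appliance itself; any feature reported as EXPOSED is one to patch first or disable under step 3.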

GoAnywhere MFT

  1. Upgrade to the vendor’s patched version without delay.

  2. Restrict external access to administrative interfaces.

  3. Test instances for exposure using available detection methods.

  4. Review logs for anomalies or signs of compromise.

General

  1. Prioritise patching and mitigation on externally exposed systems.

  2. Ensure incident response plans and backups are ready.

  3. Brief technical teams so suspicious activity is spotted quickly.

Why it matters

The Cisco flaws are already being exploited in live attacks, with evidence pointing to advanced threat groups targeting high-value environments. The GoAnywhere issue has not yet been weaponised publicly, but with a maximum CVSS score, it demands immediate action. Together, these vulnerabilities highlight how exposed remote access and file transfer systems remain prime targets for attackers.

CISA has also issued emergency mitigation guidance for the Cisco vulnerabilities, underlining the seriousness of the threat. Organisations should move quickly to patch, review monitoring, and restrict access where needed.