6.5 CVE-2025-20362

CISA KEV Catalog

Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. Cisco strongly recommends that all customers upgrade to the fixed software releases that are listed in the Fixed Software section of this advisory.

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.
https://nvd.nist.gov/vuln/detail/CVE-2025-20362

Categories

CWE-862: Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

"AuthZ" is typically used as an abbreviation of "authorization" within the web application security community. It is distinct from "AuthN" (or, sometimes, "AuthC") which is an abbreviation of "authentication." The use of "Auth" as an abbreviation is discouraged, since it could be used for either authentication or authorization.

Automated dynamic analysis may find many or all possible interfaces that do not require authorization, but manual analysis is required to determine if the lack of authorization violates business logic.

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7]. Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

Observed examples:
- Chatbot WordPress plugin does not perform authorization on a REST endpoint, allowing retrieval of an API key.
- AI-enabled WordPress plugin has a missing capability check for a particular function, allowing changing public status of posts.
- Go-based continuous deployment product does not check that a user has certain privileges to update or create an app, allowing adversaries to read sensitive repository information.
- Web application does not restrict access to admin scripts, allowing authenticated users to reset administrative passwords.
- Web application stores database file under the web root with insufficient access control (CWE-219), allowing direct request.
- Terminal server does not check authorization for guest access.
- System monitoring software allows users to bypass authorization by creating custom forms.
- Content management system does not check access permissions for private files, allowing others to view those files.
- Product does not check the ACL of a page accessed using an "include" directive, allowing attackers to read unauthorized files.
- Web application does not restrict access to admin scripts, allowing authenticated users to modify passwords of other users.
- Database server does not use appropriate privileges for certain sensitive operations.
- Gateway uses default "Allow" configuration for its authorization settings.
- Chain: product does not properly interpret a configuration option for a system group, allowing users to gain privileges.
- Chain: SNMP product does not properly parse a configuration option for which hosts are allowed to connect, allowing unauthorized IP addresses to connect.
- Chain: reliance on client-side security (CWE-602) allows attackers to bypass authorization using a custom client.
- Chain: product does not properly handle wildcards in an authorization policy list, allowing unintended access.
- Chain: bypass of access restrictions due to improper authorization (CWE-862) of a user results from an improperly initialized (CWE-909) I/O permission bitmap.
- ACL-based protection mechanism treats negative access rights as if they are positive, allowing bypass of intended restrictions.
- Default ACL list for a DNS server does not set certain ACLs, allowing unauthorized DNS queries.
- Product relies on the X-Forwarded-For HTTP header for authorization, allowing unintended access by spoofing the header.
- OS kernel does not check for a certain privilege before setting ACLs for files.
- Chain: file-system code performs an incorrect comparison (CWE-697), preventing default ACLs from being properly applied.
- Chain: product does not properly check the result of a reverse DNS lookup because of operator precedence (CWE-783), allowing bypass of DNS-based access restrictions.
- Chain: unchecked return value (CWE-252) of some functions for policy enforcement leads to authorization bypass (CWE-862).

References


CPE

CPE    Start (>=)    End (<)
Configuration 1
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* >= 9.12 < 9.12.4.72
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* >= 9.14 < 9.14.4.28
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* >= 9.16 < 9.16.4.85
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* >= 9.17.0 < 9.18.4.67
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* >= 9.19 < 9.20.4.10
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* >= 9.22 < 9.22.2.14
cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:* >= 9.23 < 9.23.1.19
Configuration 2
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* >= 7.0.0 < 7.0.8.1
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* >= 7.1.0 < 7.2.10.2
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* >= 7.3.0 < 7.4.2.4
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* >= 7.6.0 < 7.6.2.1
cpe:2.3:a:cisco:firepower_threat_defense:*:*:*:*:*:*:*:* >= 7.7.0 < 7.7.10.1


REMEDIATION

EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
665 Exploitation of Thunderbolt Protection Flaws Very High


MITRE


Techniques

id description
T1211 Exploitation for Defensive Evasion
T1542.002 Pre-OS Boot: Component Firmware
T1556 Modify Authentication Process
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
M1051 Update software regularly by employing patch management for internal enterprise endpoints and servers.
M1051 Perform regular firmware updates to mitigate risks of exploitation and/or abuse.
M1018 Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.