CVE-2025-20362 [Exploited] | Cisco Adaptive Security Appliance… Denial of Service

Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and CVE-2025-20362. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions. Cisco strongly recommends that all customers upgrade to the fixed software releases that are listed in the Fixed Software ["#fs"] section of this advisory. A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-07	46.78%	43.50%	-3.28%
2	2026-05-22	49.60%	46.78%	-2.82%
3	2026-05-21	—	49.60%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-07

46.78%

43.50%

-3.28%

2026-05-22

49.60%

46.78%

-2.82%

2026-05-21

—

49.60%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.5	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	3.9	2.5	[email protected]
8.6	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	4.7	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.5

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

3.9

2.5

[email protected]

8.6

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

4.7

[email protected]

Affected software / configurations for CVE-2025-20362

Vendor	Product	Version	Raw CPE
cisco	adaptive_security_appliance_software	>= 9.12, < 9.12.4.72	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
cisco	adaptive_security_appliance_software	>= 9.14, < 9.14.4.28	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
cisco	adaptive_security_appliance_software	>= 9.16, < 9.16.4.85	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
cisco	adaptive_security_appliance_software	>= 9.17.0, < 9.18.4.67	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
cisco	adaptive_security_appliance_software	>= 9.19, < 9.20.4.10	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
cisco	adaptive_security_appliance_software	>= 9.22, < 9.22.2.14	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
cisco	adaptive_security_appliance_software	>= 9.23, < 9.23.1.19	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
cisco	firepower_threat_defense	>= 7.0.0, < 7.0.8.1	cpe:2.3:a:cisco:firepower_threat_defense::::::::
cisco	firepower_threat_defense	>= 7.1.0, < 7.2.10.2	cpe:2.3:a:cisco:firepower_threat_defense::::::::
cisco	firepower_threat_defense	>= 7.3.0, < 7.4.2.4	cpe:2.3:a:cisco:firepower_threat_defense::::::::
cisco	firepower_threat_defense	>= 7.6.0, < 7.6.2.1	cpe:2.3:a:cisco:firepower_threat_defense::::::::
cisco	firepower_threat_defense	>= 7.7.0, < 7.7.10.1	cpe:2.3:a:cisco:firepower_threat_defense::::::::

References for CVE-2025-20362

URL	Tags
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW	Vendor Advisory
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks	Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20362	US Government Resource

URL

CVE-2025-20362

CISA KEV Record for CVE-2025-20362

Exploit prediction scoring system (EPSS) score for CVE-2025-20362

Common vulnerability scoring system (CVSS) metrics for CVE-2025-20362

Weakness enumeration for CVE-2025-20362

Affected software / configurations for CVE-2025-20362

References for CVE-2025-20362