News

Cisco Firewall, Unified CCX, and ISE Vulnerability Summary (Nov 2025)

  • securityboulevard.com
  • published date: 2025-11-17 00:00:00 UTC

<h2>CVE-2025-20333 and CVE-2025-20362 Details</h2>
<p>Cisco disclosed a new, actively used attack variant that exploits the previously known vulnerabilities in Cisco Secure Firewall ASA and FTD software (CVE-2025-20333 and CVE-2025-20362). The variant causes unpatched devices to reboot/reload unexpectedly, creating a denial-of-service (DoS) condition.</p>
<p>The critical remote code execution (RCE) vulnerability, CVE-2025-20333, exists in the VPN web server component of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software. The flaw stems from improper validation of user-supplied input in HTTP(S) requests handled by the VPN web service. An authenticated remote attacker (with valid VPN credentials) can send crafted HTTP requests to execute arbitrary code as root, leading to full device compromise and takeover. Cisco confirmed active exploitation attempts that use this new attack variant to trigger unexpected device reloads (DoS) on unpatched ASA/FTD systems, linked to previously observed exploitation of CVE-2025-20362.</p>
<p>The medium-severity unauthorized access vulnerability, CVE-2025-20362, is also found in the VPN web server component and is likewise caused by improper validation of user-supplied HTTP(S) input. It allows unauthenticated remote attackers to access restricted VPN-related URLs that should require authentication. Successful exploitation could enable limited access to protected resources or services, but not full system compromise.</p>
<p>Both vulnerabilities impact Cisco Secure Firewall ASA and FTD software with remote access VPN features enabled, including SSL and IKEv2 configurations. However, the Cisco Secure Firewall Management Center (FMC) is not affected.</p>
<p>Cisco urges immediate upgrade to patched versions, as no configuration-based mitigation exists.</p>
<p>Use the Cisco Software Checker to identify the “First Fixed” or “Combined First Fixed” releases.</p>
<ul>
<li>ASA 9.12 → Fixed in 9.12.4.72 (final)</li>
<li>ASA 9.14 → Fixed in 9.14.4.28 (final)</li>
</ul>
<p>Note: Models 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, and 5585-X are end-of-support; migration to supported hardware is advised.</p>
<p>It is also recommended to enable Threat Detection for VPN Services (see the ASA CLI Guide) to identify and block malformed login attempts, with additional monitoring for:</p>
<ol>
<li>Unauthenticated or malformed HTTP(S) requests to /+CSCOE+/ or VPN endpoints</li>
<li>Unexpected device reloads, WebVPN restarts, or HTTP parsing errors</li>
<li>Unusual VPN login patterns or log anomalies involving webvpn traffic</li>
</ol>
<p>Resources:<br>
<a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB</a><br>
<a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW</a><br>
<a href="https://nvd.nist.gov/vuln/detail/cve-2025-20333">https://nvd.nist.gov/vuln/detail/cve-2025-20333</a><br>
<a href="https://nvd.nist.gov/vuln/detail/cve-2025-20362">https://nvd.nist.gov/vuln/detail/cve-2025-20362</a></p>
<p>Possible Detection Resources:<br>
<a href="https://unit42.paloaltonetworks.com/zero-day-vulnerabilities-affect-cisco-software/">https://unit42.paloaltonetworks.com/zero-day-vulnerabilities-affect-cisco-software/</a><br>
<a href="https://www.rapid7.com/blog/post/etr-cve-2025-20333-cve-2025-20362-cve-2025-20363-multiple-critical-vulnerabilities-affecting-cisco-products/">https://www.rapid7.com/blog/post/etr-cve-2025-20333-cve-2025-20362-cve-2025-20363-multiple-critical-vulnerabilities-affecting-cisco-products/</a><br>
<a href="https://attackerkb.com/topics/Szq5u0xgUX/cve-2025-20362/rapid7-analysis">https://attackerkb.com/topics/Szq5u0xgUX/cve-2025-20362/rapid7-analysis</a><br>
<a href="https://www.zscaler.com/blogs/security-research/cisco-firewall-and-vpn-zero-day-attacks-cve-2025-20333-and-cve-2025-20362">https://www.zscaler.com/blogs/security-research/cisco-firewall-and-vpn-zero-day-attacks-cve-2025-20333-and-cve-2025-20362</a><br>
<a href="https://research.splunk.com/network/7e9a5a2c-2f1a-4b6a-9a4b-9e7d9c8f5a21/">https://research.splunk.com/network/7e9a5a2c-2f1a-4b6a-9a4b-9e7d9c8f5a21/</a><br>
<a href="https://research.splunk.com/network/3b8d2b4f-4e1e-4a9e-9b43-8a7a3a9c7e21/">https://research.splunk.com/network/3b8d2b4f-4e1e-4a9e-9b43-8a7a3a9c7e21/</a><br>
<a href="https://research.splunk.com/network/ded9f9d7-edb8-48cf-8b72-1b459eee6785/">https://research.splunk.com/network/ded9f9d7-edb8-48cf-8b72-1b459eee6785/</a><br>
<a href="https://research.splunk.com/application/4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4/">https://research.splunk.com/application/4b4f8fdd-1f9e-45d8-9b0f-1f64c0b297a4/</a><br>
<a href="http://research.splunk.com/network/b71e57e8-c571-4ff1-ae13-bc4384a9e891/">research.splunk.com/network/b71e57e8-c571-4ff1-ae13-bc4384a9e891/</a><br>
<a href="https://research.splunk.com/application/7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201/">https://research.splunk.com/application/7b4c9f3e-5a88-4b7b-9c4b-94d8e5d67201/</a><br>
<a href="https://medium.com/@abdul.myid/sigma-rule-unauthenticated-access-attempts-to-cisco-asa-ftd-webvpn-noise-reduced-f570f89f9403">https://medium.com/@abdul.myid/sigma-rule-unauthenticated-access-attempts-to-cisco-asa-ftd-webvpn-noise-reduced-f570f89f9403</a></p>
<p>The post <a href="https://hurricanelabs.com/security-advisory/cisco-firewall-unified-ccx-and-ise-vulnerability-summary-nov-2025/">Cisco Firewall, Unified CCX, and ISE Vulnerability Summary (Nov 2025)</a> appeared first on <a href="https://hurricanelabs.com/">Hurricane Labs</a>.</p>
<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://hurricanelabs.com/">Hurricane Labs</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Jude Lindale">Jude Lindale</a>. Read the original post at: <a href="https://hurricanelabs.com/security-advisory/cisco-firewall-unified-ccx-and-ise-vulnerability-summary-nov-2025/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=cisco-firewall-unified-ccx-and-ise-vulnerability-summary-nov-2025">https://hurricanelabs.com/security-advisory/cisco-firewall-unified-ccx-and-ise-vulnerability-summary-nov-2025/?utm_source=rss&amp;utm_medium=rss&amp;utm_campaign=cisco-firewall-unified-ccx-and-ise-vulnerability-summary-nov-2025</a></p>
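<p>The post lists fixed releases for ASA 9.12 and 9.14. As an added example (not code from the original post, Hurricane Labs, or Cisco), the script below checks collected <code>show version</code> banner lines against those two releases. The hostnames, sample banners, and status labels are constructed for illustration; any train not listed in the post is reported as <code>unknown-train</code> and should be looked up in the Cisco Software Checker.</p>

```python
import re

# First fixed releases for the two ASA trains listed on this page.
# Other trains are not listed here: look them up in the Cisco Software Checker.
FIRST_FIXED = {(9, 12): (9, 12, 4, 72), (9, 14): (9, 14, 4, 28)}

# Accepts the page's dotted form "9.12.4.72" and the "9.12(4)72" form
# that `show version` prints on an ASA.
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\)(\d+)?|\.(\d+)(?:\.(\d+))?)?$")
_SHOW_VERSION = re.compile(r"Software Version (\S+)")

def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) as a tuple of ints."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, p_maint, p_interim, d_maint, d_interim = m.groups()
    return (int(major), int(minor),
            int(p_maint or d_maint or 0), int(p_interim or d_interim or 0))

def patch_status(text):
    """Classify one version string against the releases listed on the page."""
    version = parse_asa_version(text)
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return "unknown-train"  # train not covered by this page's list
    return "fixed" if version >= fixed else "needs-upgrade"

def audit(inventory):
    """Map hostname -> status from collected `show version` banner lines."""
    report = {}
    for host, banner in inventory.items():
        m = _SHOW_VERSION.search(banner)
        try:
            report[host] = patch_status(m.group(1)) if m else "unparsed"
        except ValueError:
            report[host] = "unparsed"
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "edge-fw-01": "Cisco Adaptive Security Appliance Software Version 9.12(4)67",
    "edge-fw-02": "Cisco Adaptive Security Appliance Software Version 9.14(4)28",
    "dc-fw-01": "Cisco Adaptive Security Appliance Software Version 9.16(4)57",
    "lab-fw-01": "version string missing from collection",
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```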