A newly disclosed 0-day vulnerability impacts Cisco ASA and FTD firewalls, enabling unauthenticated remote code execution via malformed HTTP(S) requests. The flaw results from improper validation in Lua scripting functions. Administrators are urged to patch immediately, as exploitation is reportedly active.
Cisco confirms that the bug arises in HTTPCONTENTTOBUFFER when processing oversized boundary values. Attackers send crafted requests to the endpoint CSCOEfilesfileaction.html, overflowing an 8192-byte buffer and triggering memory corruption.
Patches for affected systems, including ASAv version 9.16.4.85, address the flaw across multiple ASA and FTD branches. Cisco warns that when combined with an authentication bypass, the vulnerability allows full takeover of vulnerable firewalls.
Technical Details & Attack Vector
The underlying issue is a buffer overflow caused by a boundary-size miscalculation on user-supplied requests, categorized as CWE-120 (Buffer Copy without Checking Size of Input).
Exploitation requires HTTP(S) requests that exceed the built-in limits. An ASA/FTD device with the clientless VPN portal (WebVPN) enabled exposes the vulnerable request path.
Combining this with an authentication bypass (such as CVE-2025-20362) lets an attacker reach the vulnerable code path without needing credentials. That chain executes arbitrary code in the firewall’s runtime context, giving full control.
Scope, Exposure & Real-World Activity
Shadowserver scans identify nearly 50,000 ASA/FTD devices still exposed. Many of these remain unpatched weeks after public disclosure.
The UAT4356/ArcaneDoor threat actor is believed to be behind the campaign. Cisco and allied agencies have tied the exploit activity to this group, which has used similar techniques in past firewall operations.
Given the high severity (CVE-2025-20333 carries a 9.9 rating), US CISA has issued Emergency Directive 25-03, mandating immediate identification and patching of affected systems.
Mitigation & Defensive Measures
- Apply patches immediately, including ASAv 9.16.4.85 and the corresponding FTD releases.
- Disable WebVPN interfaces if not strictly needed.
- Restrict access to the CSCOEfilesfileaction.html endpoint through ACLs and reverse proxies.
- Enhance logging and alerting for oversized HTTP boundary strings and request anomalies.
- Rotate keys, certificates, and credentials on affected firewalls.
- Segment firewall management traffic to IP allowlists and MFA-protected zones.
Cisco also advises customers to avoid direct exposure of WebVPN or HTTPS interfaces to the internet without layers of protection.
FAQs
Q: Which systems are vulnerable?
A: ASA and FTD devices with WebVPN enabled and older software versions are affected.
Q: Can an attacker exploit this without credentials?
A: Yes. Chaining this buffer overflow with an authentication bypass vulnerability makes full takeover possible without credentials.
Q: Has this been exploited in the wild?
A: Yes. Cisco confirms attack activity and has officially issued a patch.
Q: What data is at risk?
A: Full control over the firewall, which can lead to exfiltration of network traffic, configuration, and lateral compromise.
Q: Which deployments should prioritize patching?
A: Internet-facing firewalls, especially those exposing WebVPN or management portals.