CVE-2025-20362 - Vulnerability Details

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication that should otherwise be inaccessible without authentication.

This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since today.

No EPSS score available.

Exploitation active

Automatable yes

Technical Impact partial

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

History

Thu, 25 Sep 2025 18:15:00 +0000

Type	Values Removed	Values Added
References		https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

Thu, 25 Sep 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 25 Sep 2025 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2025-09-25T00:00:00+00:00', 'dueDate': '2025-09-26T00:00:00+00:00'}`

Thu, 25 Sep 2025 16:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.
Weaknesses		CWE-862
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2025-09-25T16:12:35.916Z

Updated: 2025-09-25T17:16:50.945Z

Reserved: 2024-10-10T19:15:13.258Z

Link: CVE-2025-20362

Vulnrichment

Updated: 2025-09-25T17:04:06.661Z

NVD

Status : Received

Published: 2025-09-25T16:15:32.280

Modified: 2025-09-25T18:15:38.167

Link: CVE-2025-20362

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation active

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object