A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FT...
Description
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote a...
Remediation
FEDERAL DEADLINE: September 25, 2025 (1 days). The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. FEDERAL DEADLINE: September 25, 2025 (1 days). The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. Update A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
CISA KEV Details
Deadline: September 25, 2025
Required Action: The KEV due date refers to the deadline by which FCEB agencies are expected to review and begin implementing the guidance outlined in Emergency Directive (ED) 25-03 (URL listed below in Notes). Agencies must follow the mitigation steps provided by CISA (URL listed below in Notes) and vendor’s instructions (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
Executive Summary:
A high-severity vulnerability has been identified in the web-based user interface of multiple Cisco products. An authenticated attacker with low-level privileges can remotely exploit this flaw to cause a denial of service, potentially crashing the device and leading to a network outage. Organizations should prioritize applying security updates to prevent disruption to critical network infrastructure.
Vulnerability Details
CVE-ID: CVE-2025-20327
Affected Software: Cisco Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability exists within the web UI component of Cisco IOS Software. A remote attacker who has successfully authenticated to the device, even with low-level user privileges, can exploit this flaw by sending a specially crafted request to the web UI. This action triggers an unhandled condition, causing the device to crash or become unresponsive, resulting in a denial of service (DoS).
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.7. Successful exploitation would result in a denial of service condition, making the affected network device unavailable. This can lead to significant business disruption, including network outages, loss of connectivity for critical services and users, and potential revenue loss. The primary risk is the interruption of business operations that rely on the availability of the network infrastructure managed by the affected Cisco devices.
Remediation Plan
Immediate Action: Apply the security updates provided by Cisco to all affected devices immediately. Before patching, review access logs for the web UI to identify any unusual or suspicious activity that could indicate previous exploitation attempts.
Proactive Monitoring: Monitor device logs for abnormal reloads or crashes. System administrators should also monitor web UI access logs for anomalous patterns, such as repeated requests from a single source or access from unauthorized IP addresses. Configure network monitoring tools to alert on high CPU or memory utilization on affected devices, which could be an indicator of an ongoing attack.
Compensating Controls: If patching cannot be performed immediately, implement compensating controls to reduce the attack surface. Restrict access to the device's web UI using access control lists (ACLs) to only allow connections from trusted administrative networks or workstations. If the web UI is not essential for operations, consider disabling the HTTP/HTTPS server feature on the device and rely on CLI access via SSH for management.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the published date, September 24, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the High severity rating (CVSS 7.7) and the potential for significant operational disruption, we strongly recommend that all affected Cisco devices be patched on an expedited basis. While the vulnerability requires authentication and is not yet on the CISA KEV list, the low privilege requirement makes it a tangible threat from insiders or attackers who have compromised a low-level account. Organizations should prioritize this remediation and implement the suggested compensating controls if patching is delayed.