Hackers Claim Access to 28,000 Red Hat Internal Projects and Source Code
October 2, 2025
Severity
High
Analysis Summary
A zero-day vulnerability in the VPN web server of Cisco Secure Firewall ASA and Secure Firewall Threat Defense (FTD) software, tracked as CVE-2025-20333, is being actively exploited in the wild and poses a severe risk to enterprises worldwide. Cisco rates it critical, and it is among the most serious firewall vulnerabilities disclosed this year. Scan data from The Shadowserver Foundation showed over 48,800 unpatched instances exposed to the internet as of September 29, 2025, with the United States the most affected country. The affected component is the VPN web server that organizations rely on for secure remote access, so a compromised device sits directly in the path of remote-workforce traffic.
The vulnerability is a CWE-120 buffer overflow caused by improper validation of user-supplied input in HTTP(S) requests. Exploitation requires valid VPN credentials, which threat actors obtain through phishing, credential stuffing, or weak authentication mechanisms. Once authenticated, an attacker sends crafted requests that overflow a memory buffer and achieve arbitrary code execution with root privileges. That grants complete control of the firewall: policy manipulation, traffic interception, and installation of long-term backdoors. Because a working credential is the only precondition, the strength of VPN authentication (MFA, lockout policy, anomaly monitoring) directly determines how exposed a given deployment is. Cisco's PSIRT has confirmed ongoing exploitation attempts, underscoring the urgency of a rapid response.
The attack surface is significant: vulnerable configurations include AnyConnect IKEv2 Remote Access (with client services), Mobile User Security (MUS), and SSL VPN deployments, all of which are widely used in enterprise environments supporting remote workforces. There are no workarounds, so applying Cisco's fixed software releases is the only effective mitigation. Given the role these services play, exploitation undermines both the perimeter and the secure remote connectivity infrastructure at the same time.
Alongside this flaw, a second vulnerability, CVE-2025-20362, has been disclosed. Classified as a CWE-862 missing authorization issue, it allows an unauthenticated remote attacker to reach restricted URL endpoints on the VPN web server without authenticating, which serves as a reconnaissance aid for more advanced intrusions. Cisco has issued security updates for both vulnerabilities and urges immediate patching, along with a review of VPN authentication and monitoring controls to strengthen resilience against the ongoing exploitation.
Impact
- Buffer Overflow
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-20333
CVE-2025-20362
Remediation
- Apply Cisco's fixed software releases for Secure Firewall ASA and FTD immediately. There are no workarounds for CVE-2025-20333, so upgrading is the only effective mitigation; use the fixed-release tables in Cisco's security advisories for CVE-2025-20333 and CVE-2025-20362 to find the first fixed version for each running release.
- Confirm which ASA/FTD instances are reachable from the internet (external scans or the Shadowserver exposure data) and prioritise those, since they are the population already being targeted.
- Treat an unpatched, internet-exposed device as potentially compromised until reviewed: exploitation grants root, so check for unauthorized configuration and policy changes, unexpected administrative accounts, and signs of persistence or traffic interception before and after upgrading.
- Enforce strong password policies and multi-factor authentication (MFA) for all remote-access VPN users. CVE-2025-20333 requires valid credentials, so monitor for bursts of failed VPN logins, credential-stuffing patterns, and successful logins that follow such bursts.
- Monitor VPN web server access for unauthenticated requests to restricted endpoints, which may indicate reconnaissance via CVE-2025-20362, and feed firewall syslog and authentication events into IDS/IPS or SIEM rules that alert on this activity.
- Establish alerting for unusual account activity and privilege escalation on the firewalls, and ensure incident response teams are aware of both vulnerabilities and prepared to act quickly if suspicious activity is detected.
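Because CVE-2025-20333 needs a working VPN credential, the monitoring bullets above come down to spotting credential stuffing against the VPN and, worse, a successful login right after it. The following script is an added example (not part of the original advisory or any Cisco tooling) that correlates ASA syslog lines per source IP with a sliding window. The log lines are constructed for the example; the message shapes follow the documented `%ASA-6-113005` (AAA reject) and `%ASA-6-113039` (AnyConnect session start) formats, but field spacing on a given release may differ, so adjust the regexes to your own exports. The five-minute window and five-distinct-user threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real captures). Message formats are
# approximations of ASA 113005 / 113039; verify against your own syslog.
SAMPLE_LOGS = """\
Sep 29 2025 10:00:01 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = alice : user IP = 203.0.113.10
Sep 29 2025 10:00:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = bob : user IP = 203.0.113.10
Sep 29 2025 10:00:04 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = carol : user IP = 203.0.113.10
Sep 29 2025 10:00:06 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = dave : user IP = 203.0.113.10
Sep 29 2025 10:00:08 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.0.0.5 : user = erin : user IP = 203.0.113.10
Sep 29 2025 10:00:20 fw1 %ASA-6-113039: Group <RA-VPN> User <erin> IP <203.0.113.10> AnyConnect parent session started.
Sep 29 2025 10:05:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 198.51.100.7
Sep 29 2025 10:05:30 fw1 %ASA-6-113039: Group <RA-VPN> User <frank> IP <198.51.100.7> AnyConnect parent session started.
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})")
MSG_RE = re.compile(r"%ASA-\d-(\d{6}):")
REJECT_RE = re.compile(r"user = (\S+) : user IP = (\S+)")
SESSION_RE = re.compile(r"User <([^>]+)> IP <([^>]+)>")


def parse_line(line):
    """Return (timestamp, kind, user, src_ip) for the two events we model, else None."""
    ts_m, id_m = TS_RE.match(line), MSG_RE.search(line)
    if not ts_m or not id_m:
        return None
    ts = datetime.strptime(ts_m.group(1), "%b %d %Y %H:%M:%S")
    msg_id = id_m.group(1)
    if msg_id == "113005":  # AAA authentication rejected
        m = REJECT_RE.search(line)
        return (ts, "reject", m.group(1), m.group(2)) if m else None
    if msg_id == "113039":  # AnyConnect session started (authentication succeeded)
        m = SESSION_RE.search(line)
        return (ts, "session", m.group(1), m.group(2)) if m else None
    return None


def analyze(lines, window=timedelta(minutes=5), threshold=5):
    """Per-source-IP sliding-window correlation.

    Emits ("credential_stuffing", ip, n) the first time >= threshold distinct
    usernames are rejected from one IP inside `window`, and
    ("success_after_burst", ip, user) when a VPN session then starts from that
    IP within `window` of the burst: a credential that now works, which is the
    precondition CVE-2025-20333 exploitation requires.
    """
    recent = defaultdict(deque)  # ip -> deque of (ts, user) rejects inside window
    burst_at = {}                # ip -> timestamp the burst condition last held
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, kind, user, ip = ev
        q = recent[ip]
        while q and ts - q[0][0] > window:  # expire rejects outside the window
            q.popleft()
        if kind == "reject":
            q.append((ts, user))
            distinct = {u for _, u in q}
            if len(distinct) >= threshold:
                if ip not in burst_at:
                    alerts.append(("credential_stuffing", ip, len(distinct)))
                burst_at[ip] = ts
        elif kind == "session" and ip in burst_at and ts - burst_at[ip] <= window:
            alerts.append(("success_after_burst", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Run against a live syslog feed, the second alert type is the one to page on: it says a spray against the VPN portal just produced a working account, and on an unpatched ASA/FTD that account is all an attacker needs to reach the overflow. The single rejection from 198.51.100.7 followed by a login is deliberately not flagged, since one typo before a successful login is normal user behaviour.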