● Critical · CVSS 9.9 ⚠ ACTIVELY EXPLOITED — CISA KEV

How to Fix CVE-2025-20333: Cisco Secure Firewall ASA VPN Web Server Vulnerability

*By Sai Kiran Pandrala*

⚡ At a glance


Severity	CVSS 9.9 — Critical
Actively exploited?	Yes, listed in CISA KEV
Affected	Cisco Secure Firewall Adaptive Security Appliance (ASA) with VPN web server enabled
Fixed in	See the Cisco PSIRT advisory for the exact ASA build per train
Type (CWE)	See vendor advisory; vulnerability is in the VPN web server input handling

⚠️ Patch immediately. ASA firewalls sit at the perimeter and terminate VPN sessions. A vulnerability in the VPN web server is internet-reachable by definition.

What is CVE-2025-20333?

A vulnerability in the VPN web server component of Cisco Secure Firewall ASA (previously Cisco ASA / Firepower ASA) allows an attacker to compromise the appliance through the VPN management surface. The exact technical mechanism is detailed in the Cisco PSIRT advisory; the impact is firewall-level compromise.

Am I affected?

You are affected if you run Cisco Secure Firewall ASA with the VPN web server enabled, on a build below the patched train. Check your version:


show version | include Software

Compare against the Cisco PSIRT advisory's fixed-build table.

How to fix CVE-2025-20333

Open the Cisco PSIRT advisory (referenced below) and identify the patched ASA build for your train.
Download the patched image from Cisco's Software Download Center.
Schedule a maintenance window — ASA upgrades require a reload.
Upload the image to the ASA, set the boot variable, reload:


# Vendor advisory: https://sec.cloudapps.cisco.com/security/center/publicationListing.x
   conf t
   boot system disk0:/<image-name>
   write memory
   reload

For failover pairs, upgrade the standby first, fail over, then upgrade the formerly-active.

Upgrade the affected Cisco platform


! Verify the running release on the device
show version
show inventory

! Stage the patched image from the Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
copy tftp://<fileserver>/<patched-image>.bin flash:

! Set the boot image and reload in a maintenance window
configure terminal
boot system flash:<patched-image>.bin
end
write memory
reload

! After reload, confirm the new image is running
show version | include image

Verify the fix landed


# 1. Confirm the running version matches the fixed-in version from the advisory:
#    https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
#    Use the platform-specific version probe above.

# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
#    The scanner should no longer flag CVE-2025-20333 on the patched target.

# 3. Inspect recent service / kernel logs for crash loops or rollback events.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"

If you can't patch immediately

Restrict the VPN web server's reachable network: this is internet-facing by purpose so true network-isolation is rarely possible. Consider geo-blocking, IP allowlisting via upstream firewall, and increased log monitoring on VPN access patterns until you can patch.

How to verify the fix worked


show version | include Software

Output should show the patched build. Run external vulnerability scans against the firewall's VPN endpoint to confirm CVE-2025-20333 detection clears.

Frequently asked questions

Is CVE-2025-20333 actively exploited?

Yes. CVE-2025-20333 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.

What is the CVSS severity of CVE-2025-20333?

Critical. See the advisory for the full CVSS vector.

Where can I read the official advisory?

See https://sec.cloudapps.cisco.com/security/center/publicationListing.x

Does the patch require a reboot?

It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.

References

Official Cisco PSIRT advisory: https://sec.cloudapps.cisco.com/security/center/publicationListing.x
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20333
CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

*This guide was assembled from the official Cisco PSIRT advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Cisco's advisory before applying changes in production.*

Other vulnerabilities in the same area that are worth patching alongside this one:

How to Fix CVE-2025-20282: Improper Privilege Management in Cisco Identity Services Engine Software , Improper Privilege Management in Cisco Identity Services Engine Software
How to Fix CVE-2025-20362: Critical Vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software , Critical Vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
How to Fix CVE-2025-20309: Use of Hard-coded Credentials in Cisco Unified Communications Manager , Use of Hard-coded Credentials in Cisco Unified Communications Manager
How to Fix CVE-2025-20354: Unrestricted Upload of File with Dangerous Type in Cisco Unified Contact Center Express , Unrestricted Upload of File with Dangerous Type in Cisco Unified Contact Center Express
How to Fix CVE-2025-20124: Insecure Deserialization in Cisco ISE Passive Identity Connector , Insecure Deserialization in Cisco ISE Passive Identity Connector