PRP: Cisco Secure Firewall ASA / FTD (VPN Web Server) CVE-2025-20333 RCE

[0xXA]

• Identifier of the vulnerability: CVE-2025-20333
• Affected software: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software (VPN Web Server components).
• Type of vulnerability: Remote Code Execution
• Requires authentication: Exploitation requires authentication
• Language you would use for writing the plugin: Templated plugins
• Resources:
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
  • https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team

[github-actions]

This message is addressed to the Tsunami panel.

Contributor stats

• The contributor has 0 issues tagged as main;
• The contributor has 0 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor

[tooryx]

Hi @0xXA,

Given that it requires authentication, we are not interested in that detector.

Thank you,
~tooryx

[0xXA]

Hi @0xXA,

Given that it requires authentication, we are not interested in that detector.

Thank you, ~tooryx

Hi @tooryx

CVE-2025-20333 when used together with CVE-2025-20362 doesn't need any authentication and we can trigger RCE.
You can read this blog: https://attackerkb.com/topics/Szq5u0xgUX/cve-2025-20362/rapid7-analysis

What do you think !?

Thanks,
Yuvraj

[tooryx]

Hi @0xXA,

Is there a way to setup an instance without a license? Instead of mocking the service, could you provide a README with instructions on how to setup a vulnerable instance?

~tooryx

[0xXA]

Hi @tooryx, Good day! I'm not sure if we can include a cisco product without a license but I think they have entitlement license or devnet which lets one setup trial labs, and these labs come with cisco products (like CISCO IOS) pre-deployed. As for the README, I'll include it in the security-testbeds repo. Like I said, it's straightforward to do it via mocking the service. Additionally, I will make sure to reduce false positives by including relevant stuffs from the Cisco labs into the mocked service.

[tooryx]

Automated message: Do not reply to that comment or tag the author. We just announced a temporary program freeze please see #752 for details. Thank you for your understanding and patience.