Security researchers at Rapid7 have published a detailed technical analysis uncovering how a pair of zero-day vulnerabilities in Cisco Secure Firewall ASA and FTD software were exploited in the wild to achieve unauthenticated remote code execution. The flaws — tracked as CVE-2025-20362 and CVE-2025-20333 — form a lethal exploit chain that bypasses authentication and triggers a buffer overflow in the device’s WebVPN feature.
On September 25, 2025, Cisco published advisories for two new vulnerabilities, CVE-2025-20362 and CVE-2025-20333, which are known to have been exploited in the wild as zero-days by an as-yet unknown threat actor in what appears to be a highly targeted attack.
CVE-2025-20362 is an authentication bypass via path traversal, while CVE-2025-20333 is a buffer overflow that allows memory corruption — together enabling unauthenticated remote code execution (RCE) on vulnerable appliances.
Rapid7 explains, “The vulnerabilities, CVE-2025-20362 and CVE-2025-20333, comprise an exploit chain that allows an attacker to achieve unauthenticated remote code execution (RCE) against a vulnerable device.” The company adds that both flaws affect systems with WebVPN (clientless VPN) enabled, a feature that lets users log in over HTTPS rather than through a dedicated VPN client.
The root cause of CVE-2025-20333 lies in the improper handling of boundary strings within a Lua script used by the WebVPN service. Specifically, the researchers describe how a missing size check in the vulnerable version of the code allows data to be written beyond the allocated 8,192-byte buffer, leading to memory corruption.
As the report notes, “We can see from the diff that the patched version adds a new variable boundary_length… and a new check to ensure the boundary_length is less than the bufsize, which we can see is 8192 bytes.” Without this check, an attacker could trigger an overflow by sending an HTTP request with a crafted Content-Type boundary exceeding that limit.
The authentication bypass (CVE-2025-20362) is equally cunning. Rapid7’s researchers discovered that Cisco’s WebVPN endpoints could be reached without authentication due to a path normalization flaw — a variant of a 2018 issue (CVE-2018-0296).
“We observed in our binary diff that the function UrlSniff_cb was modified in the patch,” Rapid7 writes. “As this is the function that applies path normalization… we wrote a simple fuzzer to test for variations of CVE-2018-0296 against our desired endpoint.”
The team’s fuzzer quickly revealed that certain traversal sequences, such as /+CSCOU+//../+CSCOE+/files/file_action.html, could bypass authentication entirely. The researchers confirm, “We can see that a path normalization issue is present, and that an authentication bypass, very similar to CVE-2018-0296, allows us to access our target authenticated endpoint with no authentication.”
This path traversal flaw enables attackers to directly access restricted WebVPN endpoints — including the one vulnerable to the buffer overflow — without valid credentials.
Rapid7 chained both vulnerabilities in a proof-of-concept (PoC) exploit that crashes the vulnerable Cisco process lina, effectively confirming the exploitability of the flaws.
When executed against a vulnerable Cisco ASAv version 9.16.4.71, the PoC reliably caused the device to crash and reboot, a hallmark of heap corruption due to uncontrolled memory writes. While Rapid7 did not weaponize the overflow for arbitrary code execution, the analysis demonstrates how trivial it would be for advanced threat actors to develop a full exploit.
Cisco has issued patches addressing these vulnerabilities in version 9.16.4.85 and later, and confirmed that exploitation has been observed in targeted attacks. Network administrators are urged to disable clientless VPN (WebVPN) if not strictly necessary, and to update immediately.
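For defenders reviewing WebVPN request logs, the two conditions described above (a traversal sequence that changes the leading path segment, and a multipart boundary at or above the 8,192-byte buffer size) can be checked as in the following added example, which is not code from Rapid7 or Cisco. The record field names, the rule labels and the use of standard POSIX path normalization are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

BUFSIZE = 8192  # buffer size cited in the article for the patched boundary check
BOUNDARY_RE = re.compile(r'boundary="?([^";]*)', re.IGNORECASE)

def boundary_length(content_type):
    """Length of the multipart boundary in a Content-Type value (0 if absent)."""
    m = BOUNDARY_RE.search(content_type or "")
    return len(m.group(1).strip()) if m else 0

def first_segment(path):
    """First non-empty path segment, e.g. '+CSCOE+' for '/+CSCOE+/logon.html'."""
    parts = [p for p in path.split("/") if p]
    return parts[0] if parts else ""

def check_request(raw_path, content_type=""):
    """Return the list of rule labels (hypothetical names) a request triggers."""
    findings = []
    decoded = unquote(raw_path.split("?", 1)[0])
    # Assumption: standard POSIX normalization approximates the path finally served.
    normalized = posixpath.normpath(decoded)
    if ".." in decoded.split("/") and first_segment(decoded) != first_segment(normalized):
        findings.append("path-traversal-between-prefixes")
    # The patched code requires boundary_length < bufsize; flag anything else.
    if boundary_length(content_type) >= BUFSIZE:
        findings.append("oversized-multipart-boundary")
    return findings

def scan(records):
    """Return (index, findings) for every record that triggers a rule."""
    hits = []
    for i, rec in enumerate(records):
        found = check_request(rec["path"], rec.get("content_type", ""))
        if found:
            hits.append((i, found))
    return hits

# Constructed sample records (not real traffic); field names are hypothetical.
SAMPLE = [
    {"path": "/+CSCOE+/logon.html"},
    {"path": "/+CSCOU+//../+CSCOE+/files/file_action.html"},
    {"path": "/+CSCOE+/files/file_action.html",
     "content_type": "multipart/form-data; boundary=" + "b" * 9000},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE):
        print(idx, found)
```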