Jorge VicenteOct 31, 2025
Welcome to **The Researcher’s Desk **– a content series where the Detectify security research team will conduct a technical autopsy on vulnerabilities that are particularly interesting, complex, or persistent. The goal here is not to report the latest research (for which you can refer to the Detectify release log); it is to take a closer look at certain vulnerabilities, regardless of their disclosure date, that still offer critical lessons.
For our first case file, we examine the exploit chain targeting Cisco ASA and FTD firewalls, beginning with the unauthenticated access flaw, CVE-2025-20362.
The case file
- **Disclosure Date: **September 25, 2025
- **Bypass Flaw: **CVE-2025-20362 wit…
Jorge VicenteOct 31, 2025
Welcome to **The Researcher’s Desk **– a content series where the Detectify security research team will conduct a technical autopsy on vulnerabilities that are particularly interesting, complex, or persistent. The goal here is not to report the latest research (for which you can refer to the Detectify release log); it is to take a closer look at certain vulnerabilities, regardless of their disclosure date, that still offer critical lessons.
For our first case file, we examine the exploit chain targeting Cisco ASA and FTD firewalls, beginning with the unauthenticated access flaw, CVE-2025-20362.
The case file
- **Disclosure Date: **September 25, 2025
- **Bypass Flaw: **CVE-2025-20362 with CVSS 6.5
- **Execution Flaw: **CVE-2025-20333 with CVSS 9.9
- **Vulnerable Component: **VPN Web Server on Cisco ASA/FTD
- **Final Impact: **Unauthenticated Remote Code Execution (RCE)
- **Observations: **Flaws were actively exploited as zero-days before patches were available
**What’s the root cause of CVE-2025-20362? **
The access flaw, CVE-2025-20362 (Missing Authorization, CWE-862), is essentially a failure in user input validation, typically manifesting as a Path Traversal/Normalization issue.
When an attacker sends a carefully crafted HTTP request containing specific directory traversal sequences, the VPN web server’s logic fails to correctly identify the request as unauthenticated. Instead, the server’s authorization component is bypassed, treating the request as if a session already exists. This grants the remote attacker access to critical, restricted URL endpoints—endpoints that are not designed for public interaction.
**What’s the mechanism behind CVE-2025-20362? **
The primary lesson of this case is chainability. While CVE-2025-20362 alone carries a moderate score, its true severity is realized when it is used to nullify the only defense protecting the second vulnerability, CVE-2025-20333 (a Buffer Overflow).
- Latch Opened. The attacker uses a crafted request to exploit the input validation flaw CVE-2025-20362, bypassing the need for a login.
- Execution Delivered. The attacker then targets the now-exposed critical endpoint with the payload designed to trigger the Buffer Overflow CVE-2025-20333. (CVE-2025-20333 alone requires valid VPN credentials)
- Result: The chain achieves Unauthenticated Remote Code Execution with privileges on the firewall: a complete takeover of the network perimeter.
Our team chose this flaw because it is an excellent example of a modern, high-stakes attack. The entire chain has been leveraged by sophisticated, state-sponsored campaigns, demonstrating that attackers prioritize the easiest way in, often starting with a moderate-severity bypass to unlock a critical vulnerability. It proves that defenders must identify and fix every link in a potential chain, not just the high-score vulnerabilities.
Defensive takeaways
- Patching: Immediately upgrade to the latest, fixed Cisco releases.
- Segment and Isolate: If possible, restrict administrative and VPN web server access to only trusted IPs via upstream ACLs.
- The Detectify Approach: Detectify customers are running payload-based testing to check for the precise input normalization failure of CVE-2025-20362.
Questions? Get in touch with us via support@detectify or book a demo.