CrowdSec
CrowdSec Score: 8/10

Cisco Adaptive Security Appliance (ASA) Software - Authentication Bypass (CVE-2025-20362)

142 exploiting IPs reported

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that are related to remote access VPN that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.

CrowdSec analysis

CVE-2025-20362 is a vulnerability in the VPN web server of Cisco ASA and Firepower Threat Defense Software that allows unauthenticated, remote attackers to access restricted VPN-related URL endpoints. By exploiting improper validation of user input in HTTP(S) requests, attackers can bypass authentication controls and gain unauthorized access to sensitive resources, potentially exposing confidential information or enabling further attacks.

CrowdSec has been tracking this vulnerability and its exploits since the 15th of October 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2025-20362 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. CrowdSec data also reveals a clear uptick in attacks involving CVE-2025-20362 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit this vulnerability by sending crafted requests to URLs containing /+CSCOU+//../+CSCOE+/files/file_action.html, targeting restricted VPN web server endpoints on Cisco ASA and FTD devices to bypass authentication.
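
To check your own web or reverse-proxy logs for the request path described above, the following is an added example (not CrowdSec's detection rule or Cisco's code). It assumes combined-format access log lines; the sample lines and IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Path reported on this page: +CSCOU+ prefix, a "../" step, then the
# +CSCOE+ file_action.html endpoint. Repeated slashes are tolerated.
INDICATOR = re.compile(
    r"/\+CSCOU\+/+\.\./+\+CSCOE\+/files/file_action\.html", re.IGNORECASE)

# Assumption: combined-format access log lines (client IP first, quoted request).
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def is_indicator(target, max_rounds=3):
    """True if the request target contains the reported path.

    Percent-decoding is applied a bounded number of times so an encoded
    copy of the same path compares equal to the literal one.
    """
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return INDICATOR.search(target) is not None


def scan(lines):
    """Return (client_ip, request_target) for every matching log line."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and is_indicator(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Oct/2025:10:00:01 +0000] "GET /+CSCOU+//../+CSCOE+/files/file_action.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Oct/2025:10:00:05 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 4096',
    '192.0.2.10 - - [15/Oct/2025:10:00:09 +0000] "GET /+CSCOU+//../+CSCOE+/files/file_action.html HTTP/1.1" 200 128',
    '203.0.113.5 - - [15/Oct/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, count in Counter(ip for ip, _ in scan(SAMPLE_LOG)).most_common():
        print(f"{ip}: {count} request(s) matching the CVE-2025-20362 path")
```

A match records an attempt against the endpoint, not a successful bypass; correlate hits with the device's patch level and its own VPN web server logs.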

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.