Cisco Adaptive Security Appliance (ASA) Software - Authentication Bypass (CVE-2025-20362)

CVE-2025-20362 is a vulnerability in the VPN web server of Cisco ASA and Firepower Threat Defense Software that allows unauthenticated, remote attackers to access restricted VPN-related URL endpoints. By exploiting improper validation of user input in HTTP(S) requests, attackers can bypass authentication controls and gain unauthorized access to sensitive resources, potentially exposing confidential information or enabling further attacks.

CrowdSec has been tracking this vulnerability and its exploits since 15th of October 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2025-20362 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. In addition, according to the CrowdSec network, attack volume against CVE-2025-20362 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit this vulnerability by sending crafted requests to URLs containing /+CSCOU+//../+CSCOE+/files/file_action.html, targeting restricted VPN web server endpoints on Cisco ASA and FTD devices to bypass authentication.