
Cisco ASA VPN Auth Bypass Keeps Hitting Internet-Facing Firewalls

When the firewall starts acting like a side door.

The CrowdSec Network is tracking continued exploitation of CVE-2025-20362, an authentication bypass in the VPN web server used by Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). This is not the noisiest campaign on the internet, but it is the kind that matters: it targets remote-access infrastructure, and Cisco has tied it to broader real-world attacks against exposed firewall platforms.

Key findings

  • The exposure window has been long enough for attackers to operationalize it: Cisco published CVE-2025-20362 on 25 September 2025, CrowdSec released detection coverage on 15 October 2025, and the CrowdSec network first observed exploitation on 27 October 2025.
  • The activity is persistent, not theoretical: CrowdSec has tracked 292 attacking IPs overall, and the latest trend shows 2,330 signals across 89 days, with a peak of 142 signals in one day and up to 26 distinct sources in a single day.
  • Business impact goes beyond a single URL bypass: on its own, CVE-2025-20362 grants unauthenticated access to restricted VPN-related endpoints. In real campaigns, Cisco and Rapid7 have both described it as part of a chain that can help attackers move from internet access to deeper device compromise.

What is Cisco ASA / Cisco FTD?

Cisco ASA and Cisco FTD are widely used firewall and remote-access VPN platforms that sit directly on the edge of the network. They are maintained by network administrators, infrastructure teams, and security operations teams to control traffic, broker remote access, and enforce perimeter security policy.

Why it matters: When a vulnerability affects a firewall or VPN gateway, the risk is not limited to a single application. It affects the system that decides who gets in. If an attacker can access restricted VPN functions without logging in, that firewall stops being a guard and becomes a shortcut into the environment. For organizations with internet-facing remote access, that can translate into downtime, incident response costs, credential exposure, and a much easier path toward ransomware or infrastructure takeover.

How does CVE-2025-20362 work?

According to Cisco, the flaw is caused by improper validation of user-supplied input in HTTP(S) requests handled by the VPN web server. In plain terms, the device does not correctly enforce authentication for some VPN-related URL endpoints, allowing an unauthenticated remote attacker to access pages that should have been behind the login wall.

Public detection content and Rapid7’s root-cause analysis indicate that attackers can use crafted requests against the WebVPN path to reach a restricted file-handling endpoint without valid credentials. That makes CVE-2025-20362 dangerous even though its standalone CVSS score is 6.5: the flaw sits on internet-facing security infrastructure, requires no login, and has already been observed in the wild.

Exposure depends on configuration: Cisco says a device is vulnerable only if it runs an affected ASA or FTD release with VPN web services enabled, which includes SSL VPN, Mobile User Security, or the AnyConnect IKEv2 client.
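As an added defender-side illustration (not code from the original post, CrowdSec or Cisco), the script below scans constructed WebVPN access-log lines for the pattern described above: an unauthenticated request that reaches a login-gated endpoint and is served rather than redirected to logon. It then rolls the hits up into the per-day signal and distinct-source counts the key findings use. The log format, the `/+CSCOE+/` and `/+webvpn+/` prefixes, the `webvpn` cookie name and the restricted paths are assumptions made for this example.

```python
# Triage constructed WebVPN access-log lines for the CVE-2025-20362 pattern (no
# session, yet a login-gated VPN endpoint answered 200) and roll the hits up into
# the figures CrowdSec reports: signals, peak day, distinct sources per day.
import re
from collections import Counter, defaultdict
# Assumptions: ASA serves WebVPN content under these prefixes; PUBLIC_PATHS are
# pre-login pages expected to answer 200; SESSION_COOKIE is the session cookie.
RESTRICTED_PREFIXES = ("/+CSCOE+/", "/+webvpn+/")
PUBLIC_PATHS = {"/+CSCOE+/logon.html"}
SESSION_COOKIE = "webvpn="
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<ip>[\d.]+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) cookie=(?P<cookie>\S+)$')

def parse_line(line):  # dict for a well-formed line, None otherwise
    m = LINE_RE.match(line)
    return dict(m.groupdict(), status=int(m.group("status"))) if m else None

def is_signal(rec):
    # Restricted path reached with no session cookie and answered 200 rather
    # than the redirect to logon that enforced authentication would produce.
    path = rec["path"].split("?", 1)[0]
    if not path.startswith(RESTRICTED_PREFIXES) or path in PUBLIC_PATHS:
        return False
    return rec["status"] == 200 and not rec["cookie"].startswith(SESSION_COOKIE)

def summarize(lines):
    per_day, sources, ips = Counter(), defaultdict(set), set()
    for rec in filter(None, map(parse_line, lines)):
        if is_signal(rec):
            day = rec["ts"][:10]
            per_day[day] += 1
            sources[day].add(rec["ip"])
            ips.add(rec["ip"])
    peak_day, peak = max(per_day.items(), key=lambda kv: kv[1], default=(None, 0))
    return {"signals": sum(per_day.values()), "attacking_ips": len(ips),
            "peak_day": peak_day, "peak_signals": peak,
            "max_sources_one_day": max((len(s) for s in sources.values()), default=0)}
# Constructed sample: documentation IPs and placeholder restricted paths.
SAMPLE_LOG = [
    '2025-10-27T08:00:01Z 203.0.113.10 "GET /+CSCOE+/logon.html" 200 cookie=-',
    '2025-10-27T08:00:05Z 203.0.113.10 "GET /+CSCOE+/restricted/a.html" 302 cookie=-',
    '2025-10-27T08:01:10Z 203.0.113.10 "GET /+CSCOE+/restricted/a.html?x=1" 200 cookie=-',
    '2025-10-27T09:15:00Z 198.51.100.7 "GET /+webvpn+/restricted/b.html" 200 cookie=-',
    '2025-10-27T10:20:00Z 192.0.2.44 "GET /+CSCOE+/restricted/a.html" 200 cookie=webvpn=abc123',
    '2025-10-28T01:00:00Z 203.0.113.10 "GET /+CSCOE+/restricted/a.html" 200 cookie=-',
    '2025-10-28T01:00:02Z 198.51.100.9 "POST /+webvpn+/restricted/c" 200 cookie=-',
    '2025-10-28T01:00:03Z 198.51.100.9 "GET /+webvpn+/restricted/c" 200 cookie=-',
]
```

The second sample line (a 302 back to logon) is what an enforced login looks like; only unauthenticated requests that are answered with 200 on a gated path count as signals, so authenticated sessions and the public logon page are never flagged.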

Original publications and analysis:

Research credit: Cisco PSIRT on LinkedIn and X, plus Rapid7 on LinkedIn and X.

Threat Landscape Analysis

CrowdSec telemetry shows a pattern that should concern defenders even without headline-grabbing botnet numbers. This CVE has remained active for months, with momentum still elevated and 2,330 observed signals in the latest 89-day window. That is consistent with a vulnerability that has moved from disclosure into routine attacker playbooks.

The threat context also matters. CrowdSec data ties this activity primarily to infrastructure takeover objectives, with additional overlap into ransomware and data exfiltration use cases. The highest observed target concentrations occur in commerce and small-office/home-office environments, while the top observed attacker origins include the Netherlands, Ireland, and the United States. In other words, this is not just noisy scanning for bragging rights. It is sustained pressure against real perimeter systems that many organizations depend on every day.

How to protect your systems

Patch: Apply Cisco’s fixed software releases immediately. The exact safe version depends on your branch, so use the Cisco Software Checker and the vendor advisory to identify the first fixed release for your ASA or FTD train.

Preemptive blocking: If patching cannot be done immediately, use CrowdSec intelligence to block known hostile sources at your internet-facing edge. The CrowdSec Security Engine, CrowdSec CTI, and CrowdSec Intelligence Blocklists can reduce exposure while you complete the upgrade window.
