Introduction
Disruptions to remote access VPN services can halt business operations and disconnect critical infrastructure from remote management. CVE-2025-20251 is a newly disclosed vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that allows authenticated VPN users to create or delete arbitrary files on the device’s underlying operating system. If attackers target critical system files, the Remote Access SSL VPN service may become unresponsive, causing denial of service and requiring a manual reboot for recovery.
Cisco is a dominant force in enterprise network security, with ASA and FTD products deployed globally across government, finance, healthcare, and critical infrastructure sectors. Their security appliances are foundational to remote access and perimeter defense for thousands of organizations.
Technical Information
CVE-2025-20251 is caused by insufficient input validation in the Remote Access SSL VPN service of Cisco ASA and FTD. When processing HTTP requests from authenticated VPN users, the software does not properly validate input parameters that are subsequently used in file operations. This flaw enables attackers with valid VPN credentials to send crafted HTTP requests that can create or delete arbitrary files on the device’s underlying OS. The vulnerability is classified as CWE-1287 (Improper Validation of Specified Type of Input).
If an attacker manipulates or deletes critical system files, the VPN service can become unresponsive, dropping existing sessions and denying new connections. Recovery requires a manual reboot of the affected device. Exploitation requires no privileges beyond valid VPN user authentication, so any compromised or malicious VPN user account is sufficient to trigger the condition.
No public code snippets or proof of concept have been released for this issue.
Patch Information
To address CVE-2025-20251, Cisco has released software updates for both ASA and FTD that enhance input validation in HTTP request processing. Administrators should upgrade affected devices to the fixed software versions as detailed in the official Cisco Security Advisory:
Applying the patch ensures that only authorized file operations are performed, mitigating the risk of service disruption.
Affected Systems and Versions
- Cisco Adaptive Security Appliance (ASA) Software: All versions supporting Remote Access SSL VPN prior to the fixed release (see Cisco advisory for exact version numbers)
- Cisco Firepower Threat Defense (FTD) Software: All versions supporting Remote Access SSL VPN prior to the fixed release (see Cisco advisory for exact version numbers)
- Only devices with Remote Access SSL VPN enabled are vulnerable
Refer to the Cisco advisory for detailed version and configuration information.
Vendor Security History
Cisco ASA and FTD products have experienced similar vulnerabilities in the past. Notable examples include:
- CVE-2024-20353 and CVE-2024-20359, both exploited in the ArcaneDoor campaign
- CVE-2020-3452, a directory traversal vulnerability in ASA and FTD web services
Cisco typically issues advisories and patches quickly, but recurring input validation flaws indicate ongoing challenges in secure development for web and VPN components.