
[Security Vulnerability Alert] Cisco's firewall system has two critical security vulnerabilities (CVE-2025-20333 and CVE-2025-20363)

Announcement category: Administrative announcement
Publication period: 2025/09/30 to 2026/03/30
Views: 354

Forwarded from the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), advisory TWCERTCC-200-202509-00000015

[Description]
【CVE-2025-20333】A critical security vulnerability (CVE-2025-20333, CVSS: 9.9) exists in the VPN web server of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). The vulnerability stems from improper validation of user input in HTTP(S) requests. A remote attacker who holds valid VPN user credentials can send a specially crafted HTTP request and, as an authenticated user, execute arbitrary code as root on the affected device.

【CVE-2025-20363】A critical security vulnerability (CVE-2025-20363, CVSS: 9.0) exists in the web services of Cisco Adaptive Security Appliance (ASA), Cisco Firepower Threat Defense (FTD) software, Cisco IOS software, Cisco IOS XE software, and Cisco IOS XR software. This vulnerability stems from improper validation of user input in HTTP requests. An attacker can send a specially crafted HTTP request to the web service of the affected device, allowing them to execute arbitrary code as root, potentially causing a denial of service on the affected device.

[Affected Platforms]
1. Please check the official website for the version to determine if your device is affected. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

2. Please check the official website for the version to determine if your device is affected. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O

[Recommended Actions]
Apply the patch according to the solution provided on the official website: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
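The recommended action above amounts to reading the running ASA/FTD version off each device and comparing it against the "First Fixed Release" table in the linked Cisco advisories. The following helper, added here as an example and not part of this advisory or of any Cisco tooling, parses the version string (ASA style `9.16(4)67` or FTD style `7.2.5.1`), determines its release train, and reports whether the device is at or above the first fixed release for that train. The version table it ships with is a placeholder constructed for the example; the real values must be copied from the advisories at the two URLs above. The `show version` line format is assumed from the usual ASA output.

```python
import re
from typing import Dict, Optional, Tuple

# PLACEHOLDER first-fixed-release table keyed by release train.
# These values are constructed for this example and are NOT taken from
# Cisco's advisory. Replace them with the "First Fixed Release" table
# published at the advisory URLs in this alert before relying on the output.
FIRST_FIXED_PLACEHOLDER: Dict[str, str] = {
    "9.16": "9.16(4)99",   # placeholder (ASA-style version)
    "9.20": "9.20(3)99",   # placeholder (ASA-style version)
    "7.2":  "7.2.99",      # placeholder (FTD-style version)
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Reduce an ASA ('9.16(4)67') or FTD ('7.2.5.1') version string to a
    tuple of integers so that versions can be compared component-wise."""
    parts = re.findall(r"\d+", text)
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two parsed versions; missing trailing components count as 0.
    Returns -1, 0 or 1 like a classic three-way comparison."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def train_of(v: Tuple[int, ...]) -> str:
    """The release train is the first two numeric components (e.g. '9.16')."""
    return f"{v[0]}.{v[1]}"


def assess(running: str,
           first_fixed: Dict[str, str] = FIRST_FIXED_PLACEHOLDER) -> str:
    """Classify a running version against the first-fixed table:
    'fixed'      - at or above the first fixed release of its train
    'vulnerable' - below the first fixed release of its train
    'unlisted'   - train not in the table; in Cisco advisories this usually
                   means the train has no fix and a migration is required,
                   so it must be checked manually against the advisory."""
    v = parse_version(running)
    fixed = first_fixed.get(train_of(v))
    if fixed is None:
        return "unlisted"
    return "fixed" if compare(v, parse_version(fixed)) >= 0 else "vulnerable"


def assess_show_version(output: str,
                        first_fixed: Dict[str, str] = FIRST_FIXED_PLACEHOLDER
                        ) -> Optional[str]:
    """Pull the version out of ASA 'show version' output and assess it.
    Returns None when no 'Software Version' line is present."""
    m = re.search(r"Software Version\s+([\d.()]+)", output)
    if not m:
        return None
    return assess(m.group(1), first_fixed)


if __name__ == "__main__":
    # Constructed sample of the first line of ASA 'show version' output.
    SAMPLE = "Cisco Adaptive Security Appliance Software Version 9.16(4)67\n"
    print(assess_show_version(SAMPLE))
```

Run it against the saved `show version` output of each ASA or FTD device after replacing the placeholder table; anything reported as `vulnerable` or `unlisted` should be scheduled for the upgrade described in the Cisco advisory, and `unlisted` trains in particular need a manual check because the advisory may direct them to a different fixed train rather than a point release.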

[References]
1. https://www.twcert.org.tw/tw/cp-169-10411-12ff4-1.html
