PT-2025-39422 · Cisco · Cisco IOS XR (+5 more products)

Keane Okelley · Published 2025-09-25 · Updated 2026-04-14 · CVE-2025-20363

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
Cisco Secure Firewall Threat Defense (FTD) Software
Cisco IOS Software
Cisco IOS XE Software
Cisco IOS XR Software
Affected and first fixed releases are listed per release train in Cisco's advisory for CVE-2025-20363; whether a given device is affected depends on its release train and on whether the web service is enabled.
Description
A heap-based buffer overflow in the web services of the listed Cisco products could allow a remote attacker to execute arbitrary code on an affected device. The flaw stems from improper validation of user-supplied input in HTTP requests: an attacker sends crafted HTTP requests to a targeted web service, corrupting dynamically allocated memory and potentially gaining code execution as root and full control of the device.

The authentication requirement differs by product. On Cisco ASA and FTD Software no authentication is needed. On Cisco IOS, IOS XE and IOS XR Software the attacker must be authenticated with low user privileges. The CVSS vector (PR:N) reflects the unauthenticated ASA/FTD case, so the practical exposure of IOS, IOS XE and IOS XR is somewhat lower, but the outcome once triggered is the same root-level code execution.

Reports have tied this vulnerability to the ArcaneDoor campaign, attributed by some researchers to a China-linked actor, which deployed the RayInitiator bootkit and the LINE VIPER shellcode loader against Cisco ASA devices. Note that Cisco's advisory for CVE-2025-20363 stated at disclosure that Cisco was not aware of exploitation of this specific vulnerability; the confirmed ArcaneDoor exploitation involved other Cisco ASA/FTD vulnerabilities disclosed on the same day. Treat this one with the same urgency regardless, since the same class of exposed HTTP services is involved.
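The description above says the flaw is a heap-based buffer overflow reached through insufficiently validated HTTP request input. Cisco has not published the affected code, so what follows is an added illustration of that weakness class, not Cisco's code and not a reproduction of CVE-2025-20363: a minimal HTTP request handler that sizes a heap buffer from the client-supplied Content-Length and then copies the body as actually received, next to a hardened variant that bounds and cross-checks both values. The request bytes, the /api/upload path, the MAX_BODY ceiling and every function name are constructed for the example.

```c
/*
 * Added illustration (not Cisco's code): a heap-based buffer overflow in an
 * HTTP request handler that trusts client-supplied length data, next to a
 * hardened variant. All names, limits and request bytes here are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 4096   /* assumed application ceiling on request body size */

/* Constructed sample requests (header block + body). The benign request is
 * self-consistent; the crafted one under-declares Content-Length so a
 * trusting handler allocates 5 bytes and then copies 32. */
static const char BENIGN_HDR[] =
    "POST /api/upload HTTP/1.1\r\nHost: fw.example\r\nContent-Length: 5\r\n\r\n";
static const uint8_t BENIGN_BODY[] = "hello";
#define BENIGN_BODY_LEN 5

static const char CRAFTED_HDR[] =
    "POST /api/upload HTTP/1.1\r\nHost: fw.example\r\nContent-Length: 4\r\n\r\n";
static const uint8_t CRAFTED_BODY[] = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHH";
#define CRAFTED_BODY_LEN 32

/* Parse the Content-Length header value; -1 if absent or not a number. */
static long declared_length(const char *hdr)
{
    const char *p = strstr(hdr, "Content-Length:");
    if (p == NULL)
        return -1;
    p += strlen("Content-Length:");
    while (*p == ' ')
        p++;
    char *end;
    long n = strtol(p, &end, 10);
    return (end == p) ? -1 : n;
}

/* VULNERABLE: the heap allocation is sized from the attacker-controlled
 * header, but the copy is sized from the bytes that actually arrived.
 * When body_len > declared length, memcpy writes past the allocation
 * (CWE-122, heap-based buffer overflow). Kept only to show the pattern;
 * main() below does not call it with the crafted request. */
char *handle_request_vulnerable(const char *hdr, const uint8_t *body, size_t body_len)
{
    long n = declared_length(hdr);
    if (n < 0)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, body, body_len);   /* no check that body_len <= n */
    buf[body_len] = '\0';
    return buf;
}

/* How many bytes the vulnerable handler would write past its allocation
 * for a given header/body pair (0 means no overflow). Computed, not executed. */
size_t vulnerable_overrun_bytes(const char *hdr, size_t body_len)
{
    long n = declared_length(hdr);
    if (n < 0)
        return 0;                      /* handler rejects before allocating */
    return body_len > (size_t)n ? body_len - (size_t)n : 0;
}

/* HARDENED: bound the declared length by an application ceiling and require
 * it to match what was actually received; any disagreement is rejected
 * instead of trusting either side. */
char *handle_request_hardened(const char *hdr, const uint8_t *body, size_t body_len)
{
    long n = declared_length(hdr);
    if (n < 0 || n > MAX_BODY)
        return NULL;
    if (body_len != (size_t)n)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, body, (size_t)n);      /* copy size equals allocation size - 1 */
    buf[n] = '\0';
    return buf;
}

/* Convenience check: the hardened path still serves a well-formed request. */
int hardened_accepts_benign(void)
{
    char *buf = handle_request_hardened(BENIGN_HDR, BENIGN_BODY, BENIGN_BODY_LEN);
    int ok = (buf != NULL) && (strcmp(buf, "hello") == 0);
    free(buf);
    return ok;
}

int main(void)
{
    printf("crafted request: vulnerable handler would overrun its heap buffer by %zu bytes\n",
           vulnerable_overrun_bytes(CRAFTED_HDR, CRAFTED_BODY_LEN));
    printf("crafted request: hardened handler rejects it: %s\n",
           handle_request_hardened(CRAFTED_HDR, CRAFTED_BODY, CRAFTED_BODY_LEN) == NULL ? "yes" : "no");
    printf("benign request: hardened handler accepts it: %s\n",
           hardened_accepts_benign() ? "yes" : "no");
    return 0;
}
```

The point of the hardened variant is not the ceiling alone: the decisive check is that the allocation size and the copy size are derived from the same validated value, so a client cannot make them disagree. Running the vulnerable path on the crafted request under AddressSanitizer would report the 28-byte heap-buffer-overflow that vulnerable_overrun_bytes computes without executing it.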
Recommendations
Upgrade to a fixed release. Cisco publishes first fixed releases per release train (for ASA these include patched releases in the 9.12 and 9.14 trains, among others); use Cisco's advisory or the Cisco Software Checker to identify the fixed release for the train you run.
Update Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software to a fixed release.
Update Cisco IOS Software to a fixed release.
Update Cisco IOS XE Software to a fixed release.
Update Cisco IOS XR Software to a fixed release.
Because the vulnerable component is the device's web service, also check whether that service is reachable from untrusted networks and restrict access where it is not needed; this reduces exposure but does not replace the upgrade.

Fix

RCE

Heap Based Buffer Overflow


Weakness Enumeration

Related Identifiers

BDU:2025-11752
CVE-2025-20363

Affected Products

Cisco ASA
Cisco IOS
Cisco IOS XE
Cisco IOS XR
Cisco Secure Firewall Adaptive Security Appliance (ASA)
Cisco Secure Firewall Threat Defense (FTD)