Analysis updated 2026-05-18
Check if Cisco ASA or FTD devices you manage are exposed to CVE-2025-20333.
Run a safe, non-destructive reachability check before deciding to patch or investigate further.
Use as a starting point in a security assessment of Cisco WebVPN endpoints you are authorized to test.
| curtishoughton/cisco-asa-cve-2025-20333-scanner | 0xhassaan/nn-from-scratch | 3ks/embedoc | |
|---|---|---|---|
| Stars | 0 | 0 | — |
| Language | Python | Python | Python |
| Last pushed | — | — | 2023-06-08 |
| Maintenance | — | — | Dormant |
| Setup difficulty | easy | moderate | hard |
| Complexity | 2/5 | 4/5 | 1/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
For use only against systems you are authorized to test.
This is a Python tool designed to help security professionals check whether a specific critical vulnerability exists on Cisco network devices they are authorized to test. The vulnerability, CVE-2025-20333, is a heap based buffer overflow in the WebVPN file upload handler found in Cisco Secure ASA and Cisco Secure FTD devices. A buffer overflow is a type of memory corruption flaw that happens when a program writes more data into a memory region than it can hold, and in severe cases this lets an attacker run their own code on the affected machine. Here, the potential impact is remote code execution as root, meaning a successful attacker could take full control of the device. The severity is rated 9.9 on the CVSS scale, placing it in the critical category. The scanner works by sending safe, read only GET requests to the WebVPN endpoints associated with this vulnerability. It does not attempt any actual exploitation, it only checks whether vulnerable endpoints are reachable and reports clear indicators of potential exposure. It also tests common path traversal and normalization bypass patterns, which are techniques that probe whether a server can be tricked into serving restricted paths. Results appear with colored console output for easy reading. You would use this tool if you are a security researcher, penetration tester, or system administrator responsible for Cisco ASA or FTD devices with WebVPN or AnyConnect enabled. It is explicitly built for authorized testing only, takes the target URL as a command line argument, and is written in Python.
A Python scanner that safely checks if Cisco ASA or FTD devices are exposed to the critical CVE-2025-20333 buffer overflow flaw.
Mainly Python. The stack also includes Python.
Setup difficulty is rated easy, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.