CVE-2025-20219 (GCVE-0-2025-20219)

Vulnerability from cvelistv5 – Published: 2025-08-14 16:28 – Updated: 2025-08-14 20:44
Summary
A vulnerability in the implementation of access control rules for loopback interfaces in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should have been blocked to a loopback interface. This vulnerability is due to improper enforcement of access control rules for loopback interfaces. An attacker could exploit this vulnerability by sending traffic to a loopback interface on an affected device. A successful exploit could allow the attacker to bypass configured access control rules and send traffic that should have been blocked to a loopback interface on the device.
CWE
  • CWE-284 - Improper Access Control
Assigner: cisco (Cisco PSIRT, psirt@cisco.com)
Impacted products

Vendor: Cisco
Product: Cisco Adaptive Security Appliance (ASA) Software
Affected versions (44 releases, grouped here by release train; the record itself lists them in the order reproduced in the JSON below):
  • 9.18 train: 9.18.2, 9.18.2.5, 9.18.2.7, 9.18.2.8, 9.18.3, 9.18.3.39, 9.18.3.46, 9.18.3.53, 9.18.3.55, 9.18.3.56, 9.18.4, 9.18.4.5, 9.18.4.8, 9.18.4.22, 9.18.4.24, 9.18.4.29, 9.18.4.34, 9.18.4.40, 9.18.4.47, 9.18.4.50
  • 9.19 train: 9.19.1, 9.19.1.5, 9.19.1.9, 9.19.1.12, 9.19.1.18, 9.19.1.22, 9.19.1.24, 9.19.1.27, 9.19.1.28, 9.19.1.31, 9.19.1.37, 9.19.1.38
  • 9.20 train: 9.20.1, 9.20.1.5, 9.20.2, 9.20.2.10, 9.20.2.21, 9.20.2.22, 9.20.3, 9.20.3.4, 9.20.3.7, 9.20.3.9
  • 9.22 train: 9.22.1.1, 9.22.1.2

Vendor: Cisco
Product: Cisco Firepower Threat Defense (FTD) Software
Affected versions (10 releases):
  • 7.3 train: 7.3.0, 7.3.1, 7.3.1.1, 7.3.1.2
  • 7.4 train: 7.4.0, 7.4.1, 7.4.1.1, 7.4.2, 7.4.2.1
  • 7.6 train: 7.6.0

The record's defaultStatus for both products is "unknown": a release that does not appear above is not thereby known to be fixed, and the record names no fixed release. Fixed releases are given in the Cisco advisory referenced in the record (cisco-sa-asa-ftd-acl-bypass-mtPze9Yh). CISA's SSVC enrichment in the record rates the issue Exploitation: none, Automatable: yes, Technical Impact: partial, and Cisco PSIRT reports no known public exploitation.
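
A practitioner reading the list above wants two things the raw list does not give: a quick way to test a device's running version against it, and a reminder that, per the description, exploitation consists of sending traffic to a loopback interface, so a device with no loopback configured has affected code but no target. The following Python is an added example and is not Cisco's code or tooling. The version sets are transcribed from this record; the ASA `show version` line format (interim build in parentheses, e.g. `9.18(4)22`) is the real one, while the FTD `show version` line format is an assumption, and all sample show output is constructed.

```python
"""Exposure triage for CVE-2025-20219 from ASA/FTD show-command output.

Added example, not Cisco's code. The affected-version sets are transcribed
from the CVE record on this page; its defaultStatus is "unknown", so a
version absent from them is reported as NOT LISTED, not as fixed (fixed
releases are in the Cisco advisory, not in the record). The record says
exploitation is sending traffic to a loopback interface, so a device with
no named loopback is reported as affected code without a target. All show
output below is constructed.
"""
import re
from typing import List, Tuple

ASA_AFFECTED = frozenset("""
9.18.2 9.18.2.5 9.18.2.7 9.18.2.8
9.18.3 9.18.3.39 9.18.3.46 9.18.3.53 9.18.3.55 9.18.3.56
9.18.4 9.18.4.5 9.18.4.8 9.18.4.22 9.18.4.24 9.18.4.29 9.18.4.34 9.18.4.40 9.18.4.47 9.18.4.50
9.19.1 9.19.1.5 9.19.1.9 9.19.1.12 9.19.1.18 9.19.1.22 9.19.1.24 9.19.1.27 9.19.1.28 9.19.1.31 9.19.1.37 9.19.1.38
9.20.1 9.20.1.5 9.20.2 9.20.2.10 9.20.2.21 9.20.2.22 9.20.3 9.20.3.4 9.20.3.7 9.20.3.9
9.22.1.1 9.22.1.2
""".split())
FTD_AFFECTED = frozenset(
    "7.3.0 7.3.1 7.3.1.1 7.3.1.2 7.4.0 7.4.1 7.4.1.1 7.4.2 7.4.2.1 7.6.0".split())

# ASA `show version` prints the interim build in parentheses ("9.18(4)22").
# The FTD line is modelled on "Model : Cisco Firepower Threat Defense for
# VMware (75) Version 7.4.1.1 (Build 172)" (assumed format). Dotted versions
# are accepted for both products.
_VERSION_RE = re.compile(
    r"(?P<product>Cisco Adaptive Security Appliance Software|Cisco Firepower Threat Defense)"
    r"[^\n]*?Version (?P<version>\d+\.\d+\(\d+\)\d*|\d+(?:\.\d+)+)")
_IFACE_RE = re.compile(r"^interface (?P<name>\S+)\s*$")


def normalise_version(raw: str) -> str:
    # '9.18(4)22' -> '9.18.4.22', '9.18(4)' -> '9.18.4'; dotted input is unchanged
    return raw.replace("(", ".").replace(")", ".").rstrip(".")


def parse_version(show_version: str) -> Tuple[str, str]:
    """Return ('ASA'|'FTD', dotted version) from `show version` text."""
    m = _VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no recognised ASA/FTD version line in input")
    product = "ASA" if m["product"].startswith("Cisco Adaptive") else "FTD"
    return product, normalise_version(m["version"])


def is_listed_affected(product: str, version: str) -> bool:
    return version in (ASA_AFFECTED if product == "ASA" else FTD_AFFECTED)


def find_loopbacks(running_config: str) -> List[dict]:
    """Collect `interface LoopbackN` blocks with their nameif and ip address
    from `show running-config`; a loopback without nameif passes no traffic."""
    loopbacks, current = [], None
    for line in running_config.splitlines():
        m = _IFACE_RE.match(line)
        if m:                                   # start of an interface block
            current = None
            if m["name"].lower().startswith("loopback"):
                current = {"name": m["name"], "nameif": None, "addresses": []}
                loopbacks.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None                      # left the interface sub-mode
            continue
        tok = line.split()
        if len(tok) > 1 and tok[0] == "nameif":
            current["nameif"] = tok[1]
        elif len(tok) > 2 and tok[:2] == ["ip", "address"]:
            current["addresses"].append(tok[2])
    return loopbacks


def assess(show_version: str, running_config: str) -> dict:
    product, version = parse_version(show_version)
    listed = is_listed_affected(product, version)
    loops = [l for l in find_loopbacks(running_config) if l["nameif"]]
    if listed and loops:
        verdict = "EXPOSED"                    # listed version and a named loopback
    elif listed:
        verdict = "AFFECTED-CODE-NO-LOOPBACK"  # listed version, nothing to target
    else:
        verdict = "VERSION-NOT-LISTED"         # not implied fixed; check the advisory
    return {"product": product, "version": version, "version_listed": listed,
            "loopbacks": loops, "verdict": verdict}


# Constructed samples (not captured from a real device).
SAMPLE_ASA_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.18(4)22\n"
SAMPLE_ASA_CONFIG = """\
interface Loopback1
 nameif mgmt-loop
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.10 255.255.255.0
!
access-list OUTSIDE_IN extended deny ip any host 10.255.0.1
access-group OUTSIDE_IN in interface outside
"""
SAMPLE_FTD_SHOW_VERSION = (
    "Model : Cisco Firepower Threat Defense for VMware (75) Version 7.4.1.1 (Build 172)\n")
SAMPLE_FTD_CONFIG = "interface GigabitEthernet0/0\n nameif outside\n!\n"

if __name__ == "__main__":
    print(assess(SAMPLE_ASA_SHOW_VERSION, SAMPLE_ASA_CONFIG))
    print(assess(SAMPLE_FTD_SHOW_VERSION, SAMPLE_FTD_CONFIG))
```

Feed it the output of `show version` and `show running-config` from each device. A "VERSION-NOT-LISTED" verdict only means the release is not enumerated in this record; whether it is fixed comes from the Cisco advisory's fixed-release table, which this page does not carry.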

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-20219",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-14T20:44:20.753964Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-14T20:44:27.252Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Cisco Adaptive Security Appliance (ASA) Software",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "9.18.2"
            },
            {
              "status": "affected",
              "version": "9.18.2.5"
            },
            {
              "status": "affected",
              "version": "9.18.2.7"
            },
            {
              "status": "affected",
              "version": "9.19.1"
            },
            {
              "status": "affected",
              "version": "9.18.2.8"
            },
            {
              "status": "affected",
              "version": "9.18.3"
            },
            {
              "status": "affected",
              "version": "9.19.1.5"
            },
            {
              "status": "affected",
              "version": "9.19.1.9"
            },
            {
              "status": "affected",
              "version": "9.18.3.39"
            },
            {
              "status": "affected",
              "version": "9.19.1.12"
            },
            {
              "status": "affected",
              "version": "9.18.3.46"
            },
            {
              "status": "affected",
              "version": "9.19.1.18"
            },
            {
              "status": "affected",
              "version": "9.18.3.53"
            },
            {
              "status": "affected",
              "version": "9.18.3.55"
            },
            {
              "status": "affected",
              "version": "9.18.3.56"
            },
            {
              "status": "affected",
              "version": "9.20.1"
            },
            {
              "status": "affected",
              "version": "9.19.1.22"
            },
            {
              "status": "affected",
              "version": "9.18.4"
            },
            {
              "status": "affected",
              "version": "9.20.1.5"
            },
            {
              "status": "affected",
              "version": "9.18.4.5"
            },
            {
              "status": "affected",
              "version": "9.19.1.24"
            },
            {
              "status": "affected",
              "version": "9.18.4.8"
            },
            {
              "status": "affected",
              "version": "9.20.2"
            },
            {
              "status": "affected",
              "version": "9.19.1.27"
            },
            {
              "status": "affected",
              "version": "9.18.4.22"
            },
            {
              "status": "affected",
              "version": "9.20.2.10"
            },
            {
              "status": "affected",
              "version": "9.19.1.28"
            },
            {
              "status": "affected",
              "version": "9.18.4.24"
            },
            {
              "status": "affected",
              "version": "9.20.2.21"
            },
            {
              "status": "affected",
              "version": "9.19.1.31"
            },
            {
              "status": "affected",
              "version": "9.18.4.29"
            },
            {
              "status": "affected",
              "version": "9.20.2.22"
            },
            {
              "status": "affected",
              "version": "9.18.4.34"
            },
            {
              "status": "affected",
              "version": "9.20.3"
            },
            {
              "status": "affected",
              "version": "9.18.4.40"
            },
            {
              "status": "affected",
              "version": "9.22.1.1"
            },
            {
              "status": "affected",
              "version": "9.20.3.4"
            },
            {
              "status": "affected",
              "version": "9.18.4.47"
            },
            {
              "status": "affected",
              "version": "9.20.3.7"
            },
            {
              "status": "affected",
              "version": "9.19.1.37"
            },
            {
              "status": "affected",
              "version": "9.20.3.9"
            },
            {
              "status": "affected",
              "version": "9.19.1.38"
            },
            {
              "status": "affected",
              "version": "9.18.4.50"
            },
            {
              "status": "affected",
              "version": "9.22.1.2"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Cisco Firepower Threat Defense Software",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "7.3.0"
            },
            {
              "status": "affected",
              "version": "7.3.1"
            },
            {
              "status": "affected",
              "version": "7.3.1.1"
            },
            {
              "status": "affected",
              "version": "7.4.0"
            },
            {
              "status": "affected",
              "version": "7.4.1"
            },
            {
              "status": "affected",
              "version": "7.4.1.1"
            },
            {
              "status": "affected",
              "version": "7.3.1.2"
            },
            {
              "status": "affected",
              "version": "7.6.0"
            },
            {
              "status": "affected",
              "version": "7.4.2"
            },
            {
              "status": "affected",
              "version": "7.4.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the implementation of access control rules for loopback interfaces in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should have been blocked to a loopback interface.\r\n\r\nThis vulnerability is due to improper enforcement of access control rules for loopback interfaces. An attacker could exploit this vulnerability by sending traffic to a loopback interface on an affected device. A successful exploit could allow the attacker to bypass configured access control rules and send traffic\u0026nbsp;that should have been blocked to a loopback interface on the device."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "cvssV3_1"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-14T16:28:40.010Z",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "cisco-sa-asa-ftd-acl-bypass-mtPze9Yh",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-acl-bypass-mtPze9Yh"
        }
      ],
      "source": {
        "advisory": "cisco-sa-asa-ftd-acl-bypass-mtPze9Yh",
        "defects": [
          "CSCwi57783"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Access Control Bypass Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2025-20219",
    "datePublished": "2025-08-14T16:28:40.010Z",
    "dateReserved": "2024-10-10T19:15:13.233Z",
    "dateUpdated": "2025-08-14T20:44:27.252Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-20219\",\"sourceIdentifier\":\"psirt@cisco.com\",\"published\":\"2025-08-14T17:15:35.920\",\"lastModified\":\"2025-08-15T13:12:51.217\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the implementation of access control rules for loopback interfaces in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should have been blocked to a loopback interface.\\r\\n\\r\\nThis vulnerability is due to improper enforcement of access control rules for loopback interfaces. An attacker could exploit this vulnerability by sending traffic to a loopback interface on an affected device. A successful exploit could allow the attacker to bypass configured access control rules and send traffic\u0026nbsp;that should have been blocked to a loopback interface on the device.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en la implementaci\u00f3n de las reglas de control de acceso para interfaces de bucle invertido en el software Cisco Secure Firewall Adaptive Security Appliance (ASA) y el software Cisco Secure Firewall Threat Defense (FTD) podr\u00eda permitir que un atacante remoto no autenticado env\u00ede tr\u00e1fico que deber\u00eda estar bloqueado a una interfaz de bucle invertido. Esta vulnerabilidad se debe a la aplicaci\u00f3n incorrecta de las reglas de control de acceso para las interfaces de bucle invertido. Un atacante podr\u00eda explotar esta vulnerabilidad enviando tr\u00e1fico a una interfaz de bucle invertido en un dispositivo afectado. 
Una explotaci\u00f3n exitosa podr\u00eda permitir al atacante eludir las reglas de control de acceso configuradas y enviar tr\u00e1fico que deber\u00eda estar bloqueado a una interfaz de bucle invertido en el dispositivo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"references\":[{\"url\":\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-acl-bypass-mtPze9Yh\",\"source\":\"psirt@cisco.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-20219\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-14T20:44:20.753964Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-14T18:03:41.159Z\"}}], \"cna\": {\"title\": \"Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Access Control Bypass Vulnerability\", \"source\": {\"defects\": [\"CSCwi57783\"], \"advisory\": \"cisco-sa-asa-ftd-acl-bypass-mtPze9Yh\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"cvssV3_1\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"Cisco Adaptive Security Appliance (ASA) Software\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.18.2\"}, {\"status\": \"affected\", \"version\": \"9.18.2.5\"}, {\"status\": \"affected\", \"version\": \"9.18.2.7\"}, {\"status\": \"affected\", \"version\": \"9.19.1\"}, {\"status\": \"affected\", \"version\": \"9.18.2.8\"}, {\"status\": \"affected\", \"version\": \"9.18.3\"}, {\"status\": \"affected\", \"version\": \"9.19.1.5\"}, {\"status\": \"affected\", \"version\": \"9.19.1.9\"}, {\"status\": \"affected\", \"version\": \"9.18.3.39\"}, {\"status\": \"affected\", \"version\": \"9.19.1.12\"}, {\"status\": \"affected\", \"version\": \"9.18.3.46\"}, 
{\"status\": \"affected\", \"version\": \"9.19.1.18\"}, {\"status\": \"affected\", \"version\": \"9.18.3.53\"}, {\"status\": \"affected\", \"version\": \"9.18.3.55\"}, {\"status\": \"affected\", \"version\": \"9.18.3.56\"}, {\"status\": \"affected\", \"version\": \"9.20.1\"}, {\"status\": \"affected\", \"version\": \"9.19.1.22\"}, {\"status\": \"affected\", \"version\": \"9.18.4\"}, {\"status\": \"affected\", \"version\": \"9.20.1.5\"}, {\"status\": \"affected\", \"version\": \"9.18.4.5\"}, {\"status\": \"affected\", \"version\": \"9.19.1.24\"}, {\"status\": \"affected\", \"version\": \"9.18.4.8\"}, {\"status\": \"affected\", \"version\": \"9.20.2\"}, {\"status\": \"affected\", \"version\": \"9.19.1.27\"}, {\"status\": \"affected\", \"version\": \"9.18.4.22\"}, {\"status\": \"affected\", \"version\": \"9.20.2.10\"}, {\"status\": \"affected\", \"version\": \"9.19.1.28\"}, {\"status\": \"affected\", \"version\": \"9.18.4.24\"}, {\"status\": \"affected\", \"version\": \"9.20.2.21\"}, {\"status\": \"affected\", \"version\": \"9.19.1.31\"}, {\"status\": \"affected\", \"version\": \"9.18.4.29\"}, {\"status\": \"affected\", \"version\": \"9.20.2.22\"}, {\"status\": \"affected\", \"version\": \"9.18.4.34\"}, {\"status\": \"affected\", \"version\": \"9.20.3\"}, {\"status\": \"affected\", \"version\": \"9.18.4.40\"}, {\"status\": \"affected\", \"version\": \"9.22.1.1\"}, {\"status\": \"affected\", \"version\": \"9.20.3.4\"}, {\"status\": \"affected\", \"version\": \"9.18.4.47\"}, {\"status\": \"affected\", \"version\": \"9.20.3.7\"}, {\"status\": \"affected\", \"version\": \"9.19.1.37\"}, {\"status\": \"affected\", \"version\": \"9.20.3.9\"}, {\"status\": \"affected\", \"version\": \"9.19.1.38\"}, {\"status\": \"affected\", \"version\": \"9.18.4.50\"}, {\"status\": \"affected\", \"version\": \"9.22.1.2\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"Cisco\", \"product\": \"Cisco Firepower Threat Defense Software\", \"versions\": [{\"status\": \"affected\", \"version\": 
\"7.3.0\"}, {\"status\": \"affected\", \"version\": \"7.3.1\"}, {\"status\": \"affected\", \"version\": \"7.3.1.1\"}, {\"status\": \"affected\", \"version\": \"7.4.0\"}, {\"status\": \"affected\", \"version\": \"7.4.1\"}, {\"status\": \"affected\", \"version\": \"7.4.1.1\"}, {\"status\": \"affected\", \"version\": \"7.3.1.2\"}, {\"status\": \"affected\", \"version\": \"7.6.0\"}, {\"status\": \"affected\", \"version\": \"7.4.2\"}, {\"status\": \"affected\", \"version\": \"7.4.2.1\"}], \"defaultStatus\": \"unknown\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.\"}], \"references\": [{\"url\": \"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-acl-bypass-mtPze9Yh\", \"name\": \"cisco-sa-asa-ftd-acl-bypass-mtPze9Yh\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the implementation of access control rules for loopback interfaces in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should have been blocked to a loopback interface.\\r\\n\\r\\nThis vulnerability is due to improper enforcement of access control rules for loopback interfaces. An attacker could exploit this vulnerability by sending traffic to a loopback interface on an affected device. 
A successful exploit could allow the attacker to bypass configured access control rules and send traffic\u0026nbsp;that should have been blocked to a loopback interface on the device.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"cwe\", \"cweId\": \"CWE-284\", \"description\": \"Improper Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2025-08-14T16:28:40.010Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-20219\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-14T20:44:27.252Z\", \"dateReserved\": \"2024-10-10T19:15:13.233Z\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2025-08-14T16:28:40.010Z\", \"assignerShortName\": \"cisco\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

