
WebVPN
Cisco's clientless web-based VPN access path exploited by UAT-4356 for FIRESTARTER initial access via CVE-2025-20333.
Last refreshed: 30 April 2026 · Appears in 1 active topic
Does patching WebVPN vulnerabilities remove persistent implants already inside the device?
Timeline for WebVPN
Mentioned in: FIRESTARTER implant survives every Cisco firewall patch (Cybersecurity: Threats and Defences)
Mentioned in: Federal agency stayed compromised six months (Cybersecurity: Threats and Defences)
- What is Cisco WebVPN?
- Clientless remote-access VPN technology that runs through a web browser on Cisco ASA and Firepower appliances, used when VPN client software cannot be installed. Source: Cisco
- How does FIRESTARTER exploit WebVPN?
- UAT-4356 chains CVE-2025-20333 and CVE-2025-20362 in the WebVPN authentication layer for initial access, then deploys the FIRESTARTER implant, which persists below the patch layer. Source: CISA AR26-113A
- Can patching fix a WebVPN compromise?
- Patching WebVPN vulnerabilities does not remove FIRESTARTER if the implant has already hooked the device boot sequence. An unnamed federal agency remained compromised six months after patching in September 2025. Source: CISA/NCSC
Background
WebVPN is Cisco's branded clientless remote-access offering on ASA and Firepower appliances. Unlike traditional VPN clients, which require software installation on the user's laptop, WebVPN runs through a web browser, making it the entry point for users who cannot install client software or who use highly restricted devices. The technology has been part of the Cisco Adaptive Security Appliance ecosystem since releases of roughly the 2005 era, making it a fixture in enterprise perimeter design for 20 years.
On 23 April 2026, CISA and NCSC disclosed that UAT-4356 exploited WebVPN authentication logic to trigger the FIRESTARTER implant already resident on the device. The attack chain begins with CVE-2025-20333, a remote code execution flaw in WebVPN authentication handling, followed by CVE-2025-20362, a privilege-escalation vulnerability. An unnamed federal agency patched both vulnerabilities in September 2025 but remained compromised six months later, because FIRESTARTER had already hooked the device boot sequence before the patches were deployed. WebVPN's accessibility (no client software required) makes it the primary ingress point for remote-access compromises, and the FIRESTARTER advisory treats it as an attack surface that persists through patching.