CVE-2025-20238
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-15
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | secure_firewall_asa | * |
| cisco | secure_firewall_ftd | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1244 | The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Cisco Secure Firewall ASA and FTD Software, where an authenticated local attacker with administrative credentials can execute arbitrary commands on the underlying operating system with root-level privileges. It is caused by insufficient input validation of user-supplied commands, allowing crafted inputs to be executed as root.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow an attacker with administrative access to execute any command on the device's operating system as root, potentially leading to full control over the device, unauthorized access to sensitive data, disruption of network security functions, and further compromise of the network environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that only trusted administrators have access to the Cisco Secure Firewall ASA and FTD devices, as exploitation requires valid administrative credentials. Limit administrative access and monitor for any unusual command executions. Apply any available patches or updates from Cisco once released to address the insufficient input validation issue.