CVE-2025-20313
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-09-26
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_xe | 3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-35 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves multiple issues in Cisco IOS XE Software that could allow an authenticated local attacker with high-level privileges or an unauthenticated attacker with physical access to execute persistent code at boot time. The root causes are path traversal and improper image integrity validation, which enable the attacker to break the chain of trust and run persistent malicious code on the device's operating system.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute persistent code on the device's operating system, effectively bypassing major security features. This could lead to unauthorized control over the device, compromise of its integrity, confidentiality, and availability, and potentially allow further attacks within the network.