CVE-2025-20334
BaseFortify
Publication date: 2025-09-24
Last updated on: 2025-09-24
Assigner: Cisco Systems, Inc.
Description
CVSS Scores
EPSS Scores
| EPSS metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_xe | 3.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the HTTP API subsystem of Cisco IOS XE Software and allows a remote attacker to inject operating-system commands that execute with root privileges on the underlying OS. The root cause is insufficient validation of the input carried in API calls, which is the CWE-77 command-injection weakness listed above: attacker-supplied parameters reach an OS command without the shell metacharacters in them being neutralized. There are two paths to exploitation. An authenticated attacker with administrative privileges can send a crafted API call directly. An unauthenticated attacker can instead persuade a logged-in administrator to open a malicious link, so that the administrator's own browser session submits the crafted request. In either case the injected command runs as root. A practical consequence of the second path is that exposure of the device's HTTP server to any network an administrator browses from matters as much as who holds administrative credentials, so a first check on an affected device is whether `ip http server` or `ip http secure-server` is enabled in the running configuration and who can reach it.
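To make the CWE-77 pattern from the table above concrete, the following is an added example that is not Cisco's code and has nothing to do with the real IOS XE HTTP API. It shows a minimal API handler that assembles an OS command from a caller-controlled parameter and hands it to a shell, beside two hardened forms. The parameter name `target`, the idea of a hypothetical diagnostic endpoint, and the use of `echo` as a harmless stand-in for the real command are all assumptions made for the demonstration.

```python
"""Added example (not Cisco's code and not the IOS XE HTTP API): a minimal
CWE-77 command-injection handler next to its hardened forms.

Assumptions made for the demonstration: the parameter is called `target`,
the handler represents a hypothetical diagnostic API endpoint, and `echo`
stands in for the real OS command so the injection is harmless to run.
"""
import re
import subprocess

# Constructed attacker input: a plausible host value followed by a shell
# metacharacter and a second command. Only a shell gives ';' that meaning.
INJECTED_INPUT = "10.0.0.1; echo INJECTED"

# Allowlist for the host parameter: dot-separated labels of letters, digits
# and internal hyphens (covers dotted-quad IPv4 and DNS names). Everything
# else is rejected before any command is assembled.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")


def _run(cmd, shell: bool) -> str:
    """Run a command and return its stdout (stderr ignored for brevity)."""
    result = subprocess.run(
        cmd, shell=shell, capture_output=True, text=True, check=False
    )
    return result.stdout


def vulnerable_handler(target: str) -> str:
    """CWE-77: the command is assembled by string formatting and handed to
    /bin/sh, so the shell parses the caller's ';' as a command separator.
    In the real vulnerability the resulting command ran as root."""
    return _run(f"echo {target}", shell=True)


def argv_only_handler(target: str) -> str:
    """Second line of defence on its own: an argv list and no shell. The
    whole value becomes one argument, so ';' is printed, not executed.
    Not sufficient in general (the target program may still interpret a
    leading '-' as an option), which is why the allowlist is kept as well."""
    return _run(["echo", target], shell=False)


def hardened_handler(target: str) -> str:
    """Allowlist validation first, then no-shell execution."""
    if not HOST_RE.fullmatch(target):
        raise ValueError(f"rejected target parameter: {target!r}")
    return argv_only_handler(target)


def hardened_handler_rejects(target: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        hardened_handler(target)
    except ValueError:
        return True
    return False


def injection_succeeded(output: str) -> bool:
    """The second command ran if its marker appears as its own output line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable :", repr(vulnerable_handler(INJECTED_INPUT)))
    print("argv only  :", repr(argv_only_handler(INJECTED_INPUT)))
    print("hardened   :", "rejected" if hardened_handler_rejects(INJECTED_INPUT)
          else repr(hardened_handler(INJECTED_INPUT)))
```

Running the script prints two lines of output from the vulnerable handler (the second being the injected command's marker), a single literal line from the argv-only handler, and a rejection from the hardened handler. The two hardened layers are deliberately independent: the allowlist stops bad input at the API boundary, and the no-shell execution removes the metacharacter parsing that makes CWE-77 exploitable even if a validation gap is found later.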
How can this vulnerability impact me?
Exploitation of this vulnerability gives an attacker root-level control over the affected device. With root on the underlying operating system the attacker can execute arbitrary commands with the highest privileges, which means the whole device can be compromised: services disrupted, data stolen, or other severe impacts caused, all from a single crafted API request or a single link clicked by an administrator.