CVE-2026-20125
Improper Input Validation in Cisco IOS HTTP Server Causes DoS
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: Cisco Systems, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_software | 3e |
| cisco | ios_xe_software | 3e |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-228 | The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To determine whether a device is exposed to this vulnerability, verify whether the HTTP Server feature is enabled and whether the WEB_EXEC session module is active.
- Run the command `show running-config | include ip http server|secure` to check if the HTTP Server is enabled. The presence of `ip http server` or `ip http secure-server` indicates it is enabled.
- Run the command `show ip http server session-module | include Status|WEB_EXEC` to verify if the WEB_EXEC module is active. If the Status (for HTTP) or Secure-status (for HTTPS) of WEB_EXEC is "Active," the device is vulnerable.
Devices with only HTTPS enabled and WEB_EXEC inactive are not vulnerable.
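The two checks above, turned into a script that evaluates captured output of the two `show` commands against the stated rule (HTTP listener enabled and WEB_EXEC Status Active, or HTTPS listener enabled and WEB_EXEC Secure-status Active). This is an added example, not code from the original record or from Cisco; the sample command output below is constructed, and the column layout of the session-module output is an assumption.

```python
import re

# Constructed sample output of `show running-config | include ip http server|secure`
# (not captured from a real device).
RUNNING_CONFIG_SAMPLE = """\
ip http server
ip http secure-server
"""

# Constructed sample output of `show ip http server session-module | include Status|WEB_EXEC`.
# Column layout (Name, Handle, Status, Secure-status, Description) is an assumption.
SESSION_MODULE_SAMPLE = """\
Session module Name  Handle  Status    Secure-status  Description
WEB_EXEC             3       Active    Inactive       HTTP based IOS EXEC Server
"""


def http_listeners(running_config: str) -> dict:
    """Report which listeners are enabled from the filtered running-config.

    The `include` filter also matches negated lines such as `no ip http server`,
    so compare whole lines rather than substrings.
    """
    lines = {ln.strip() for ln in running_config.splitlines()}
    return {"http": "ip http server" in lines,
            "https": "ip http secure-server" in lines}


def web_exec_status(session_module_output: str) -> dict:
    """Parse the WEB_EXEC row: Status covers HTTP, Secure-status covers HTTPS."""
    for line in session_module_output.splitlines():
        cols = re.split(r"\s+", line.strip())
        if len(cols) >= 4 and cols[0] == "WEB_EXEC":
            return {"http": cols[2] == "Active", "https": cols[3] == "Active"}
    # No WEB_EXEC row at all: the module is not active on either listener.
    return {"http": False, "https": False}


def is_exposed(running_config: str, session_module_output: str) -> bool:
    """Exposed when a listener is enabled AND WEB_EXEC is active for that listener."""
    svc = http_listeners(running_config)
    wx = web_exec_status(session_module_output)
    return (svc["http"] and wx["http"]) or (svc["https"] and wx["https"])


if __name__ == "__main__":
    print("exposed" if is_exposed(RUNNING_CONFIG_SAMPLE, SESSION_MODULE_SAMPLE) else "not exposed")
```

Feed it the output of the two commands as copied from the device; a device with only `ip http secure-server` and a WEB_EXEC Secure-status of Inactive evaluates to not exposed, matching the note above.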
Can you explain this vulnerability to me?
This vulnerability exists in the HTTP Server feature of Cisco IOS and Cisco IOS XE Software Release 3E. It allows an authenticated remote attacker to cause the affected device to reload unexpectedly, leading to a denial of service (DoS) condition.
The root cause is improper validation of user-supplied input. An attacker can exploit this by sending malformed HTTP requests to the device. If successful, this triggers a watchdog timer expiration, causing the device to reload.
To exploit this vulnerability, the attacker must have a valid user account on the device.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) condition. An attacker with valid credentials can cause the affected device to reload unexpectedly, disrupting network operations and potentially causing downtime.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that only trusted and authenticated users have access to the affected Cisco IOS and IOS XE devices, as exploitation requires valid user credentials.
Additionally, monitor for malformed HTTP requests that could trigger the vulnerability and consider applying any available software updates or patches from Cisco that address this issue.