Cisco IOS/XE Vulnerability Allows Unauthorized Access to Confidential Data

Cisco has released an advisory for a high-severity vulnerability, CVE-2025-20160, in Cisco IOS and IOS XE Software. The flaw stems from improper validation of the TACACS+ shared-secret configuration.

When a TACACS+ server is configured on the device without a shared secret, an unauthenticated, remote attacker in a machine-in-the-middle position between the device and that server can intercept or manipulate the authentication messages exchanged between them.

Successful exploitation can yield unauthorized access to confidential information or full administrative control of the device.

Overview of the Vulnerability

The vulnerability exists because the software fails to verify that a TACACS+ shared secret has been configured before processing authentication requests.

An attacker on the network path can either read the TACACS+ messages, which are sent in the clear when no shared secret is configured, or impersonate the TACACS+ server.

CVE: CVE-2025-20160
Affected Products: Cisco IOS and IOS XE Software with TACACS+ configured without a shared secret
CVSS 3.1 Score: 8.1 (High)

By impersonating the server and returning crafted authentication responses, the attacker can bypass authentication altogether and obtain full administrative access to routers and switches running a vulnerable IOS or IOS XE release, exposing configuration data, credentials, and other sensitive information.
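To see why a missing shared secret exposes the message contents, here is an added example (not from Cisco's advisory or this article) that frames a TACACS+ authentication START packet the way RFC 8907 describes it: with a key, the body is XORed against an MD5-derived pseudo-pad that only a holder of the secret can regenerate (the RFC itself calls this obfuscation, not encryption); with no key, the TAC_PLUS_UNENCRYPTED_FLAG is set and the body, username included, crosses the wire verbatim. The session id, username, port, address and key are constructed values.

```python
import hashlib
import struct
from typing import Optional

# TACACS+ header (RFC 8907 section 4.1), all fields big-endian:
# version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
VERSION = 0xC0                     # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body is sent in the clear


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: a chain of MD5 digests seeded with
    session_id || key || version || seq_no, each round also fed the previous
    digest. Without the key an observer cannot reproduce this pad."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 section 5.1) for an ASCII login.
    Fixed fields: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)."""
    data = b""
    return (bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def build_packet(seq_no: int, session_id: int, body: bytes, key: Optional[bytes]) -> bytes:
    """Frame a body as the device would. With a shared secret the body is XORed
    with the pseudo-pad; with none (the vulnerable configuration) the
    TAC_PLUS_UNENCRYPTED_FLAG is set and the body goes out verbatim."""
    flags = 0
    if key:
        pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
        wire_body = bytes(a ^ b for a, b in zip(body, pad))
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        wire_body = body
    header = struct.pack(HEADER_FMT, VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + wire_body


def read_body(packet: bytes, key: Optional[bytes]) -> Optional[bytes]:
    """What an observer on the path recovers from a captured packet: the body
    when it is readable, None when the secret is needed but unknown."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    wire_body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return wire_body                     # no secret configured: plaintext on the wire
    if key is None:
        return None                          # obfuscated, and we do not hold the secret
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(a ^ b for a, b in zip(wire_body, pad))


if __name__ == "__main__":
    # Constructed sample: a login START for user "admin" on vty0 (not a real capture).
    body = authen_start_body(b"admin", b"vty0", b"192.0.2.10")
    session = 0x5A1F0C33
    with_key = build_packet(1, session, body, b"s3cret")
    without_key = build_packet(1, session, body, None)
    print("keyed   ->", read_body(with_key, None))      # None: unreadable without the secret
    print("unkeyed ->", read_body(without_key, None))   # full body, username included
```

The same asymmetry applies in the other direction: a device with no key configured accepts replies carrying the unencrypted flag, which is what lets an impersonated server answer at all.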

Any Cisco device running a vulnerable IOS or IOS XE release and configured for TACACS+ without a shared secret is at risk.

Impact ranges from unauthorized disclosure of TACACS+ payloads to complete authentication bypass, granting full administrative privileges.

Cisco has not observed any public exploits or malicious activity targeting this issue to date.

Cisco strongly urges all customers to apply the provided software updates immediately. Fixed releases are listed in the advisory’s “Fixed Software” section.

As a workaround until the upgrade, ensure that every TACACS+ server configured on the device has a shared secret (a key) set.

Run show running-config | include tacacs server|key and verify that each tacacs server entry in the output is followed by its key line; any server entry without one is missing its shared secret.

After confirming proper key configuration, plan an upgrade to a fixed IOS or IOS XE version at the earliest opportunity.
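The following script is an added example, not Cisco's own tooling, that automates the workaround check above. It emulates the `| include tacacs server|key` filter and then parses a constructed running-config to list every TACACS+ server entry with no shared secret, covering both `tacacs server` blocks and legacy `tacacs-server host` lines (which fall back to a global `tacacs-server key` when they carry no inline key). The server names, addresses and key strings are made up; the fixed configuration shows the same entries with the workaround applied.

```python
import re
from typing import List

# Constructed sample running-config (not from a real device). ISE-2 has no
# key line, and legacy host 10.0.0.13 has neither an inline key nor a global
# tacacs-server key to fall back on.
VULNERABLE_CONFIG = """\
tacacs server ISE-1
 address ipv4 10.0.0.11
 key 7 0822455D0A16
!
tacacs server ISE-2
 address ipv4 10.0.0.12
 timeout 5
!
tacacs-server host 10.0.0.13
tacacs-server host 10.0.0.14 key 0 legacy-secret
!
aaa group server tacacs+ ISE
 server name ISE-1
 server name ISE-2
"""

# The same configuration after the workaround: every server has a shared secret.
FIXED_CONFIG = VULNERABLE_CONFIG.replace(
    " timeout 5\n", " timeout 5\n key 0 ISE-2-secret\n"
).replace(
    "tacacs-server host 10.0.0.13\n", "tacacs-server host 10.0.0.13 key 0 host13-secret\n"
)


def include_filter(config: str, pattern: str) -> List[str]:
    """Emulate `show running-config | include <regex>`: IOS prints every line
    matching the regex, so `tacacs server|key` lists server headers and key
    lines side by side for eyeballing."""
    return [ln for ln in config.splitlines() if re.search(pattern, ln)]


def audit_tacacs_config(config: str) -> List[str]:
    """Return the TACACS+ server entries that have no shared secret."""
    missing: List[str] = []
    legacy_without_inline_key: List[str] = []
    has_global_key = False
    block_name = None        # name of the `tacacs server` block being parsed
    block_has_key = False

    for line in config.splitlines():
        if block_name is not None and line.startswith(" "):
            # Indented line belongs to the open block; only `key ...` matters here.
            if line.strip().startswith("key "):
                block_has_key = True
            continue
        # Any non-indented line (including `!`) closes the open block.
        if block_name is not None and not block_has_key:
            missing.append(block_name)
        block_name, block_has_key = None, False

        m = re.match(r"tacacs server (\S+)\s*$", line)
        if m:
            block_name = m.group(1)
        elif re.match(r"tacacs-server key\b", line):
            has_global_key = True
        else:
            m = re.match(r"tacacs-server host (\S+)(.*)$", line)
            if m and not re.search(r"\bkey\b", m.group(2)):
                legacy_without_inline_key.append(m.group(1))

    if block_name is not None and not block_has_key:   # config ended inside a block
        missing.append(block_name)
    if not has_global_key:                             # no default key to fall back on
        missing.extend(legacy_without_inline_key)
    return missing


if __name__ == "__main__":
    print("\n".join(include_filter(VULNERABLE_CONFIG, r"tacacs server|key")))
    print("servers without a shared secret:", audit_tacacs_config(VULNERABLE_CONFIG))
    print("after workaround:", audit_tacacs_config(FIXED_CONFIG))
```

Note that the advisory's include filter matches on the literal text, so a legacy `tacacs-server host` line without a key does not appear in its output at all; the parser above reports such entries explicitly rather than relying on a gap in the listing being noticed.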



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.