Cisco published Security Advisory cisco-sa-http-code-exec-WmfP3h3O revealing a severe flaw in multiple Cisco platforms that handle HTTP-based management.
Tracked as CVE-2025-20363, this vulnerability stems from improper validation of user-supplied input in HTTP requests.
| CVE | Affected Products | Impact | CVSS 3.1 Score |
| CVE-2025-20363 | Secure Firewall ASA & FTD with SSL VPN or MUS enabled; IOS/IOS XE with Remote Access SSL VPN; IOS XR (32-bit) on ASR-9001 with HTTP server enabled | Full root code execution, total device compromise | 9.0 |
An attacker who crafts malicious HTTP traffic can trigger arbitrary code execution as the root user, resulting in a total device compromise.
The flaw affects:
- Cisco Secure Firewall ASA and Secure Firewall Threat Defense (FTD) Software
- Cisco IOS, IOS XE, and IOS XR Software
For ASA and FTD devices, no authentication is required. An unauthenticated attacker can send specially crafted requests directly to intercepted SSL-enabled web services, bypassing exploit mitigations after gathering system information.
On IOS, IOS XE, and IOS XR platforms, a low-privileged authenticated user can exploit the same weakness in HTTP services to gain root access.
Cisco rates the impact as Critical with a CVSS 3.1 base score of 9.0, reflecting complete confidentiality, integrity, and availability loss via network-based attack with no user interaction.
There are no available workarounds; only software updates fully resolve the issue. Affected configurations span multiple product lines and features:
Cisco’s advisory lists the bug IDs CSCwo18850, CSCwo35704, and CSCwo35779, among others, for tracking platform-specific reports.
Customers must verify their device configurations such as the presence of webvpn or crypto ssl policy settings on ASA/FTD and IOS/XE, or http server on IOS XR and upgrade to the first fixed releases provided in the advisory.
To determine exposure and obtain fixed releases, Cisco offers the Software Checker tool. Users can select this advisory to identify vulnerable versions and the earliest patched software.
For ASA and FTD, fixed releases appear in the advisory’s “Fixed Software” section; for IOS and IOS XE, similar information is available via the Software Checker.
IOS XR users on 32-bit ASR 9001 platforms must contact Cisco TAC for SMUs.No public exploits or attacks leveraging CVE-2025-20363 have been observed.
The flaw was discovered by Keane O’Kelley of Cisco’s Advanced Security Initiatives Group during a TAC support case. Cisco PSIRT credits several national cybersecurity centers for supporting the investigation.
Cisco strongly recommends:
- Immediately apply the fixed software releases for all affected firewalls and routers.
- Use the Cisco Software Checker to confirm platform exposure.
- Contact Cisco TAC for assistance if you cannot upgrade directly or lack a valid service contract.
Failure to remediate exposes critical network infrastructure to total compromise by remote adversaries. Ensure rapid deployment of patches to maintain security of Cisco firewall and routing platforms.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
