Cisco warns of a Critical remote code execution flaw in web services across multiple Cisco platforms. Tracked as CVE-2025-20363 (CWE-122), this vulnerability carries a CVSS 3.1 Base Score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) and impacts ASA, FTD, IOS, IOS XE, and IOS XR Software.
Cisco Input Validation Flaw (CVE-2025-20363)
The flaw stems from improper validation of user-supplied input in HTTP requests. Attackers can craft malicious HTTP packets to bypass exploit mitigations and execute arbitrary shell commands as root.
For Cisco Secure Firewall ASA and FTD, no authentication is required; for IOS, IOS XE, and IOS XR, only low-privileged authenticated access is needed.
Affected services listen on SSL or HTTP ports when features such as webvpn, AnyConnect SSL VPN, or the HTTP server are enabled. Example CLI checks:
Successful exploitation yields a root shell, potentially leading to full device compromise.
Cisco acknowledges Keane O’Kelley of Cisco ASIG for discovering the defect. Coordination with ASD, CSE, NCSC, and CISA contributed to the advisory.
All ASA Series (5500-X, ASAv, Firepower 1000/2100/4100/9000, Secure Firewall 1200/3100/4200), FTD platforms, IOS routers with SSL VPN, IOS XE routers, and ASR 9001 running 32-bit IOS XR with HTTP enabled are vulnerable.
No workarounds exist. Customers must upgrade to fixed releases immediately. The advisory provides detailed fixed versions per platform under the Fixed Software section.
| Risk Factors | Details |
| Affected Products | Cisco Secure Firewall ASA & FTD Software, Cisco IOS Software & IOS XE Software, Cisco IOS XR Software (32-bit on ASR 9001 with HTTP server enabled) |
| Impact | Remote unauthenticated code execution as root |
| Exploit Prerequisites | SSL VPN (webvpn) or AnyConnect SSL VPN enabled |
| CVSS 3.1 Score | 9.0 (Critical) |
Cisco recommends using the Cisco Software Checker to identify vulnerable releases and the earliest patches. Administrators should audit device configurations to confirm SSL VPN or HTTP server status.
For ASA/FTD, verify webvpn or AnyConnect SSL VPN settings; for IOS XR, ensure run uname -s returns Linux or disable HTTP via no http server. Cisco PSIRT confirms no active exploitation in the wild.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
Source link
