CVE-2025-20363

Sept. 26, 2025, 2:07 p.m.

9.0
Critical

Description

A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. For more information about this vulnerability, see the Details section of this advisory.

Product(s) Impacted

Vendor  Product                                       Versions
Cisco   Secure Firewall Adaptive Security Appliance   *
Cisco   Secure Firewall Threat Defense                *
Cisco   IOS                                           *
Cisco   IOS XE                                        *
Cisco   IOS XR                                        *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-122
Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a cisco secure_firewall_adaptive_security_appliance / / / / / / / /
a cisco secure_firewall_threat_defense / / / / / / / /
a cisco ios / / / / / / / /
a cisco ios_xe / / / / / / / /
a cisco ios_xr / / / / / / / /

CVSS Score

9.0 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: Sept. 25, 2025, 4:15 p.m.
Last Modified: Sept. 26, 2025, 2:07 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

psirt@cisco.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.