CVE-2025-20314Improper Handling of Undefined Values in Cisco IOS XE Software

CWE-232Improper Handling of Undefined ValuesCWE-35Path Traversal: '.../...//'4 documents4 sources
Severity
6.7MEDIUMNVD
EPSS
0.1%
top 75.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Cisco IOS XE Software
Timeline
PublishedSep 24

Description

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute persistent code at boot time and break the chain of trust. This vulnerability is due to improper validation of software packages. An attacker could exploit this vulnerability by placing a crafted file into a specific location on an affected device. A successful exploit could allow the attacker to execut

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages1 packages

CVEListV5cisco/cisco_ios_xe_software119 versions+118

🔴Vulnerability Details

2
GHSA
GHSA-wpmf-xfg7-q3gp: A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with phy2025-09-24
CVEList
CVE-2025-20314: A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with phy2025-09-24

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software Secure Boot Bypass Vulnerabilities2025-09-24
CVE-2025-20314 — Improper Handling of Undefined Values | cvebase