CVE-2025-20334
published 2025-09-24


Priority: P2 · 64 · high
CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 0.47% (37.0th percentile)
A vulnerability in the HTTP API subsystem of Cisco IOS XE Software could allow a remote attacker to inject commands that will execute with root privileges into the underlying operating system. This vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by authenticating to an affected system and performing an API call with crafted input. Alternatively, an unauthenticated attacker could persuade a legitimate user with administrative privileges who is currently logged in to the system to click a crafted link. A successful exploit could allow the attacker to execute arbitrary commands as the root user. Note that the CVSS vector (PR:N/UI:R) scores the second path: the attacker needs no privileges of their own, but a logged-in administrator must be induced to act; the direct path requires administrative credentials on the device.
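The bug class in the description above, modelled in Python as an added example (this is not Cisco's code and is not derived from it): a handler that interpolates an API field into a root shell command, beside a hardened handler that allow-lists the field and never hands it to a shell, plus the same-origin check that defeats the crafted-link path. The endpoint shape, the `target` field, the allow-list pattern and the use of `echo` as a harmless stand-in for the real root-level tool are assumptions made for the illustration.

```python
import re
import subprocess
from typing import Dict, List

# Assumption for the illustration: the API takes JSON such as
# {"target": "10.0.0.1"} and runs a diagnostic tool against that target.
# "echo" stands in for the real root-level tool so the example is harmless.


def vulnerable_handler(body: Dict[str, str]) -> str:
    """Builds a shell string from an unvalidated request field (shell=True).

    Anything the shell treats specially (;, &&, |, backticks, $(...)) ends
    the intended command and starts an attacker-chosen one, which then runs
    with the daemon's privileges (root, per the advisory).
    """
    target = body.get("target", "")
    cmd = f"echo diagnostics {target}"  # no validation, no quoting
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allow-list for the field (assumed): an IPv4 dotted quad or a hostname. The
# first character must be alphanumeric, so a value cannot start with "-" and
# be parsed as an option by the tool (argument injection is a separate hazard).
_TARGET_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9](?:[A-Za-z0-9-]*\.?)*)$"
)


def validate_target(target: str) -> str:
    """Rejects anything outside the allow-list before it reaches a process."""
    if not _TARGET_RE.fullmatch(target):
        raise ValueError(f"rejected target: {target!r}")
    return target


def hardened_handler(body: Dict[str, str]) -> str:
    """Validates the field and passes argv as a list with no shell, so
    metacharacters stay inert even if the allow-list were ever bypassed."""
    target = validate_target(body.get("target", ""))
    argv: List[str] = ["echo", "diagnostics", target]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_cross_site(headers: Dict[str, str], device_host: str) -> bool:
    """Same-origin check for the crafted-link path in the advisory.

    A lure page makes the admin's browser send the request with the admin's
    session; the browser does not let a cross-site page forge Origin or
    Referer, so a mismatch (or absence) on a state-changing API call marks
    the request as not coming from the device's own UI.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return True
    m = re.match(r"^https?://([^/:]+)", source)
    return m is None or m.group(1).lower() != device_host.lower()


if __name__ == "__main__":
    crafted = {"target": "10.0.0.1; echo INJECTED"}
    # The vulnerable path prints "INJECTED" on its own line: a second command ran.
    print(vulnerable_handler(crafted), end="")
    try:
        hardened_handler(crafted)
    except ValueError as exc:
        print("hardened handler:", exc)
    print("cross-site:", is_cross_site({"Origin": "https://attacker.example"}, "router1.corp.example"))
```

The hardened handler relies on two independent controls: rejecting input outside the allow-list, and never routing input through a shell. Either one alone would stop this payload; together they also cover the case where a later change to the allow-list lets something unexpected through.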

Affected

41 ranges (25 shown on the source page)
Vendor | Product | Version range | Fixed in
cisco | cisco_ios_xe_software | | 
Every listed range has vendor cisco and product cisco_ios_xe_software; the version-range and fixed-in values were not captured in this extract, so consult the Cisco advisory (bug ID CSCwn48408) for the exact affected and fixed releases.

Detection & IOCs (extracted from sources)

  • Primary vector: an authenticated HTTP API call carrying crafted input to the IOS XE device. Monitor for anomalous or unexpected API calls from administrative sessions, including parameter values that contain shell metacharacters.
  • Secondary vector is CSRF-style: an unauthenticated attacker lures a logged-in administrator into clicking a crafted link, so the request rides on the admin's existing session. Monitor for state-changing requests to IOS XE management interfaces whose Origin or Referer is not the device itself.
  • Successful exploitation yields arbitrary OS command execution as root. Alert on unexpected root-level process creation by the IOS XE HTTP API daemon (for example, web server child processes spawning a shell).
  • Track Cisco bug ID CSCwn48408 for vendor patch and detection guidance updates.
  • Exploitation requires the HTTP API subsystem to be enabled and reachable. Restrict management-plane access (HTTP/HTTPS) to trusted hosts only to reduce the attack surface.
  • There are no workarounds; upgrading to a fixed software release is the only remediation.
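The detection bullets above turned into runnable logic, as an added example (not the source's or Cisco's own rule set): three checks run over HTTP access-log lines in NCSA combined format, such as a reverse proxy or log collector in front of the management interface would produce. The sample log lines, the device hostname, the trusted management network and the API path prefixes (including the `/restconf/operations/diag` endpoint) are constructed for the illustration and are not taken from a real device or capture.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

# Assumptions for the illustration: the device's management FQDN, the
# networks administrators connect from, and the API path prefixes.
DEVICE_HOST = "router1.corp.example"
TRUSTED_NETS = [ip_network("10.10.1.0/24")]
API_PREFIXES = ("/restconf/", "/webui/")

# Characters a POSIX shell would act on if a parameter value reached one
# unquoted; their presence in an API parameter is the injection signal.
SHELL_META = re.compile(r"[;&|`$<>\n]")

# NCSA combined format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample (not real captures): a normal read, a crafted parameter
# (%3B decodes to ";"), a request riding on the admin's session from a lure
# page, and an attempt from outside the management network.
SAMPLE_LOG = [
    '10.10.1.5 - admin [24/Sep/2025:10:01:12 +0000] "GET /restconf/data/Cisco-IOS-XE-native:native/hostname HTTP/1.1" 200 87 "https://router1.corp.example/webui/" "Mozilla/5.0"',
    '10.10.1.5 - admin [24/Sep/2025:10:02:40 +0000] "POST /restconf/operations/diag?target=10.0.0.1%3Bid HTTP/1.1" 200 0 "https://router1.corp.example/webui/" "Mozilla/5.0"',
    '10.10.1.5 - admin [24/Sep/2025:10:03:01 +0000] "POST /restconf/operations/diag?target=10.0.0.1 HTTP/1.1" 200 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - admin [24/Sep/2025:10:04:30 +0000] "POST /restconf/operations/diag?target=10.0.0.1 HTTP/1.1" 401 0 "-" "curl/8.0"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Splits one combined-format line into named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    return m.groupdict()


def check(rec: Dict[str, str]) -> List[str]:
    """Returns the names of the rules a record triggers (empty if clean)."""
    hits: List[str] = []
    url = urlsplit(rec["target"])
    if not url.path.startswith(API_PREFIXES):
        return hits  # not the HTTP API subsystem; out of scope here
    # Rule 1: shell metacharacters in the decoded query of an API call.
    # Decode first: an encoded ";" (%3B) is still ";" by the time it reaches
    # whatever the back end does with the value.
    if SHELL_META.search(unquote_plus(url.query)):
        hits.append("api-shell-metachar")
    # Rule 2: a state-changing call whose Referer is not the device itself.
    # A browser does not let a cross-site lure page forge this header, so a
    # foreign or missing Referer on a POST from a web-UI session is the
    # CSRF-style signal. Non-browser API clients send none; scope this rule
    # to web-UI sessions or exempt known automation user agents.
    if rec["method"] in ("POST", "PUT", "PATCH", "DELETE"):
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host != DEVICE_HOST:
            hits.append("cross-site-referer")
    # Rule 3: management plane reached from outside the trusted hosts.
    if not any(ip_address(rec["ip"]) in net for net in TRUSTED_NETS):
        hits.append("untrusted-source")
    return hits


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parses each line and returns only the records that trigger a rule."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        hits = check(rec)
        if hits:
            findings.append({"ip": rec["ip"], "user": rec["user"], "target": rec["target"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['user']:<6} {', '.join(f['hits']):<38} {f['target']}")
```

Rule 1 is the direct path (an administrator's session sending crafted input), rule 2 is the crafted-link path, and rule 3 is the management-plane exposure the last bullet says to reduce. A device whose HTTP/HTTPS access is already restricted to the trusted networks will never produce a rule 3 hit, which is itself a useful check that the restriction is in force.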

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vendor_cisco | | 8.8 | HIGH | 
vendor_msrc | | 5.5 | MEDIUM | 