CVE-2025-20334: Command Injection in Cisco IOS XE Software

Severity: 8.8 HIGH (NVD)
EPSS: 0.1% (top 80.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 24

Description

A vulnerability in the HTTP API subsystem of Cisco IOS XE Software could allow a remote attacker to inject commands that will execute with root privileges into the underlying operating system. This vulnerability is due to insufficient input validation. An attacker with administrative privileges could exploit this vulnerability by authenticating to an affected system and performing an API call with crafted input. Alternatively, an unauthenticated attacker could persuade a legitimate user with adm

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (1 package)

CVEListV5: cisco/cisco_ios_xe_software (38 versions)

Vulnerability Details (2)

CVEList: CVE-2025-20334 (2025-09-24)
GHSA: GHSA-gm2m-9c24-v5ff (2025-09-24)

Vendor Advisories

Cisco: Cisco IOS XE Software HTTP API Command Injection Vulnerability (2025-09-24)
CVE-2025-20334 — Command Injection in Cisco | cvebase