CVE-2025-20138
Published: 12 March 2025
Summary
CVE-2025-20138 is a high-severity OS Command Injection (CWE-78) vulnerability in Cisco Ios Xr. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates information input validation at CLI entry points, directly countering the insufficient validation of user arguments that enables OS command injection and privilege escalation.
SI-2 requires timely flaw remediation, such as applying vendor patches for this specific CLI vulnerability to prevent exploitation.
AC-6 enforces least privilege, restricting low-privileged accounts' access to vulnerable CLI commands and limiting potential damage from escalation attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables local authenticated command injection in network device CLI leading to root-level arbitrary command execution, directly mapping to exploitation for privilege escalation and abuse of network device CLI.
NVD Description
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user…
more
arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands.
Deeper analysisAI
CVE-2025-20138 is a vulnerability in the Command-Line Interface (CLI) of Cisco IOS XR Software. The issue arises from insufficient validation of user arguments passed to specific CLI commands, which could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of affected devices. Published on 2025-03-12, it is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An attacker requires a low-privileged account and local access to the device to exploit this vulnerability by entering crafted commands at the CLI prompt. Successful exploitation enables privilege escalation to root, allowing the execution of arbitrary commands on the operating system with full administrative control, potentially compromising confidentiality, integrity, and availability.
Mitigation details are available in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-priv-esc-GFQjxvOF. An additional reference is provided at https://blog.apnic.net/2024/09/02/crafting-endless-as-paths-in-bgp/.
Details
- CWE(s)