CVE-2025-20363

Critical

Published: 25 September 2025

Modified: 10 February 2026
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0644 (91.3rd percentile)
Risk Priority: 22 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20363 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Cisco IOS XR. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability stemming from improper validation of user-supplied input in HTTP requests affects the web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. The flaw, tracked as CVE-2025-20363 with a CVSS score of 9.0, is classified as CWE-122 (heap-based buffer overflow) and permits remote code execution when successfully triggered.

An unauthenticated remote attacker can target ASA and FTD instances, while an authenticated remote attacker with low privileges can target the IOS family products. Exploitation requires sending crafted HTTP requests after first gathering system information, bypassing exploit mitigations, or both, ultimately allowing arbitrary code execution as root and full device compromise.

The official Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O provides further details on mitigation steps and patches. The associated EPSS score has remained flat at a peak of 0.0644 with no material increase observed since disclosure.

Vulnerability details

A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. For more information about this vulnerability, see the Details section of this advisory.

Related Threats

Threat-Actor Attribution (AI)

ArcaneDoor (C0046)
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via crafted HTTP requests to exposed web services on public-facing Cisco devices (unauthenticated for ASA/FTD, low-privilege authenticated for IOS variants).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20362 · Same product: Cisco Adaptive Security Appliance Software
CVE-2025-20333 · Same product: Cisco Adaptive Security Appliance Software
CVE-2025-20352 · Same product: Cisco IOS
CVE-2025-20337 · Same vendor: Cisco
CVE-2026-20127 · Same vendor: Cisco
CVE-2025-20172 · Same product: Cisco IOS
CVE-2026-20131 · Same vendor: Cisco
CVE-2026-20129 · Same vendor: Cisco
CVE-2025-20393 · Same vendor: Cisco
CVE-2026-20103 · Same product: Cisco Adaptive Security Appliance Software

Affected Assets

Cisco IOS XR: 6.5.1, 6.5.2, 6.5.3, 6.6.2, 6.6.25
Cisco Adaptive Security Appliance Software: 9.12 — 9.12.4.72 · 9.14 — 9.14.4.28 · 9.16 — 9.16.4.84
Cisco IOS: 12.2(15)b — 15.9(3)m11
Cisco IOS XE: 3.2.0sg — 17.17.1
Cisco Firepower Threat Defense: 7.6.0 · 7.0.0 — 7.0.8 · 7.1.0 — 7.2.10 · 7.3.0 — 7.4.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Directly addresses the root cause of improper validation of user-supplied input in HTTP requests to prevent arbitrary code execution.

Prevent: Remediates the specific flaw in web services through timely identification, testing, and application of vendor patches.

Prevent: Implements memory safeguards like ASLR and DEP to mitigate exploitation attempts leading to unauthorized code execution as root.
