CVE-2025-20363
Published: 25 September 2025
Summary
CVE-2025-20363 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software and Cisco IOS XR Software. Its CVSS v3.1 base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 9.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the root cause, improper validation of user-supplied input in HTTP requests, to prevent arbitrary code execution.
- SI-2 (Flaw Remediation): remediates the specific flaw in the affected web services through timely identification, testing and application of vendor patches.
- SI-16 (Memory Protection): implements memory safeguards such as ASLR and DEP to hinder exploitation attempts that would otherwise yield code execution as root. Note that the advisory already anticipates an attacker "overcoming exploit mitigations", so these safeguards raise the cost of exploitation rather than close the flaw; patching remains the fix.
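Alongside patching (SI-2), the practical exposure question for the IOS and IOS XE variants is whether the device's HTTP(S) server can be reached from untrusted sources at all. The following config audit is an added example written for this page; it is not Cisco tooling and not part of the advisory. It parses constructed IOS/IOS XE running-config fragments (not captured from any real device) and flags a web server that is enabled without an `ip http access-class` restriction, or whose access-class ACL permits any source. It handles IOS/IOS XE syntax only; ASA and FTD configure their web services differently and are not covered here.

```python
import re
from typing import Dict, List, Optional

# Constructed sample IOS XE running-config fragments for the audit below.
# They are illustrative only and were not captured from any real device.
EXPOSED_CFG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 description uplink to ISP
 ip address 203.0.113.10 255.255.255.0
"""

RESTRICTED_CFG = """\
hostname edge-rtr-2
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
 deny any
"""

WIDE_OPEN_ACL_CFG = """\
hostname edge-rtr-3
ip http secure-server
ip http access-class ipv4 ANYONE
ip access-list standard ANYONE
 permit any
"""


def _acl_entries(lines: List[str], name: str) -> Optional[List[str]]:
    """Return the entries of an IOS ACL by name/number, or None if undefined.

    Named ACLs are a header line followed by indented entries; numbered ACLs
    are single 'access-list N ...' lines. Both forms are collected.
    """
    entries: List[str] = []
    found = False
    in_block = False
    for line in lines:
        stripped = line.strip()
        if re.fullmatch(rf"ip access-list (standard|extended) {re.escape(name)}", stripped):
            found, in_block = True, True
            continue
        if in_block:
            if line.startswith(" "):
                entries.append(stripped)
                continue
            in_block = False  # first non-indented line ends the ACL block
        m = re.fullmatch(rf"access-list {re.escape(name)} (.+)", stripped)
        if m:
            found = True
            entries.append(m.group(1))
    return entries if found else None


def audit_http_exposure(config: str) -> Dict[str, object]:
    """Report whether the IOS/IOS XE HTTP(S) server is reachable without a source restriction."""
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]
    http_on = "ip http server" in stripped          # 'no ip http server' does not match
    https_on = "ip http secure-server" in stripped
    acl_name = None
    for l in stripped:
        m = re.fullmatch(r"ip http access-class(?: ipv4)? (\S+)", l)
        if m:
            acl_name = m.group(1)
            break

    findings: List[str] = []
    if http_on:
        findings.append("cleartext HTTP server enabled")
    if http_on or https_on:
        if acl_name is None:
            findings.append("web server reachable from any source (no ip http access-class)")
        else:
            entries = _acl_entries(lines, acl_name)
            if entries is None:
                findings.append(f"access-class references undefined ACL {acl_name}")
            elif any(re.fullmatch(r"permit (any|0\.0\.0\.0 255\.255\.255\.255)", e) for e in entries):
                findings.append(f"ACL {acl_name} permits any source")
    return {"http": http_on, "https": https_on, "access_class": acl_name, "findings": findings}


if __name__ == "__main__":
    for label, cfg in [("exposed", EXPOSED_CFG), ("restricted", RESTRICTED_CFG),
                       ("wide-open acl", WIDE_OPEN_ACL_CFG)]:
        print(label, audit_http_exposure(cfg))
```

Run it against `show running-config` output saved to a file to triage which devices need the web service restricted or disabled before the patch window. A clean result only means the server is not reachable from arbitrary sources; a device that passes is still vulnerable until the fixed software is installed, and an authenticated low-privilege user inside the permitted range still matches the attacker model for the IOS variants.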
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
Direct RCE via crafted HTTP requests to exposed web services on public-facing Cisco devices (unauthenticated for ASA/FTD, low-privilege authenticated for IOS, IOS XE and IOS XR).
NVD Description
A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. For more information about this vulnerability, see the Details section of this advisory.
Deeper analysis
CVE-2025-20363 is a vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. It stems from improper validation of user-supplied input in HTTP requests, classified under CWE-122, and carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). The issue was published on 2025-09-25.
An unauthenticated, remote attacker can exploit the vulnerability in Cisco ASA and FTD Software, while an authenticated, remote attacker with low user privileges can target Cisco IOS, IOS XE, and IOS XR Software. Exploitation involves sending crafted HTTP requests to a targeted web service on an affected device, potentially after obtaining additional system information, overcoming exploit mitigations, or both; this is reflected in the High attack complexity (AC:H) in the CVSS vector. Successful exploitation allows the attacker to execute arbitrary code as root, leading to complete compromise of the affected device.
The Cisco Security Advisory provides further details on this vulnerability, including information in the Details section, and is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O.
Details
- CWE(s)