CVE-2025-20363
Published: 25 September 2025
Summary
CVE-2025-20363 is a critical-severity heap-based buffer overflow (CWE-122) in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability stemming from improper validation of user-supplied input in HTTP requests affects the web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software. The flaw, tracked as CVE-2025-20363 with a CVSS score of 9.0, is classified as CWE-122 (Heap-based Buffer Overflow) and permits remote code execution when successfully triggered.
The attacker model differs by product: an unauthenticated remote attacker can target ASA and FTD instances, while an authenticated remote attacker with low user privileges can target IOS, IOS XE and IOS XR. Exploitation requires sending crafted HTTP requests to a targeted web service on the device, after first obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit executes arbitrary code as root, which amounts to complete compromise of the device. Because the web service is the attack surface, devices whose HTTP/HTTPS management or web services are reachable from untrusted networks carry the highest exposure.
The official Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O lists affected and fixed releases and any workarounds. The EPSS score has held at 0.0644, its peak to date, with no material increase observed since disclosure.
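The advisory's description, improper validation of user-supplied input in an HTTP request leading to a heap-based buffer overflow (CWE-122), maps to a well-known request-handler mistake: the server sizes a heap allocation from a length the client declares, then copies the bytes that actually arrived. The C example below is added here for illustration only; it is not Cisco's code and is not derived from the advisory, which does not disclose the faulting code path. The request layout, the MAX_BODY ceiling and both sample requests are assumptions. It shows the vulnerable body copy beside a hardened one that applies SI-10-style input validation before any allocation or copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Illustrative CWE-122 pattern in an HTTP request handler. Hypothetical
 * code written for this page, not Cisco's implementation. */

#define MAX_BODY 4096   /* assumed ceiling a hardened service would enforce */

/* Split a NUL-terminated raw request into headers and body and parse
 * Content-Length. Returns 0 on success, -1 if malformed.
 * *declared is set to -1 when no Content-Length header is present. */
static int split_request(const char *req, const char **body, long *declared)
{
    const char *hdr_end = strstr(req, "\r\n\r\n");
    if (hdr_end == NULL)
        return -1;
    *body = hdr_end + 4;
    *declared = -1;

    const char *cl = strstr(req, "Content-Length:");
    if (cl != NULL && cl < hdr_end) {
        const char *num = cl + strlen("Content-Length:");
        char *end = NULL;
        errno = 0;
        long v = strtol(num, &end, 10);
        if (errno != 0 || end == num)
            return -1;            /* non-numeric or out-of-range value */
        *declared = v;
    }
    return 0;
}

/* VULNERABLE: the allocation is driven by the attacker's number, the copy
 * by the real body length. A body longer than Content-Length writes past
 * the heap chunk. Only call with matching input outside a sanitizer. */
char *vulnerable_copy_body(const char *req)
{
    const char *body;
    long declared;
    if (split_request(req, &body, &declared) != 0 || declared < 0)
        return NULL;
    char *buf = malloc((size_t)declared + 1);
    if (buf == NULL)
        return NULL;
    size_t got = strlen(body);
    memcpy(buf, body, got);       /* heap overflow when got > declared */
    buf[got] = '\0';
    return buf;
}

/* HARDENED: validate the declared length against a ceiling and against
 * the bytes actually received before allocating or copying anything. */
char *hardened_copy_body(const char *req, size_t *out_len)
{
    const char *body;
    long declared;
    if (split_request(req, &body, &declared) != 0)
        return NULL;
    if (declared < 0 || declared > MAX_BODY)
        return NULL;              /* absent, negative or absurd Content-Length */
    size_t got = strlen(body);
    if (got != (size_t)declared)
        return NULL;              /* body does not match what the client declared */
    char *buf = malloc(got + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, body, got);
    buf[got] = '\0';
    if (out_len != NULL)
        *out_len = got;
    return buf;
}

/* Constructed sample requests (not captured traffic). */
static const char GOOD_REQ[] =
    "POST /api HTTP/1.1\r\nHost: fw.example\r\nContent-Length: 5\r\n\r\nhello";
static const char EVIL_REQ[] =
    "POST /api HTTP/1.1\r\nHost: fw.example\r\nContent-Length: 5\r\n\r\n"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 40 bytes, 5 declared */

/* Self-checks: 1 when the hardened parser behaves as intended, else 0. */
int hardened_rejects_oversized(void)
{
    return hardened_copy_body(EVIL_REQ, NULL) == NULL;
}

int hardened_accepts_good(void)
{
    size_t n = 0;
    char *p = hardened_copy_body(GOOD_REQ, &n);
    int ok = (p != NULL && n == 5 && strcmp(p, "hello") == 0);
    free(p);
    return ok;
}

int main(void)
{
    printf("hardened accepts well-formed request: %s\n",
           hardened_accepts_good() ? "yes" : "no");
    printf("hardened rejects oversized body:      %s\n",
           hardened_rejects_oversized() ? "yes" : "no");
    return 0;
}
```

The demo deliberately exercises only the hardened path. To watch the vulnerable path fault, build with `-fsanitize=address` and call `vulnerable_copy_body(EVIL_REQ)`; that is the class of bug that the "overcoming exploit mitigations" step in the advisory refers to, since memory protections only raise the cost of turning such an overflow into code execution, while the length check removes the overflow altogether.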
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31138
Vulnerability details
A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. For more information about this vulnerability, see the Details section of this advisory.
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Related Threats
Threat-Actor Attribution
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct RCE via crafted HTTP requests to exposed web services on public-facing Cisco devices (unauthenticated for ASA/FTD, low-privilege authenticated for IOS, IOS XE and IOS XR), which is the pattern T1190 describes.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the root cause, improper validation of user-supplied input in HTTP requests, so that malformed requests are rejected before they can corrupt heap memory and lead to arbitrary code execution.
- SI-2 (Flaw Remediation): remediates the specific flaw in the web services through timely identification, testing, and application of the fixed releases referenced in the Cisco advisory.
- SI-16 (Memory Protection): memory safeguards such as ASLR and DEP raise the cost of turning the overflow into code execution as root; the advisory's note that an attacker may need to overcome exploit mitigations reflects exactly these protections, so treat them as a second line of defence rather than a substitute for patching.