Description
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Web Appliance could allow an authenticated, remote attacker to perform command injection attacks against an affected device. The attacker must authenticate with valid administrator credentials. This vulnerability is due to insufficient validation of XML configuration files by an affected device. An attacker could exploit this vulnerability by uploading a crafted XML configuration file. A successful exploit could allow the attacker to inject commands into the underlying operating system with root privileges.
Scores
CVSS v3: 6.5
EPSS: 0.0008
EPSS Percentile: 23.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-20 (Improper Input Validation), CWE-77 (Improper Neutralization of Special Elements used in a Command)
Status: published
Products (50)
cisco/asyncos 13.0.0-392
cisco/asyncos 13.0.5-007
cisco/asyncos 13.5.1-277
cisco/asyncos 13.5.4-038
cisco/asyncos 14.0.0-698
cisco/asyncos 14.2.0-620
cisco/asyncos 14.2.1-020
cisco/asyncos 14.3.0-032
cisco/asyncos 15.0.0-104
cisco/asyncos 15.0.1-030
... and 40 more
Published: Feb 05, 2025
Tracked Since: Feb 18, 2026