OS Command Injection in Cisco AsyncOS for Secure Email Gateway and Cisco AsyncOS for Secure Web Appliance - CVE-2025-20184
Published: February 6, 2025
Vulnerability identifier: #VU103669
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-20184
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Cisco AsyncOS for Secure Email Gateway
Cisco AsyncOS for Secure Web Appliance
Cisco AsyncOS for Secure Email Gateway
Cisco AsyncOS for Secure Web Appliance
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to insufficient validation of XML configuration files within the web-based management interface. A remote uadministrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2025-20184
Install updates from vendor's website.