Main Vulnerability Database Vulnerabilities #VU103669

#VU103669 OS Command Injection in Cisco AsyncOS for Secure Email Gateway and Cisco AsyncOS for Secure Web Appliance - CVE-2025-20184

Published: February 6, 2025

Vulnerability identifier: #VU103669

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-20184

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Cisco AsyncOS for Secure Email Gateway
Cisco AsyncOS for Secure Web Appliance

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of XML configuration files within the web-based management interface. A remote uadministrator can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-multi-yKUJhS34

#VU103669 OS Command Injection in Cisco AsyncOS for Secure Email Gateway and Cisco AsyncOS for Secure Web Appliance - CVE-2025-20184

Description

Remediation

External links

Please verify you're human