Cisco IOS XE Software HTTP API Command Injection (cisco-sa-ios-xe-cmd-inject-rPJM8BGL)

🗓️ 28 Oct 2025 00:00:00Reported by TenableType

Cisco IOS XE vulnerability lets root commands run via crafted input by authenticated admins or tricked users.

Reporter	Title	Published	Views	Family All 11
Circl	CVE-2025-20334	24 Sep 202516:58	–	circl
Cisco	Cisco IOS XE Software HTTP API Command Injection Vulnerability	24 Sep 202516:00	–	cisco
CNNVD	Cisco IOS XE 命令注入漏洞	24 Sep 202500:00	–	cnnvd
CVE	CVE-2025-20334	24 Sep 202517:07	–	cve
Cvelist	CVE-2025-20334	24 Sep 202517:07	–	cvelist
EUVD	EUVD-2025-31037	3 Oct 202520:07	–	euvd
NCSC	Vulnerabilities fixed in Cisco IOS and Cisco IOS XE Software	25 Sep 202510:42	–	ncsc
NVD	CVE-2025-20334	24 Sep 202517:15	–	nvd
Positive Technologies	PT-2025-39305	24 Sep 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-20334	25 Sep 202517:47	–	redhatcve

Source	Link
nessus	www.nessus.org/u
nessus	www.nessus.org/u
bst	www.bst.cloudapps.cisco.com/bugsearch/bug/CSCwn48408
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#TRUSTED 286fa733016958ef71f3563e98b75f9e3f04ce56da1688ef13321d0be40af87ddb9a9b439872da943a73e58c35c016e88f1536798a474f89a41a5b8c14415d84720f79be522bc673c53710cc15133df5a2c5a5e1f8139ab7969daa30842a619fcb4021dc0911b28c52710ceace70a28dd210d82122c57c1961d6a8bfc1fc92e2d95baf77c8138ba82796cb1cbae49ce75d31fbd024c79fa433df23a9e58670ccc935a1d744c2ea822b727ca984f25e53acfa7be9f706b9d5c825314230036daca6cd37c2f0e0ebff01422ff92671aacaf8431846e8151f5c61ca524d45d50cfdf39cb60e13e246c26a751e0c34b4c97714cdf50342854dfaab956cbbf21dc2861858ac2131df9afbcdca59b7ac4a92983d6bdd5716fb8f88fc1608624e2e8dc786857f2024f00c53783f188cf31f259f67a62cae85112fa381f770ebb88e3b81fb15218ece2cec008249b7674303b70592d002292bd9989a688c3587ac8caf570c7f9c19fc34bd4ffe424c40c2fddb1f7cb54762c52c8c225569a50bb74b1207969111f3d9fe428363a61c4af4e60a0e56f3de398ac6f44fc6dfeee17e796dbe91d593822f27d23f6ca63f6186e551272f2d29e3a1be10532c9ecc6a715daf6e9a61fd8313eb655320371bdf404429f9150fb1c2be25a89bc246a8f2161fdb6d666aadef2b6693de9417ea00aeb0a6f458567c1b8053bd7fb240cb6e88d85db0
#TRUST-RSA-SHA256 79bc411ff429d9447c9f99edd3974461b1e43d004156eacc2f88904f664d8cdb251eee24d2eef809f46ec50772e784ef9bbd634341b718b1bb101e858bd683132a9abe94aaf3ed1bd4e2b6b0f9916515a175f04f0134a475d0b840e850027ff37a0dbc8b883b4847da083e569b10d8f06f1d50f2dfd6e9d474f51eb29ef6de14e6aa6a507be3f59b97ae3c1c5a985b670d2f4ac655d2b4edccb2bc39d36d638536c01d2be039210958ff6f87ddbf662465b628c78b994d4f3f0df094ee7e4481191dadb79a62c1e414597610197db8856be828051bb7fe362c158ff3a8703d28657fe0f1169e4528c9170532ac1df994d777799e2b3ec7d77a763c685bd594a58d0f5c7fb61f1bae80f98d099fc65ce6223fde81e1da80d6d43b6f3f5019898c484dcda7f85527f003d38a3d288a9bc081d8117e45b7a6e84e477be315ecf0f50b85c309aaaf14fc59f3f94fe4e970994036c2888134bfe88806a1fce91cbc162afe690b8db4d7d45d1ba3e8a624f1840f09e0b8cf204644387553f6855f94be8d16684ee1693d09e5b1b8a6b7b5498b477fc9149e2e9187e2ffd6f870744cd579a684c6e183bd52284dd52e56c08ee9a6d0b2e3c62174fea7856994c08de122ff4bbff18603a1e76fa50eb27fc5a3ca946a0e99341a570f08d49edd0999c1ce8e39a9da8d3b9ccd015537e154c2a4db093984915c649ceca3f2c1592d424203
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(271830);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/28");

  script_cve_id("CVE-2025-20334");
  script_xref(name:"CISCO-BUG-ID", value:"CSCwn48408");
  script_xref(name:"CISCO-SA", value:"cisco-sa-ios-xe-cmd-inject-rPJM8BGL");
  script_xref(name:"IAVA", value:"2025-A-0773");

  script_name(english:"Cisco IOS XE Software HTTP API Command Injection (cisco-sa-ios-xe-cmd-inject-rPJM8BGL)");

  script_set_attribute(attribute:"synopsis", value:
"A vulnerability in the HTTP API subsystem of Cisco IOS XE Software could allow a remote attacker to inject 
commands that will execute with root privileges into the underlying operating system.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability.

This vulnerability is due to insufficient input validation. An attacker with administrative privileges could 
exploit this vulnerability by authenticating to an affected system and performing an API call with crafted 
input. Alternatively, an unauthenticated attacker could persuade a legitimate user with administrative privileges 
who is currently logged in to the system to click a crafted link. A successful exploit could allow the attacker 
to execute arbitrary commands as the root user.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-xe-cmd-inject-rPJM8BGL
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b843d1e4");
  # https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75296
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?acad5d9e");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwn48408");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwn48408");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-20334");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(77);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/09/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/09/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/10/28");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xe");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xe_version.nasl");
  script_require_keys("Host/Cisco/IOS-XE/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

var product_info = cisco::get_product_info(name:'Cisco IOS XE Software');

var version_list=make_list(
  '17.9.5',
  '17.9.5a',
  '17.9.5b',
  '17.9.5c',
  '17.9.5d',
  '17.9.5e',
  '17.9.5f',
  '17.9.6',
  '17.9.6a',
  '17.9.6b',
  '17.9.7',
  '17.9.7a',
  '17.9.7b',
  '17.12.2',
  '17.12.2a',
  '17.12.3',
  '17.12.3a',
  '17.12.4',
  '17.12.4a',
  '17.12.4b',
  '17.12.5',
  '17.12.5a',
  '17.12.5b',
  '17.12.5c',
  '17.13.1',
  '17.13.1a',
  '17.14.1',
  '17.14.1a',
  '17.15.1',
  '17.15.1a',
  '17.15.1b',
  '17.15.1w',
  '17.15.1x',
  '17.15.1y',
  '17.15.1z',
  '17.15.2',
  '17.15.2a',
  '17.15.2b',
  '17.15.2c',
  '17.16.1',
  '17.16.1a'
);

var workarounds = make_list(
  CISCO_WORKAROUNDS['generic_workaround']
);

var workaround_params = [
  WORKAROUND_CONFIG['HTTP_Server_iosxe'],
  WORKAROUND_CONFIG['active-session-modules'],
  {'require_all_generic_workarounds': TRUE}
];

var reporting = make_array(
  'port'    , product_info['port'],
  'severity', SECURITY_HOLE,
  'version' , product_info['version'],
  'bug_id'  , 'CSCwn48408',
  'cmds'    , make_list('show running-config')
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list
);

28 Oct 2025 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.18.8

EPSS0.00075

SSVC