CVE-2025-20184

Summary

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Web Appliance could allow an authenticated, remote attacker to perform command injection attacks against an affected device. The attacker must authenticate with valid administrator credentials.

This vulnerability is due to insufficient validation of XML configuration files by an affected device. An attacker could exploit this vulnerability by uploading a crafted XML configuration file. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Secure Email14.0.0-698affected
CiscoCisco Secure Email13.5.1-277affected
CiscoCisco Secure Email13.0.0-392affected
CiscoCisco Secure Email14.2.0-620affected
CiscoCisco Secure Email13.0.5-007affected
CiscoCisco Secure Email13.5.4-038affected
CiscoCisco Secure Email14.2.1-020affected
CiscoCisco Secure Email14.3.0-032affected
CiscoCisco Secure Email15.0.0-104affected
CiscoCisco Secure Email15.0.1-030affected
CiscoCisco Secure Email15.5.0-048affected
CiscoCisco Secure Email15.5.1-055affected
CiscoCisco Secure Email15.5.2-018affected
CiscoCisco Secure Email15.0.3-002affected
CiscoCisco Secure Email15.5.3-022affected
CiscoCisco Secure Web Appliance11.8.0-453affected
CiscoCisco Secure Web Appliance12.5.3-002affected
CiscoCisco Secure Web Appliance12.0.3-007affected
CiscoCisco Secure Web Appliance12.0.3-005affected
CiscoCisco Secure Web Appliance14.1.0-032affected
CiscoCisco Secure Web Appliance14.1.0-047affected
CiscoCisco Secure Web Appliance14.1.0-041affected
CiscoCisco Secure Web Appliance12.0.4-002affected
CiscoCisco Secure Web Appliance14.0.2-012affected
CiscoCisco Secure Web Appliance11.8.0-414affected
CiscoCisco Secure Web Appliance12.0.1-268affected
CiscoCisco Secure Web Appliance11.8.1-023affected
CiscoCisco Secure Web Appliance11.8.3-021affected
CiscoCisco Secure Web Appliance11.8.3-018affected
CiscoCisco Secure Web Appliance12.5.1-011affected
CiscoCisco Secure Web Appliance11.8.4-004affected
CiscoCisco Secure Web Appliance12.5.2-007affected
CiscoCisco Secure Web Appliance12.5.2-011affected
CiscoCisco Secure Web Appliance14.5.0-498affected
CiscoCisco Secure Web Appliance12.5.4-005affected
CiscoCisco Secure Web Appliance12.5.4-011affected
CiscoCisco Secure Web Appliance12.0.5-011affected
CiscoCisco Secure Web Appliance14.0.3-014affected
CiscoCisco Secure Web Appliance12.5.5-004affected
CiscoCisco Secure Web Appliance12.5.5-005affected
CiscoCisco Secure Web Appliance12.5.5-008affected
CiscoCisco Secure Web Appliance14.0.4-005affected
CiscoCisco Secure Web Appliance14.5.1-008affected
CiscoCisco Secure Web Appliance14.5.1-016affected
CiscoCisco Secure Web Appliance15.0.0-355affected
CiscoCisco Secure Web Appliance15.0.0-322affected
CiscoCisco Secure Web Appliance12.5.6-008affected
CiscoCisco Secure Web Appliance15.1.0-287affected
CiscoCisco Secure Web Appliance14.5.2-011affected
CiscoCisco Secure Web Appliance15.2.0-116affected
CiscoCisco Secure Web Appliance14.0.5-007affected
CiscoCisco Secure Web Appliance15.2.0-164affected
CiscoCisco Secure Web Appliance14.5.1-510affected
CiscoCisco Secure Web Appliance12.0.2-012affected
CiscoCisco Secure Web Appliance12.0.2-004affected
CiscoCisco Secure Web Appliance14.5.1-607affected
CiscoCisco Secure Web Appliance14.5.3-033affected
CiscoCisco Secure Web Appliance15.0.1-004affected
CiscoCisco Secure Web Appliance15.2.1-011affected
CiscoCisco Secure Web Appliance14.5.0-673affected
CiscoCisco Secure Web Appliance14.5.0-537affected
CiscoCisco Secure Web Appliance12.0.1-334affected
CiscoCisco Secure Web Appliance14.0.1-503affected
CiscoCisco Secure Web Appliance14.0.1-053affected
CiscoCisco Secure Web Appliance11.8.0-429affected
CiscoCisco Secure Web Appliance14.0.1-040affected
CiscoCisco Secure Web Appliance14.0.1-014affected
CiscoCisco Secure Web Appliance12.5.1-043affected

Weaknesses

  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References