CVE-2025-20184

CVE Database · CVE-2025-20184

CVE-2025-20184

· MEDIUMAnalyzed

CVSS v3.1

6.5

EPSS

0.90%

Published

Feb 5, 2025

Modified

Aug 8, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Web Appliance could allow an authenticated, remote attacker to perform command injection attacks against an affected device. The attacker must authenticate with valid administrator credentials. This vulnerability is due to insufficient validation of XML configuration files by an affected device. An attacker could exploit this vulnerability by uploading a crafted XML configuration file. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Weaknesses (CWE)

CWE-20CWE-77

Affected Products (81)

cisco · asyncosvulnerable

· asyncos

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-multi-yKUJhS34

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs

cisco · asyncosvulnerable

cisco · secure_email_gateway_virtual_appliance_c100v

cisco · secure_email_gateway_virtual_appliance_c300v

cisco · secure_email_gateway_virtual_appliance_c600v

cisco · secure_email_gateway_c195

cisco · secure_email_gateway_c395

cisco · secure_email_gateway_c695

cisco · asyncosvulnerable