Affected Vendors
- Cisco – 7 CVEs
- Netgear – 3 CVEs
- Zyxel – 2 CVEs
- Fortinet – 2 CVEs
- TP-Link – 2 CVEs
Critical Vulnerabilities Demand Immediate Action
This week brought three critical-severity CVEs that require urgent attention across your router fleet. CVE-2025-20337 is the most severe: an unauthenticated, remote code execution (RCE) flaw in Cisco ISE and ISE-PIC with a perfect CVSS score of 10.0. An attacker needs no credentials to exploit this API vulnerability and gain root-level access to the underlying operating system. If you're running Cisco ISE in your environment, patching should be your top priority.
CVE-2025-25257 affects Fortinet FortiWeb appliances (versions 7.6.0–7.6.3 and 7.4.0–7.4.7) and is a SQL injection vulnerability with a CVSS of 9.8. SQL injection flaws can enable attackers to extract sensitive data, modify databases, or execute administrative commands on the device. Fortinet has likely released patches—check your FortiWeb instances immediately and apply updates.
CVE-2025-7673 is a buffer overflow in the Zyxel VMG8825-T50K (firmware versions prior to V5.50(ABOM.5)C0) that could result in denial-of-service or, in some cases, code execution. If you manage this Zyxel model, firmware updates are essential.
Secondary High-Priority Issue
CVE-2025-6265 is rated High (CVSS 7.2) and affects the Zyxel NWA50AX PRO wireless access point. A path traversal vulnerability in the file upload function allows authenticated administrators with malicious intent to bypass restrictions. While this requires admin credentials, it's a clear privilege escalation risk worth monitoring.
Medium-Severity Issues: Cisco, Netgear, and Fortinet
Cisco contributed five medium-severity CVEs this week, spanning ISE, Unified Intelligence Center, Prime Infrastructure, and EPNM. Of these, CVE-2025-20284 and CVE-2025-20283 both involve authenticated RCE in ISE and ISE-PIC APIs (CVSS 6.5 each). While they require valid credentials, they still pose a risk if internal accounts are compromised. CVE-2025-20274 allows authenticated users to upload arbitrary files to Cisco UIC, and CVE-2025-20288 enables unauthenticated information disclosure. Review your Cisco product versions and apply available patches.
Netgear XR300 users should be aware of three related medium-severity buffer overflows (CVE-2025-52080, CVE-2025-52081, CVE-2025-52082, all CVSS 6.5) affecting the HTTPD service on firmware V1.0.3.38_10.3.30. These flaws exist in the usb_device.cgi endpoint and could allow DoS or code execution. Check your XR300 firmware version and update if available.
Fortinet FortiOS has a heap-based buffer overflow (CVE-2025-24477, CVSS 4.2) in versions 7.6.0–7.6.2, 7.4.0–7.4.7, and 7.2.4–7.2.12. While lower-severity, buffer overflows in OS-level code warrant attention in your patch schedule.
Low-Risk Findings
TP-Link Archer routers have two unscored or low-impact CVEs: hardcoded credentials in Archer C50/C1200 models and a clickjacking vulnerability in the web management interface. These are generally lower-priority unless you're concerned about internal network access.
Recommended Actions
- Immediate (24–48 hours): Patch Cisco ISE for CVE-2025-20337; check for FortiWeb updates addressing CVE-2025-25257; update Zyxel VMG8825-T50K firmware to V5.50(ABOM.5)C0 or later.
- This week: Inventory Netgear XR300 devices and apply firmware updates; patch Cisco UIC, ISE, Prime Infrastructure, and EPNM instances.
- Ongoing: Review vendor security advisories and establish a schedule for medium-severity patches. Monitor your device firmware versions against this CVE list.