Affected Vendors
- Cisco: 20 CVEs (2 critical, 7 high, 11 medium)
Executive Summary
This week brings a significant spike in Cisco vulnerabilities, with 20 new CVEs across multiple product lines. Two critical issues demand immediate attention: a VPN web server flaw in Secure Firewall ASA/FTD and a broader web services vulnerability affecting ASA, FTD, IOS, and IOS XE platforms. Organizations running Cisco infrastructure should prioritize patching this week.
Critical Vulnerabilities
CVE-2025-20333 (CVSS 9.9) is the week's highest-severity issue, affecting the VPN web server in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software. An authenticated remote attacker could exploit this vulnerability to cause significant impact. Given the critical nature of firewalls in network architecture, this should be patched immediately on production systems.
CVE-2025-20363 (CVSS 9.0) is nearly as severe and affects a wider attack surface. This web services vulnerability impacts Cisco Secure Firewall ASA, Secure Firewall FTD, IOS, and IOS XE Software. The breadth of affected platforms makes this a priority for any organization running multiple Cisco product lines.
High-Severity Issues Requiring Urgent Attention
CVE-2025-20334 (CVSS 8.8) is a particularly dangerous command injection flaw in the HTTP API subsystem of Cisco IOS XE Software. A remote attacker could inject commands that execute with root privileges—the highest level of system access. This is critical for network administrators managing IOS XE-based routers and switches.
CVE-2025-20315 (CVSS 8.6) affects the Network-Based Application Recognition (NBAR) feature in IOS XE Software and could allow an unauthenticated, remote attacker to cause device reload (denial of service). While not as severe as the command injection, DoS attacks can cascade across network infrastructure.
CVE-2025-20160 (CVSS 8.1) impacts the TACACS+ protocol implementation in both IOS and IOS XE Software. An unauthenticated remote attacker could view sensitive data or bypass authentication—a direct threat to network access control systems.
Three additional high-severity flaws affect the SNMP subsystem (CVE-2025-20352, CVE-2025-20312) and web UI (CVE-2025-20327) of IOS and IOS XE, primarily causing denial of service conditions but still requiring timely patches.
Medium-Severity and Lower-Impact Issues
The remaining 11 medium-severity CVEs include CVE-2025-20311, which affects Catalyst 9000 Series Switches, and CVE-2025-20313, which requires local access or level-15 privileges. While less immediately exploitable from the internet, these should still be included in routine patching schedules.
Recommended Actions
- Immediate (today): Check Cisco security advisories for CVE-2025-20333 and CVE-2025-20363. Determine which of your ASA, FTD, IOS, and IOS XE devices are affected and prioritize patching.
- This week: Develop a patching plan for CVE-2025-20334 (command injection) and CVE-2025-20315 (NBAR DoS) on IOS XE infrastructure.
- Ongoing: Review your TACACS+ and SNMP configurations (CVE-2025-20160, CVE-2025-20352, CVE-2025-20312). Consider disabling SNMP if not in active use, or restrict access via ACLs.
- Testing: Before deploying patches to production, validate them in a lab environment to ensure compatibility with your network configurations.
For more details on each vulnerability, search RouterCVE.com by CVE ID to access Cisco's official security advisories and patch availability timelines.