CVE-2025-20338 [Medium] | Security Vulnerability in Ios Xe

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker with administrative privileges to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker could exploit this vulnerability by logging in to the device CLI with valid administrative (level 15) credentials and using crafted commands at the CLI prompt. A successful exploit could allow the attacker to execute arbitrary commands as root.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-09-25	—	0.01%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-09-25

—

0.01%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.0	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:H) They need powerful rights—admin, root, or similar—before this pays off. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:N) Service keeps running; no real outage angle.	0.8	5.2	[email protected]
6.7	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:H) They need powerful rights—admin, root, or similar—before this pays off. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	0.8	5.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.0

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H): They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N): Service keeps running; no real outage angle.

0.8

5.2

[email protected]

6.7

3.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:H): They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

0.8

5.9

[email protected]

Affected software / configurations for CVE-2025-20338

Vendor	Product	Version	Raw CPE
cisco	ios_xe	3.5.0e	cpe:2.3:o:cisco:ios_xe:3.5.0e:::::::*
cisco	ios_xe	3.5.0sq	cpe:2.3:o:cisco:ios_xe:3.5.0sq:::::::*
cisco	ios_xe	3.5.1e	cpe:2.3:o:cisco:ios_xe:3.5.1e:::::::*
cisco	ios_xe	3.5.1sq	cpe:2.3:o:cisco:ios_xe:3.5.1sq:::::::*
cisco	ios_xe	3.5.2e	cpe:2.3:o:cisco:ios_xe:3.5.2e:::::::*
cisco	ios_xe	3.5.2sq	cpe:2.3:o:cisco:ios_xe:3.5.2sq:::::::*
cisco	ios_xe	3.5.3e	cpe:2.3:o:cisco:ios_xe:3.5.3e:::::::*
cisco	ios_xe	3.5.3sq	cpe:2.3:o:cisco:ios_xe:3.5.3sq:::::::*
cisco	ios_xe	3.5.4sq	cpe:2.3:o:cisco:ios_xe:3.5.4sq:::::::*
cisco	ios_xe	3.5.5sq	cpe:2.3:o:cisco:ios_xe:3.5.5sq:::::::*
cisco	ios_xe	3.5.6sq	cpe:2.3:o:cisco:ios_xe:3.5.6sq:::::::*
cisco	ios_xe	3.5.7sq	cpe:2.3:o:cisco:ios_xe:3.5.7sq:::::::*
cisco	ios_xe	3.5.8sq	cpe:2.3:o:cisco:ios_xe:3.5.8sq:::::::*
cisco	ios_xe	3.6.0e	cpe:2.3:o:cisco:ios_xe:3.6.0e:::::::*
cisco	ios_xe	3.6.1e	cpe:2.3:o:cisco:ios_xe:3.6.1e:::::::*
cisco	ios_xe	3.6.2ae	cpe:2.3:o:cisco:ios_xe:3.6.2ae:::::::*
cisco	ios_xe	3.6.2e	cpe:2.3:o:cisco:ios_xe:3.6.2e:::::::*
cisco	ios_xe	3.6.3e	cpe:2.3:o:cisco:ios_xe:3.6.3e:::::::*
cisco	ios_xe	3.6.4e	cpe:2.3:o:cisco:ios_xe:3.6.4e:::::::*
cisco	ios_xe	3.6.5ae	cpe:2.3:o:cisco:ios_xe:3.6.5ae:::::::*
cisco	ios_xe	3.6.5e	cpe:2.3:o:cisco:ios_xe:3.6.5e:::::::*
cisco	ios_xe	3.6.6e	cpe:2.3:o:cisco:ios_xe:3.6.6e:::::::*
cisco	ios_xe	3.6.7be	cpe:2.3:o:cisco:ios_xe:3.6.7be:::::::*
cisco	ios_xe	3.6.7e	cpe:2.3:o:cisco:ios_xe:3.6.7e:::::::*
cisco	ios_xe	3.6.8e	cpe:2.3:o:cisco:ios_xe:3.6.8e:::::::*
cisco	ios_xe	3.6.9e	cpe:2.3:o:cisco:ios_xe:3.6.9e:::::::*
cisco	ios_xe	3.6.10e	cpe:2.3:o:cisco:ios_xe:3.6.10e:::::::*
cisco	ios_xe	3.7.0e	cpe:2.3:o:cisco:ios_xe:3.7.0e:::::::*
cisco	ios_xe	3.7.1e	cpe:2.3:o:cisco:ios_xe:3.7.1e:::::::*
cisco	ios_xe	3.7.2e	cpe:2.3:o:cisco:ios_xe:3.7.2e:::::::*
cisco	ios_xe	3.7.3e	cpe:2.3:o:cisco:ios_xe:3.7.3e:::::::*
cisco	ios_xe	3.7.4e	cpe:2.3:o:cisco:ios_xe:3.7.4e:::::::*
cisco	ios_xe	3.7.5e	cpe:2.3:o:cisco:ios_xe:3.7.5e:::::::*
cisco	ios_xe	3.8.0e	cpe:2.3:o:cisco:ios_xe:3.8.0e:::::::*
cisco	ios_xe	3.8.1e	cpe:2.3:o:cisco:ios_xe:3.8.1e:::::::*
cisco	ios_xe	3.8.2e	cpe:2.3:o:cisco:ios_xe:3.8.2e:::::::*
cisco	ios_xe	3.8.3e	cpe:2.3:o:cisco:ios_xe:3.8.3e:::::::*
cisco	ios_xe	3.8.4e	cpe:2.3:o:cisco:ios_xe:3.8.4e:::::::*
cisco	ios_xe	3.8.5ae	cpe:2.3:o:cisco:ios_xe:3.8.5ae:::::::*
cisco	ios_xe	3.8.5e	cpe:2.3:o:cisco:ios_xe:3.8.5e:::::::*
cisco	ios_xe	3.8.6e	cpe:2.3:o:cisco:ios_xe:3.8.6e:::::::*
cisco	ios_xe	3.8.7e	cpe:2.3:o:cisco:ios_xe:3.8.7e:::::::*
cisco	ios_xe	3.8.8e	cpe:2.3:o:cisco:ios_xe:3.8.8e:::::::*
cisco	ios_xe	3.8.9e	cpe:2.3:o:cisco:ios_xe:3.8.9e:::::::*
cisco	ios_xe	3.8.10e	cpe:2.3:o:cisco:ios_xe:3.8.10e:::::::*
cisco	ios_xe	3.8.10ee	cpe:2.3:o:cisco:ios_xe:3.8.10ee:::::::*
cisco	ios_xe	3.9.0e	cpe:2.3:o:cisco:ios_xe:3.9.0e:::::::*
cisco	ios_xe	3.9.1e	cpe:2.3:o:cisco:ios_xe:3.9.1e:::::::*
cisco	ios_xe	3.9.2e	cpe:2.3:o:cisco:ios_xe:3.9.2e:::::::*
cisco	ios_xe	3.10.0ce	cpe:2.3:o:cisco:ios_xe:3.10.0ce:::::::*
cisco	ios_xe	3.10.0e	cpe:2.3:o:cisco:ios_xe:3.10.0e:::::::*
cisco	ios_xe	3.10.1e	cpe:2.3:o:cisco:ios_xe:3.10.1e:::::::*
cisco	ios_xe	3.10.2e	cpe:2.3:o:cisco:ios_xe:3.10.2e:::::::*
cisco	ios_xe	3.10.3e	cpe:2.3:o:cisco:ios_xe:3.10.3e:::::::*
cisco	ios_xe	3.11.0e	cpe:2.3:o:cisco:ios_xe:3.11.0e:::::::*
cisco	ios_xe	3.11.0s	cpe:2.3:o:cisco:ios_xe:3.11.0s:::::::*
cisco	ios_xe	3.11.1ae	cpe:2.3:o:cisco:ios_xe:3.11.1ae:::::::*
cisco	ios_xe	3.11.1e	cpe:2.3:o:cisco:ios_xe:3.11.1e:::::::*
cisco	ios_xe	3.11.1s	cpe:2.3:o:cisco:ios_xe:3.11.1s:::::::*
cisco	ios_xe	3.11.2e	cpe:2.3:o:cisco:ios_xe:3.11.2e:::::::*
cisco	ios_xe	3.11.2s	cpe:2.3:o:cisco:ios_xe:3.11.2s:::::::*
cisco	ios_xe	3.11.3ae	cpe:2.3:o:cisco:ios_xe:3.11.3ae:::::::*
cisco	ios_xe	3.11.3e	cpe:2.3:o:cisco:ios_xe:3.11.3e:::::::*
cisco	ios_xe	3.11.3s	cpe:2.3:o:cisco:ios_xe:3.11.3s:::::::*
cisco	ios_xe	3.11.4e	cpe:2.3:o:cisco:ios_xe:3.11.4e:::::::*
cisco	ios_xe	3.11.4s	cpe:2.3:o:cisco:ios_xe:3.11.4s:::::::*
cisco	ios_xe	3.11.5e	cpe:2.3:o:cisco:ios_xe:3.11.5e:::::::*
cisco	ios_xe	3.11.6e	cpe:2.3:o:cisco:ios_xe:3.11.6e:::::::*
cisco	ios_xe	3.11.7e	cpe:2.3:o:cisco:ios_xe:3.11.7e:::::::*
cisco	ios_xe	3.11.8e	cpe:2.3:o:cisco:ios_xe:3.11.8e:::::::*
cisco	ios_xe	3.11.9e	cpe:2.3:o:cisco:ios_xe:3.11.9e:::::::*
cisco	ios_xe	3.11.10e	cpe:2.3:o:cisco:ios_xe:3.11.10e:::::::*
cisco	ios_xe	3.11.11e	cpe:2.3:o:cisco:ios_xe:3.11.11e:::::::*
cisco	ios_xe	3.11.12e	cpe:2.3:o:cisco:ios_xe:3.11.12e:::::::*
cisco	ios_xe	3.12.0as	cpe:2.3:o:cisco:ios_xe:3.12.0as:::::::*
cisco	ios_xe	3.12.0s	cpe:2.3:o:cisco:ios_xe:3.12.0s:::::::*
cisco	ios_xe	3.12.1s	cpe:2.3:o:cisco:ios_xe:3.12.1s:::::::*
cisco	ios_xe	3.12.2s	cpe:2.3:o:cisco:ios_xe:3.12.2s:::::::*
cisco	ios_xe	3.12.3s	cpe:2.3:o:cisco:ios_xe:3.12.3s:::::::*
cisco	ios_xe	3.12.4s	cpe:2.3:o:cisco:ios_xe:3.12.4s:::::::*

References for CVE-2025-20338

URL	Tags
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-arg-inject-EyDDbh4e	Vendor Advisory

URL

CVE-2025-20338

Exploit prediction scoring system (EPSS) score for CVE-2025-20338

Common vulnerability scoring system (CVSS) metrics for CVE-2025-20338

Weakness enumeration for CVE-2025-20338

Affected software / configurations for CVE-2025-20338

References for CVE-2025-20338