CVE-2025-20185
Published: Feb 5, 2025
Modified: Feb 5, 2025
CVSS v3.1 base score: 3.4
Description
A vulnerability in the implementation of the remote access functionality of Cisco AsyncOS Software for Cisco Secure Email and Web Manager, Cisco Secure Email Gateway, and Cisco Secure Web Appliance could allow an authenticated, local attacker to elevate privileges to root. The attacker must authenticate with valid administrator credentials. This vulnerability is due to an architectural flaw in the password generation algorithm for the remote access functionality. An attacker could exploit this vulnerability by generating a temporary password for the service account. A successful exploit could allow the attacker to execute arbitrary commands as root and access the underlying operating system. Note: The Security Impact Rating (SIR) for this vulnerability is Medium due to the unrestricted scope of information that is accessible to an attacker.
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Cisco Secure Email | affected: 14.0.0-698, 13.5.1-277, 13.0.0-392, 14.2.0-620, 13.0.5-007, +9 more versions |
| Cisco | Cisco Secure Email and Web Manager | affected: 13.6.2-023, 13.6.2-078, 13.0.0-249, 13.0.0-277, 13.8.1-052, +16 more versions |
| Cisco | Cisco Secure Web Appliance | affected: 11.8.0-453, 12.5.3-002, 12.0.3-007, 12.0.3-005, 14.1.0-032, +48 more versions |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

| Metric | Value |
|---|---|
| Attack Vector | Local (AV:L) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | High (PR:H) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |
References