Privilege Escalation Flaw in Cisco AsyncOS for Secure Email and Web Solutions
CVE-2025-20185

3.4LOW

Key Information:

Vendor
Cisco
Status
Cisco Secure Email
Cisco Secure Email And Web Manager
Cisco Secure Web Appliance
Vendor
CVE Published:
5 February 2025

Badges

👾 Exploit Exists

Summary

A vulnerability exists in the remote access functionality of Cisco AsyncOS Software used in Cisco Secure Email and Web appliances, allowing an authenticated local attacker to gain root privileges. This flaw arises from an architectural weakness in the password generation algorithm specific to remote access. By exploiting this vulnerability, an attacker with valid administrative credentials can generate a temporary service account password, leading to the ability to execute arbitrary commands as the root user and access the underlying operating system, posing significant security risks to affected systems.

Affected Version(s)

Cisco Secure Email 14.0.0-698

Cisco Secure Email 13.5.1-277

Cisco Secure Email 13.0.0-392

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:
3.4
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.