PRP: Cisco Secure ASA / FTD / IOS / IOS XE / IOS XR Web Services CVE-2025-20363 RCE

[0xXA]

• Identifier of the vulnerability: CVE-2025-20363
• Affected software: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, and Cisco IOS / IOS XE / IOS XR web services.
• Type of vulnerability: Remote Code Execution
• Requires authentication: No
• Language you would use for writing the plugin: Templated plugins
• Resources:
  • https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-http-code-exec-WmfP3h3O.html
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team

[github-actions]

This message is addressed to the Tsunami panel.

Contributor stats

• The contributor has 0 issues tagged as main;
• The contributor has 0 issues tagged as queue.

Useful links

• All open issues from this contributor
• All open PRs from this contributor

[tooryx]

Hi @0xXA,

How would you setup the testbed? I am a bit worried that setting it up turns out to be very difficult.

Thank you,
~tooryx

[0xXA]

Hi @0xXA,

How would you setup the testbed? I am a bit worried that setting it up turns out to be very difficult.

Thank you, ~tooryx

Hi @tooryx

I hope you're doing well :)

We can setup a simple HTTP test server to return crafted responses that emulate Cisco appliance behaviour like ASA login page body containing Adaptive Security Appliance, ASDM headers (Server: Cisco-ASA), FTD/Firepower bodies: contain Firepower Device Manager or Cisco Secure Firewall.

Existence of all these headers can be easily confirmed with Shodan. And I'm sure you don't want to store an active exploit or licenced software in any of your repos and get a DMCA notice or licencing issue. So we can't include any legit or pirated Cisco firmware / software. Thus, I suggested a mock http server.

If you have any suggestions related to design, etc, feel free to suggest something.

Although we have never interacted before. Are you by any chance from Erik Varga's team !?
Just curious :)

Thanks,
Yuvraj

[tooryx]

Automated message: Do not reply to that comment or tag the author. We just announced a temporary program freeze please see #752 for details. Thank you for your understanding and patience.