CVE-2025-20240 — Vulnetix

CVE-2025-20240 PUBLISHED CVSS 6.099999904632568 MEDIUM

A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected device. This vulnerability is due to improper sanitization of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a malicious link. A successful exploit could allow the attacker to execute a reflected XSS attack and steal user cookies from the affected device.

EPSS 0.04% · 13.7th percentile

Risk Scores

CVSS 3.1

6.099999904632568

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Score

0.04%

13.7th percentile

Affected Products

Vendor	Product	Versions
Cisco	Cisco IOS XE Software	16.6.1, 16.6.2, 16.6.3

Exploit Intelligence

CIRCL seen: CVE-2025-20240 (circl-sighting)
CIRCL seen: CVE-2025-20240 (circl-sighting)
cisco-sa-webui-xss-VWyDgjOU (circl)

Timeline

Oct 10, 2024 CVE ID Reserved
Sep 24, 2025 CVE Published
Sep 25, 2025 EPSS Score
Sep 25, 2025 PoC Published
Sep 26, 2025 PoC Published
Sep 26, 2025 CVE Updated
Oct 2, 2025 EPSS Score
Oct 3, 2025 Coalition ESS Score
Oct 6, 2025 Coalition ESS Score
Oct 9, 2025 EPSS Score
Oct 15, 2025 EPSS Score
Oct 22, 2025 EPSS Score

References

cisco-sa-webui-xss-VWyDgjOU url
https://nvd.nist.gov/vuln/detail/CVE-2025-20240 advisory

Open in Interactive Console →