Is CVE-2025-20138 actively exploited?

CVE-2025-20138 has no public evidence of in-the-wild exploitation as of 2025-07-31.

What is the CVSS score for CVE-2025-20138?

CVE-2025-20138 has a CVSS score of 8.8 (HIGH severity). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

How do I patch CVE-2025-20138?

Patch guidance is available from cisco security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-20138.

Which products are affected by CVE-2025-20138?

2 products: cisco ios xr, cisco ios xr.

Fix CVE-2025-20138 - HIGH cisco ios xr

Description

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands.

CVSS Metrics

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: local
Complexity: low
Privileges: low
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
Weaknesses: CWE-78 · OS Command Injection

Metadata

Primary Vendor: CISCO
Published: 3/12/2025
Last Modified: 7/31/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2025-20138

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary