Cisco IOS XR up to 24.4.10 CLI os command injection

Summaryinfo

A vulnerability marked as critical has been reported in Cisco IOS XR. This impacts an unknown function of the component CLI. Performing a manipulation results in os command injection. This vulnerability was named CVE-2025-20138. The attack needs to be approached locally. There is no available exploit. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical has been found in Cisco IOS XR. This affects an unknown code of the component CLI. The manipulation with an unknown input leads to a os command injection vulnerability. CWE is classifying the issue as CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands.

It is possible to read the advisory at sec.cloudapps.cisco.com. This vulnerability is uniquely identified as CVE-2025-20138 since 10/10/2024. The exploitability is told to be easy. Attacking locally is a requirement. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 11/11/2025). The attack technique deployed by this issue is T1202 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 274616 (Cisco IOS XR Software CLI Privilege Escalation (cisco-sa-iosxr-priv-esc-GFQjxvOF)), which helps to determine the existence of the flaw in a target environment.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (274616). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Router Operating System

Vendor

• Cisco

Name

• IOS XR

Version

• 6.5.1
• 6.5.2
• 6.5.3
• 6.5.15
• 6.5.25
• 6.5.26
• 6.5.28
• 6.5.29
• 6.5.31
• 6.5.32
• 6.5.33
• 6.5.35
• 6.5.90
• 6.5.92
• 6.5.93
• 6.6.1
• 6.6.2
• 6.6.3
• 6.6.4
• 6.6.11
• 6.6.12
• 6.6.25
• 6.7.2
• 6.7.4
• 7.0.0
• 7.0.1
• 7.0.2
• 7.0.11
• 7.0.12
• 7.0.14
• 7.0.90
• 7.1.1
• 7.1.2
• 7.1.3
• 7.1.15
• 7.1.25
• 7.2.0
• 7.2.1
• 7.2.2
• 7.2.12
• 7.3.1
• 7.3.2
• 7.3.3
• 7.3.4
• 7.3.5
• 7.3.6
• 7.3.15
• 7.3.16
• 7.3.27
• 7.4.1
• 7.4.2
• 7.4.15
• 7.4.16
• 7.5.1
• 7.5.2
• 7.5.3
• 7.5.4
• 7.5.5
• 7.5.12
• 7.5.52
• 7.6.1
• 7.6.2
• 7.6.3
• 7.6.15
• 7.7.1
• 7.7.2
• 7.7.21
• 7.8.1
• 7.8.2
• 7.8.12
• 7.8.22
• 7.8.23
• 7.9.1
• 7.9.2
• 7.9.21
• 7.10.1
• 7.10.2
• 7.11.1
• 7.11.2
• 7.11.21
• 24.1.1
• 24.1.2
• 24.2.1
• 24.2.2
• 24.2.11
• 24.2.20
• 24.3.1
• 24.3.2
• 24.3.20
• 24.4.10

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion