Skip to main content

Apple CVE-2026-20125

| EUVDEUVD-2026-15449 HIGH
Improper Handling of Syntactically Invalid Structure (CWE-228)
2026-03-25 cisco
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:16 euvd
EUVD-2026-15449
Analysis Generated
Mar 25, 2026 - 16:16 vuln.today
CVE Published
Mar 25, 2026 - 16:04 nvd
HIGH 7.7

DescriptionCVE.org

A vulnerability in the HTTP Server feature of Cisco IOS Software and Cisco IOS XE Software Release 3E could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malformed HTTP requests to an affected device. A successful exploit could allow the attacker to cause a watchdog timer to expire and the device to reload, resulting in a DoS condition. To exploit this vulnerability, the attacker must have a valid user account.

AnalysisAI

HTTP Server input validation failures in Cisco IOS and IOS XE Release 3E enable authenticated remote attackers to trigger device reloads via malformed requests, causing denial of service. An attacker with valid credentials can exploit improper input handling to exhaust watchdog timers and force unexpected system restarts. No patch is currently available for this vulnerability affecting Cisco and Apple products.

Technical ContextAI

This vulnerability stems from CWE-228 (Improper Handling of Syntactically Invalid Structure), where the HTTP Server component in Cisco IOS and IOS XE software fails to properly validate user-supplied input in HTTP requests. The affected products span a wide range of Cisco network devices running IOS versions from 12.2 through 15.9 and IOS XE versions from 3.5 through 3.18, as indicated by CPE entries cpe:2.3:a:cisco:ios and cpe:2.3:a:cisco:cisco_ios_xe_software. The HTTP Server feature, when enabled on these devices, processes incoming HTTP requests without adequate input sanitization, allowing malformed requests to trigger watchdog timer failures that force a device reload. The vulnerability's scope change (S:C) in the CVSS vector indicates that the impact extends beyond the vulnerable component itself.

RemediationAI

Apply security updates as recommended in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-http-dos-sbv8XRpL, which provides specific fixed versions for each affected release train. Until patching is completed, disable the HTTP Server feature if not required for management operations using the 'no ip http server' and 'no ip http secure-server' commands in global configuration mode. If HTTP/HTTPS management access is necessary, implement strict access control lists (ACLs) to limit HTTP Server access to only trusted management networks and IP addresses, enforce strong authentication mechanisms, and monitor for suspicious HTTP request patterns that could indicate exploitation attempts. Deploy out-of-band management networks where possible to isolate device management traffic from production networks. Prioritize patching for devices with internet-facing management interfaces or those accessible from less-trusted network segments.

Share

CVE-2026-20125 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy