September 25, 2025
During a hospital security assessment, we discovered a reflected XSS vulnerability in the Cisco IOS XE Web UI. The issue, identified as CVE-2025-20240, could allow attackers to steal session tokens via crafted links.
We reported it to Cisco PSIRT, and after multiple meetings and environment recreations, Cisco confirmed the bug and published an official security advisory.
Affected devices should be patched immediately. Details are available in the Cisco advisory.
Security assessments often take us into environments where technology and human lives are closely connected. During one such hospital security assessment, we stumbled upon a vulnerability with far-reaching implications.
While testing the web management interface of Cisco IOS XE devices, we discovered a reflected cross-site scripting (XSS) vulnerability. This meant that an attacker could trick someone into clicking a malicious link, and if successful, the attacker could steal session cookies and hijack accounts of any website the victim has logged into. In a hospital setting, this could even mean access to network devices critical for patient care.
The vulnerability was captured in our proof-of-concept artifacts, including screenshots and request/response logs, but once the assessment concluded, our access to the hospital environment ended. When Cisco PSIRT later requested additional details and live reproduction steps, we no longer had the original setup to demonstrate the issue.
This could have stalled the investigation, but Cisco’s collaboration was invaluable. They held multiple meetings with us, patiently walking through every detail we could recall about the environment and its configuration. After several iterations, Cisco successfully recreated the exact environment and was able to fully confirm and validate the vulnerability.
The web interface of Cisco IOS XE devices failed to sanitize user-supplied input before reflecting it back into the page. So when a user clicked a specially crafted link, malicious script could be reflected back in the response. If the victim’s browser then executes that reflected payload, it opens the door to cookie/token theft or session hijacking.
From a technical standpoint, this is a reflected cross-site scripting (XSS) vulnerability in Cisco IOS XE’s Web UI. The vulnerability is identified as CVE-2025-20240 and has a CVSS score of 6.1. Under certain configurations, attackers could trick victims into visiting a crafted URL and exfiltrate tokens or cookies of any website the victim has logged into to a domain under their control, making this a pseudo-universal XSS.
If exploited, the vulnerability could allow an attacker to run arbitrary scripts in the context of the Web UI, potentially stealing cookies, tokens, or session identifiers.
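As an added illustration (not code from the advisory, from Cisco, or from our assessment), the snippet below shows the bug class on a hypothetical search page: a query value reflected unencoded into the HTML body, beside the same page with context-aware output encoding and defensive cookie/CSP headers, plus the check we would use in a regression test to tell the two apart. The `/search` endpoint, the `q` parameter and the cookie name are assumptions; the real IOS XE Web UI parameters are not given above.

```python
"""Reflected XSS, illustrated on a hypothetical search page (not the real
IOS XE Web UI endpoint, which the advisory text above does not name)."""
from html import escape
from typing import Callable, Dict
from urllib.parse import parse_qs, urlsplit

# Page template: the user-controlled value lands in HTML *body* context.
PAGE = "<html><body><p>You searched for: {term}</p></body></html>"

# Constructed probe: a harmless tag that must never survive as markup.
PROBE_URL = "/search?q=%3Cscript%3Eprobe%3C/script%3E"


def query_value(url: str, name: str = "q") -> str:
    """Extract one query parameter from a request URL (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """The bug class: the raw value is reflected straight into the page,
    so a crafted link controls what the victim's browser executes."""
    return PAGE.format(term=query_value(url))


def render_hardened(url: str) -> str:
    """Same page with output encoding for the HTML body/attribute context.
    (A value placed inside a <script> block or a URL needs its own encoder;
    html.escape alone is not sufficient there.)"""
    return PAGE.format(term=escape(query_value(url), quote=True))


def hardened_headers() -> Dict[str, str]:
    """Defence in depth: HttpOnly keeps the session cookie away from script,
    and a CSP blocks inline script even if some reflection is missed.
    Cookie name and session value are placeholders."""
    return {
        "Set-Cookie": "session=<opaque-id>; HttpOnly; Secure; SameSite=Strict",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def reflects_raw(render: Callable[[str], str], url: str) -> bool:
    """Regression/scan check: True if a value carrying HTML-significant
    characters is echoed back verbatim, i.e. unencoded, in the response."""
    term = query_value(url)
    return term != escape(term, quote=True) and term in render(url)
```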
Here’s how the journey unfolded:
| Date | Milestone |
|---|---|
| June 28, 2024 | Initial vulnerability report submitted to Cisco PSIRT with reproduction steps, impact, and potential fixes. |
| July 11, 2024 | Cisco acknowledged and opened an incident ticket. |
| July 2024 | Back-and-forth clarifications, screenshot requests, and later a request for a video PoC. |
| July–August 2024 | Multiple discussions and Webex calls to reconstruct the environment. Since we no longer had access, Cisco engineers recreated it step by step. |
| August 28, 2024 | Cisco successfully reproduced the issue in their environment. |
| September 24, 2025 | Cisco published the official advisory and defect notice. |
Cisco PSIRT’s professionalism and persistence were commendable: they didn’t drop the case when evidence was limited but instead worked closely with us to validate the issue properly.
Cisco has released software updates that fully address this vulnerability. Because there are no permanent workarounds, upgrading to the fixed versions is strongly recommended.
For detailed instructions, affected versions, and configuration checks, please refer directly to Cisco’s official advisory:
🔗 Cisco Security Advisory – cisco-sa-webui-xss-VWyDgjOU
This research was carried out by me, Aswin M Guptha, together with my colleague Abhinand N from Traboda CyberLabs.
A special thanks to the Cisco PSIRT team for their patience and collaboration throughout the process. Their willingness to hold multiple discussions, rebuild the test environment, and validate the issue made this disclosure possible.
Official advisory: Cisco Security Advisory – cisco-sa-webui-xss-VWyDgjOU
🧵 Thanks for reading! This research underscored the importance of preserving artifacts, especially when access to the original environment is lost, and reminded us that responsible disclosure is a collaborative effort between researchers and vendors. Stay curious, stay safe, and keep exploring the world of security research!