CVE-2025-20118

CWE-212 CWE-77 — Command Injection CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

4.4MEDIUM

EPSS

0.0%

top 87.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Cisco Application Policy Infrastructure Controller (apic)Cisco Application Policy Infrastructure Controller

Timeline

PublishedFeb 26

Latest updateMar 3

Description

A vulnerability in the implementation of the internal system processes of Cisco APIC could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient masking of sensitive information that is displayed through system CLI commands. An attacker could exploit this vulnerability by using reconnaissance techniques at the device CLI. A suc…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5cisco/cisco_application_policy_infrastructure_controller_(apic)128 versions+127

▶NVDcisco/application_policy_infrastructure_controller128 versions+127

🔴Vulnerability Details

GHSA

GHSA-hgqp-f75h-6p8r: A vulnerability in the implementation of the internal system processes of Cisco APIC could allow an authenticated, local attacker to access sensitive↗2025-02-26

▶

CVEList

Cisco Application Policy Infrastructure Controller Authenticated Command Injection Due to Sensitive Disclosure Vulnerability↗2025-02-26

▶

📋Vendor Advisories

CISA

Cisco Small Business RV Series Routers Command Injection Vulnerability↗2025-03-03

▶

Cisco

Cisco Application Policy Infrastructure Controller Vulnerabilities↗2025-02-26

▶