CVE-2025-20161

CWE-78OS Command Injection4 documents4 sources
Severity
5.1MEDIUM
EPSS
0.0%
top 91.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Cisco Cisco Nx-os Software
Timeline
PublishedFeb 26

Description

A vulnerability in the software upgrade process of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, local attacker with valid Administrator credentials to execute a command injection attack on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of specific elements within a software image. An attacker could exploit this vulnerability by installing a crafted image.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:NExploitability: 0.8 | Impact: 4.2

Affected Packages1 packages

CVEListV5cisco/cisco_nx-os_software124 versions+123

🔴Vulnerability Details

2
CVEList
Cisco NX-OS Software Command Injection Vulnerability2025-02-26
GHSA
GHSA-wc27-6x2h-q38w: A vulnerability in the software upgrade process of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode coul2025-02-26

📋Vendor Advisories

1
Cisco
Cisco Nexus 3000 and 9000 Series Switches Command Injection Vulnerability2025-02-26
CVE-2025-20161 (MEDIUM CVSS 5.1) | A vulnerability in the software upg | cvebase.io