CVE-2025-20214

Severity: 4.3 MEDIUM
EPSS: 0.2% (top 55.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2025-05-07

Description

A vulnerability in the Network Configuration Access Control Module (NACM) of Cisco IOS XE Software could allow an authenticated, remote attacker to obtain unauthorized read access to configuration or operational data. This vulnerability exists because a subtle change in inner API call behavior causes results to be filtered incorrectly. An attacker could exploit this vulnerability by using either NETCONF, RESTCONF, or gRPC Network Management Interface (gNMI) protocols and query data on paths that
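The description above says the device-side NACM filter (the Network Configuration Access Control Model, RFC 8341) returned data it should have pruned from replies. The check a practitioner wants is the inverse of that filter on the client side: replay the NACM rule-lists you configured against the data-node paths a NETCONF, RESTCONF or gNMI reply actually contained and flag anything the rules should have hidden. The following is an added example, not code from Cisco or from the advisory. It is a deliberately simplified model of RFC 8341 read-access evaluation: rules match by data-node path prefix rather than the RFC's XPath `path` leaf, `module-name` and `rule-type` are ignored, and the RFC defaults (`read-default permit`, `write-default deny`) apply. The rule names, groups and paths (`/native/username`, `/native/crypto`, `/native/interface`, `/native/hostname`) are constructed for illustration, as is the sample reply.

```python
# Added example (not Cisco's code and not from the advisory): a minimal model of
# NACM read-access evaluation (RFC 8341) used to audit what a NETCONF/RESTCONF/
# gNMI reply contains against the rule-lists the operator configured.
# Simplifications (assumptions): rules are matched by data-node path prefix
# instead of the RFC's XPath "path" leaf, module-name and rule-type are ignored,
# and the RFC defaults apply (read-default permit, write-default deny).
# All rule names, groups and paths below are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    path: str      # data-node path prefix, e.g. "/native/username"
    access: set    # subset of {"create", "read", "update", "delete", "exec"} or {"*"}
    action: str    # "permit" or "deny"


@dataclass
class RuleList:
    name: str
    groups: set    # user groups this rule-list applies to; {"*"} means everyone
    rules: list    # ordered; the first matching rule wins


@dataclass
class Nacm:
    enable_nacm: bool = True
    read_default: str = "permit"
    write_default: str = "deny"
    rule_lists: list = field(default_factory=list)


def path_matches(rule_path: str, node_path: str) -> bool:
    """True if node_path is the rule's node or lies beneath it (segment-aligned)."""
    if rule_path in ("/", "/*"):
        return True
    rule_path = rule_path.rstrip("/")
    return node_path == rule_path or node_path.startswith(rule_path + "/")


def read_allowed(nacm: Nacm, user_groups: set, node_path: str) -> bool:
    """RFC 8341 data-node read check: first matching rule decides, else read-default."""
    if not nacm.enable_nacm:
        return True
    for rl in nacm.rule_lists:
        if "*" not in rl.groups and not (rl.groups & user_groups):
            continue
        for rule in rl.rules:
            if not ("read" in rule.access or "*" in rule.access):
                continue
            if path_matches(rule.path, node_path):
                return rule.action == "permit"
    return nacm.read_default == "permit"


def leaked_paths(nacm: Nacm, user_groups: set, returned_paths: list) -> list:
    """Paths present in a reply that NACM should have pruned for this user's groups."""
    return [p for p in returned_paths if not read_allowed(nacm, user_groups, p)]


def sample_policy() -> Nacm:
    """Constructed policy: operators may read interfaces but not local users or crypto."""
    return Nacm(rule_lists=[
        RuleList(name="operators", groups={"operators"}, rules=[
            Rule("no-local-users", "/native/username", {"read"}, "deny"),
            Rule("no-crypto", "/native/crypto", {"*"}, "deny"),
            Rule("interfaces", "/native/interface", {"read"}, "permit"),
        ]),
    ])


# Constructed data-node paths standing in for what a <get-config> reply contained.
SAMPLE_REPLY_PATHS = [
    "/native/interface/GigabitEthernet/1",
    "/native/username/admin",   # should have been pruned for group "operators"
    "/native/hostname",         # no rule matches -> read-default permit
]


def audit_reply(user_groups: set, reply_paths: list) -> list:
    """Run the constructed policy over a reply and return what should not be there."""
    return leaked_paths(sample_policy(), user_groups, reply_paths)


if __name__ == "__main__":
    print(audit_reply({"operators"}, SAMPLE_REPLY_PATHS))  # ['/native/username/admin']
```

A non-empty result from `audit_reply` for a restricted group is exactly the symptom the advisory describes: data the device should have omitted from a read reply. The same comparison works for any management interface, since NACM is evaluated on data nodes regardless of whether the request arrived over NETCONF, RESTCONF or gNMI; the only interface-specific work is turning the reply into data-node paths.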

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5: cisco/cisco_ios_xe_software (14 versions +13)
NVD: cisco/ios_xe (14 versions +13)

🔴 Vulnerability Details (2)

GHSA: GHSA-fv9x-wjcx-9cgm (2025-05-07): A vulnerability in the Network Configuration Access Control Module (NACM) of Cisco IOS XE Software could allow an authenticated, remote attacker to ob…
CVEList: CVE-2025-20214 (2025-05-07): A vulnerability in the Network Configuration Access Control Module (NACM) of Cisco IOS XE Software could allow an authenticated, remote attacker to ob…

📋 Vendor Advisories (1)

Cisco: Cisco IOS XE Software Model-Driven Programmability Authorization Bypass Vulnerability (2025-05-07)