CVE-2025-20278

CWE-77 — Command Injection4 documents4 sources

Severity

6.7MEDIUM

EPSS

0.1%

top 78.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Unified Intelligence Center Cisco Virtualized Voice Browser Cisco Cisco Finesse +13 more

Timeline

PublishedJun 4

Description

A vulnerability in the CLI of multiple Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. This vulnerability is due to improper validation of user-supplied command arguments. An attacker could exploit this vulnerability by executing crafted commands on the CLI of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 0.8 | Impact: 5.2

Affected Packages16 packages

▶NVDcisco/unified_communications_manager12 versions+11

▶CVEListV5cisco/cisco_unified_communications_manager21 versions+20

▶NVDcisco/unified_communications_manager_im_and_presence_service10 versions+9

▶CVEListV5cisco/cisco_unified_communications_manager_im_and_presence_service19 versions+18

▶NVDcisco/unified_intelligence_center< 12.6\(2\)es_04

🔴Vulnerability Details

CVEList

Cisco Unified Communications Products Command Injection Vulnerability↗2025-06-04

▶

GHSA

GHSA-qvpj-hmr8-j79p: A vulnerability in the CLI of multiple Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary command↗2025-06-04

▶