CVE-2025-20287
published 2025-09-03

Priority: P2 · 65 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.29% (21.2th percentile)

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit this vulnerability by sending a crafted file upload request to a specific API endpoint. A successful exploit could allow the attacker to upload arbitrary files to an affected system. To exploit this vulnerability, an attacker must have at least valid Config Managers credentials on the affected device.

Affected

16 ranges
Vendor | Product | Version range | Fixed in
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | cisco_evolved_programmable_network_manager | |
cisco | evolved_programmable_network_manager | <= 8.0.0 |
cisco | evolved_programmable_network_manager | |

Detection & IOCs (extracted from sources)

  • Exploit targets a specific API endpoint via a crafted file upload request to the web-based management interface of Cisco EPNM; monitor for anomalous multipart/file upload HTTP requests to EPNM API endpoints from authenticated sessions with Config Manager-level credentials.
  • Exploitation requires at least Config Manager credentials; alert on accounts with Config Manager-level privileges performing file upload operations, especially uploads of unexpected file types.
  • Track Cisco bug ID CSCwn55548 for vendor patch and additional technical details that may surface specific endpoint paths or file type indicators.
  • No workarounds are available for this vulnerability; the only remediation is applying the vendor-released software update.
  • The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type); detection logic should focus on file type/extension validation bypass patterns at EPNM upload endpoints.

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_cisco | 4.3 | MEDIUM