Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

cisco

Source -

CNANVDADP

BOS Name -

Cisco Systems, Inc.

CNA CVEs -

2

ADP CVEs -

182

CISA CVEs -

0

NVD CVEs -

6482
Related CVEsRelated ProductsRelated AssignersReports
6513Vulnerabilities found
CVE-2025-20153
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.04% / 12.29%
||
7 Day CHG~0.00%
Published-19 Feb, 2025 | 16:06
Updated-31 Jul, 2025 | 12:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco ESA mail Bypass

A vulnerability in the email filtering mechanism of Cisco Secure Email Gateway could allow an unauthenticated, remote attacker to bypass the configured rules and allow emails that should have been denied to flow through an affected device.   This vulnerability is due to improper handling of email that passes through an affected device. An attacker could exploit this vulnerability by sending a crafted email through the affected device. A successful exploit could allow the attacker to bypass email filters on the affected device.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_email_gatewayCisco Secure Email
CWE ID-CWE-284
Improper Access Control
CVE-2020-3432
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.6||MEDIUM
EPSS-0.04% / 12.51%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 23:56
Updated-24 Jun, 2025 | 00:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco AnyConnect Secure Mobility Client for Mac OS File Corruption Vulnerability

A vulnerability in the uninstaller component of Cisco AnyConnect Secure Mobility Client for Mac OS could allow an authenticated, local attacker to corrupt the content of any file in the filesystem. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a symbolic link (symlink) to a target file on a specific path. A successful exploit could allow the attacker to corrupt the contents of the file. If the file is a critical systems file, the exploit could lead to a denial of service condition. To exploit this vulnerability, the attacker would need to have valid credentials on the system.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-anyconnect_secure_mobility_clientCisco Secure Client
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2025-20169
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-0.18% / 40.42%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:40
Updated-03 Jul, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeiosCisco IOS XE SoftwareIOS
CWE ID-CWE-805
Buffer Access with Incorrect Length Value
CVE-2025-20175
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-0.18% / 40.42%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:39
Updated-03 Jul, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeiosCisco IOS XE SoftwareIOS
CWE ID-CWE-805
Buffer Access with Incorrect Length Value
CVE-2025-20174
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-0.18% / 40.42%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:39
Updated-03 Jul, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeiosCisco IOS XE SoftwareIOS
CWE ID-CWE-805
Buffer Access with Incorrect Length Value
CVE-2025-20170
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-0.18% / 40.42%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:39
Updated-03 Jul, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeiosCisco IOS XE SoftwareIOS
CWE ID-CWE-805
Buffer Access with Incorrect Length Value
CVE-2025-20171
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-0.08% / 23.39%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:38
Updated-03 Jul, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeiosIOSCisco IOS XE Software
CWE ID-CWE-248
Uncaught Exception
CVE-2025-20176
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-0.08% / 23.39%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:38
Updated-03 Jul, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeiosCisco IOS XE SoftwareIOS
CWE ID-CWE-248
Uncaught Exception
CVE-2025-20172
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-0.08% / 23.39%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:37
Updated-03 Jul, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SNMP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. For Cisco IOS and IOS XE Software, a successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. For Cisco IOS XR Software, a successful exploit could allow the attacker to cause the SNMP process to restart, resulting in an interrupted SNMP response from an affected device. Devices that are running Cisco IOS XR Software will not reload.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeios_xriosIOSCisco IOS XE SoftwareCisco IOS XR Software
CWE ID-CWE-248
Uncaught Exception
CVE-2025-20173
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.7||HIGH
EPSS-0.08% / 23.39%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:35
Updated-03 Jul, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device. This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.  This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xeiosIOSCisco IOS XE Software
CWE ID-CWE-248
Uncaught Exception
CVE-2025-20205
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 12.61%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:14
Updated-28 Mar, 2025 | 13:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.  This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-identity_services_engineCisco Identity Services Engine Software
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-20204
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 12.61%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:14
Updated-28 Mar, 2025 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.  This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-identity_services_engineCisco Identity Services Engine Software
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-20185
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-3.4||LOW
EPSS-0.02% / 2.86%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:14
Updated-06 Aug, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance Privilege Escalation Vulnerability

A vulnerability in the implementation of the remote access functionality of Cisco AsyncOS Software for Cisco Secure Email and Web Manager, Cisco Secure Email Gateway, and Cisco Secure Web Appliance could allow an authenticated, local attacker to elevate privileges to root. The attacker must authenticate with valid administrator credentials. This vulnerability is due to an architectural flaw in the password generation algorithm for the remote access functionality. An attacker could exploit this vulnerability by generating a temporary password for the service account. A successful exploit could allow the attacker to execute arbitrary commands as root and access the underlying operating system. Note: The Security Impact Rating (SIR) for this vulnerability is Medium due to the unrestricted scope of information that is accessible to an attacker.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_email_and_web_manager_virtual_appliance_m300vsecure_email_and_web_manager_m390secure_email_and_web_manager_m690secure_email_and_web_manager_virtual_appliance_m600vsecure_email_and_web_manager_m190secure_email_and_web_manager_m390xsecure_email_and_web_manager_m690xsecure_email_and_web_manager_m170secure_email_and_web_manager_m395secure_email_and_web_manager_m680secure_email_and_web_manager_m195asyncossecure_email_and_web_manager_virtual_appliance_m100vsecure_email_and_web_manager_m380secure_email_and_web_manager_m695Cisco Secure EmailCisco Secure Web ApplianceCisco Secure Email and Web Manager
CWE ID-CWE-250
Execution with Unnecessary Privileges
CVE-2025-20184
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 32.91%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:14
Updated-08 Aug, 2025 | 17:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Secure Email and Web Manager and Secure Web Appliance Command Injection Vulnerability

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Web Appliance could allow an authenticated, remote attacker to perform command injection attacks against an affected device. The attacker must authenticate with valid administrator credentials. This vulnerability is due to insufficient validation of XML configuration files by an affected device. An attacker could exploit this vulnerability by uploading a crafted XML configuration file. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_web_appliance_virtual_s1000vsecure_email_gateway_virtual_appliance_c300vsecure_email_gateway_virtual_appliance_c600vsecure_email_gateway_c395secure_web_appliance_s396secure_web_appliance_virtual_s100vsecure_web_appliance_virtual_s300vsecure_email_gateway_c695secure_email_gateway_c195secure_web_appliance_s196secure_web_appliance_virtual_s600vsecure_web_appliance_s696asyncossecure_email_gateway_virtual_appliance_c100vCisco Secure EmailCisco Secure Web Appliance
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2025-20183
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.09% / 26.83%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:14
Updated-05 Aug, 2025 | 19:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Secure Web Appliance Range Request Bypass Vulnerability

A vulnerability in a policy-based Cisco Application Visibility and Control (AVC) implementation of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to evade the antivirus scanner and download a malicious file onto an endpoint.  The vulnerability is due to improper handling of a crafted range request header. An attacker could exploit this vulnerability by sending an HTTP request with a crafted range request header through the affected device. A successful exploit could allow the attacker to evade the antivirus scanner and download malware onto the endpoint without detection by Cisco Secure Web Appliance.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_web_appliance_s196secure_web_appliance_virtual_s300vsecure_web_appliance_virtual_s600vsecure_web_appliance_s696asyncossecure_web_appliance_s396secure_web_appliance_virtual_s100vsecure_web_appliance_virtual_s1000vCisco Secure Web Appliance
CWE ID-CWE-20
Improper Input Validation
CVE-2025-20180
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 12.61%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:14
Updated-15 Aug, 2025 | 20:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Secure Email and Web Manager and Secure Email Gateway Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Email Gateway could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Operator.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-secure_email_and_web_manager_m395secure_email_gateway_virtual_appliance_c100vsecure_email_gateway_virtual_appliance_c300vsecure_email_and_web_manager_m380secure_email_gateway_virtual_appliance_c600vsecure_email_and_web_manager_m170secure_email_and_web_manager_m390xsecure_email_and_web_manager_m690xsecure_email_and_web_manager_m690secure_email_and_web_manager_virtual_appliance_m300vsecure_email_gateway_c395secure_email_and_web_manager_virtual_appliance_m600vsecure_email_and_web_manager_virtual_appliance_m100vsecure_email_and_web_manager_m695secure_email_and_web_manager_m195secure_email_and_web_manager_m680secure_email_and_web_manager_m390secure_email_gateway_c195secure_email_and_web_manager_m190secure_email_gateway_c695asyncosCisco Secure EmailCisco Secure Email and Web Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-20125
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.18% / 39.44%
||
7 Day CHG+0.03%
Published-05 Feb, 2025 | 16:12
Updated-28 Mar, 2025 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Identity Services Engine Insufficient Authorization Bypass Vulnerability

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to attacker to obtain information, modify system configuration, and reload the device. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-identity_services_engineCisco ISE Passive Identity ConnectorCisco Identity Services Engine Software
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2025-20124
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-9.9||CRITICAL
EPSS-0.47% / 63.58%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 16:12
Updated-28 Mar, 2025 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Identity Services Engine Java Deserialization Vulnerability

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-identity_services_engineCisco ISE Passive Identity ConnectorCisco Identity Services Engine Software
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-20165
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-0.27% / 50.40%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 16:21
Updated-06 Aug, 2025 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco BroadWorks SIP Denial of Service Vulnerability

A vulnerability in the SIP processing subsystem of Cisco BroadWorks could allow an unauthenticated, remote attacker to halt the processing of incoming SIP requests, resulting in a denial of service (DoS) condition. This vulnerability is due to improper memory handling for certain SIP requests. An attacker could exploit this vulnerability by sending a high number of SIP requests to an affected system. A successful exploit could allow the attacker to exhaust the memory that was allocated to the Cisco BroadWorks Network Servers that handle SIP traffic. If no memory is available, the Network Servers can no longer process incoming requests, resulting in a DoS condition that requires manual intervention to recover.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-broadworks_network_serverCisco BroadWorks
CWE ID-CWE-789
Memory Allocation with Excessive Size Value
CVE-2025-20156
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-9.9||CRITICAL
EPSS-0.19% / 40.95%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 16:21
Updated-01 Aug, 2025 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Meeting Management Client-Server Privilege Escalation Vulnerability

A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. This vulnerability exists because proper authorization is not enforced upon REST API users. An attacker could exploit this vulnerability by sending API requests to a specific endpoint. A successful exploit could allow the attacker to gain administrator-level control over edge nodes that are managed by Cisco Meeting Management.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-meeting_managementCisco Meeting Management
CWE ID-CWE-274
Improper Handling of Insufficient Privileges
CVE-2025-20128
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-1.69% / 81.48%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 16:21
Updated-06 Aug, 2025 | 14:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ClamAV OLE2 File Format Decryption Denial of Service Vulnerability

A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer underflow in a bounds check that allows for a heap buffer overflow read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to terminate the ClamAV scanning process, resulting in a DoS condition on the affected software. For a description of this vulnerability, see the . Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-ClamAVCisco Systems, Inc.
Product-secure_endpoint_private_cloudsecure_endpointclamavCisco Secure Endpoint
CWE ID-CWE-122
Heap-based Buffer Overflow
CVE-2025-20168
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 9.45%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 16:19
Updated-23 Jul, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Common Services Platform Collector Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have at least a low-privileged account on an affected device. Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-common_services_platform_collectorcrosswork_network_controllerCisco Common Services Platform Collector Software
CWE ID-CWE-86
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CVE-2025-20167
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 9.45%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 16:19
Updated-23 Jul, 2025 | 16:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Common Services Platform Collector Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have at least a low-privileged account on an affected device. Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-common_services_platform_collectorcrosswork_network_controllerCisco Common Services Platform Collector Software
CWE ID-CWE-86
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CVE-2025-20166
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.04% / 9.45%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 16:19
Updated-23 Jul, 2025 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Common Services Platform Collector Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have at least a low-privileged account on an affected device. Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-common_services_platform_collectorcrosswork_network_controllerCisco Common Services Platform Collector Software
CWE ID-CWE-86
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CVE-2025-20126
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.02% / 3.67%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 16:09
Updated-22 Jul, 2025 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco ThousandEyes Endpoint Agent Certificate Validation Vulnerability

A vulnerability in certification validation routines of Cisco ThousandEyes Endpoint Agent for macOS and RoomOS could allow an unauthenticated, remote attacker to intercept or manipulate metrics information. This vulnerability exists because the affected software does not properly validate certificates for hosted metrics services. An on-path attacker could exploit this vulnerability by intercepting network traffic using a crafted certificate. A successful exploit could allow the attacker to masquerade as a trusted host and monitor or change communications between the remote metrics service and the vulnerable client.

Action-Not Available
Vendor-Apple Inc.Cisco Systems, Inc.
Product-roomosthousandeyes_endpoint_agentmacosCisco ThousandEyes Endpoint Agent
CWE ID-CWE-295
Improper Certificate Validation
CVE-2025-20123
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.04% / 11.94%
||
7 Day CHG~0.00%
Published-08 Jan, 2025 | 16:09
Updated-23 Jul, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Crosswork Network Controller Stored Cross-Site Scripting Vulnerability

Multiple vulnerabilities in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users of the interface of an affected system. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by inserting malicious data into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-crosswork_network_controllerCisco Crosswork Network Change Automation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-26066
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 15.63%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 16:23
Updated-04 Aug, 2025 | 14:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Software XML External Entity Vulnerability

A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Managercatalyst_sd-wan_manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2020-26067
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-8.87% / 92.20%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 16:10
Updated-01 Aug, 2025 | 20:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Webex Teams Web Interface Cross-Site Scripting Vulnerability

A vulnerability in the web-based interface of Cisco Webex Teams could allow an authenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to improper validation of usernames. An attacker could exploit this vulnerability by creating an account that contains malicious HTML or script content and joining a space using the malicious account name. A successful exploit could allow the attacker to conduct cross-site scripting attacks and potentially gain access to sensitive browser-based information.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-webex_teamsCisco Webex Teams
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2020-26062
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 37.57%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 16:06
Updated-06 Aug, 2025 | 13:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Integrated Management Controller Username Enumeration Vulnerability

A vulnerability in Cisco Integrated Management Controller could allow an unauthenticated, remote attacker to enumerate valid usernames within the vulnerable application. The vulnerability is due to differences in authentication responses sent back from the application as part of an authentication attempt. An attacker could exploit this vulnerability by sending authentication requests to the affected application. A successful exploit could allow the attacker to confirm the names of administrative user accounts for use in further attacks.There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-unified_computing_systemCisco Unified Computing System (Managed)unified_computing_system
CWE ID-CWE-203
Observable Discrepancy
CVE-2020-26063
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.08% / 24.02%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 16:05
Updated-18 Nov, 2024 | 19:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Integrated Management Controller Software Authorization Bypass Vulnerability

A vulnerability in the API endpoints of Cisco Integrated Management Controller could allow an authenticated, remote attacker to bypass authorization and take actions on a vulnerable system without authorization. The vulnerability is due to improper authorization checks on API endpoints. An attacker could exploit this vulnerability by sending malicious requests to an API endpoint. An exploit could allow the attacker to download files from or modify limited configuration options on the affected system.There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-Cisco Unified Computing System (Managed)unified_computing_system
CWE ID-CWE-269
Improper Privilege Management
CVE-2020-26071
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-8.4||HIGH
EPSS-0.04% / 10.15%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 16:05
Updated-04 Aug, 2025 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vEdge Arbitrary File Creation Vulnerability

A vulnerability in the CLI of Cisco SD-WAN Software could allow an authenticated, local attacker to create or overwrite arbitrary files on an affected device, which could result in a denial of service (DoS) condition. The vulnerability is due to insufficient input validation for specific commands. An attacker could exploit this vulnerability by including crafted arguments to those specific commands. A successful exploit could allow the attacker to create or overwrite arbitrary files on the affected device, which could result in a DoS condition.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco SD-WAN vEdge RouterCisco Catalyst SD-WAN ManagerCisco SD-WAN vEdge CloudCisco SD-WAN vContainer
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-27124
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-8.6||HIGH
EPSS-0.27% / 49.85%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 16:03
Updated-01 Aug, 2025 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Adaptive Security Appliance Software SSL/TLS Denial of Service Vulnerability

A vulnerability in the SSL/TLS handler of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause the affected device to reload unexpectedly, leading to a denial of service (DoS) condition. The vulnerability is due to improper error handling on established SSL/TLS connections. An attacker could exploit this vulnerability by establishing an SSL/TLS connection with the affected device and then sending a malicious SSL/TLS message within that connection. A successful exploit could allow the attacker to cause the device to reload.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-adaptive_security_appliance_softwareCisco Adaptive Security Appliance (ASA) Softwareadaptive_security_appliance
CWE ID-CWE-457
Use of Uninitialized Variable
CVE-2020-3420
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.05% / 15.66%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 16:02
Updated-06 Aug, 2025 | 13:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Unified Communications Manager Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information.There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-unified_communications_managerCisco Unified Communications Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-26073
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.5||HIGH
EPSS-89.72% / 99.54%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:57
Updated-04 Aug, 2025 | 14:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Directory Traversal Vulnerability

A vulnerability in the application data endpoints of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to application programmatic interfaces (APIs). An attacker could exploit this vulnerability by sending malicious requests to an API within the affected application. A successful exploit could allow the attacker to conduct directory traversal attacks and gain access to sensitive information including credentials or user tokens.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Managercatalyst_sd-wan_manager
CWE ID-CWE-35
Path Traversal: '.../...//'
CVE-2020-26074
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-7.8||HIGH
EPSS-0.05% / 13.69%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:56
Updated-04 Aug, 2025 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Privilege Escalation Vulnerability

A vulnerability in system file transfer functions of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to gain escalated privileges on the underlying operating system. The vulnerability is due to improper validation of path input to the system file transfer functions. An attacker could exploit this vulnerability by sending requests that contain specially crafted path variables to the vulnerable system. A successful exploit could allow the attacker to overwrite arbitrary files, allowing the attacker to modify the system in such a way that could allow the attacker to gain escalated privileges.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Managercatalyst_sd-wan_manager
CWE ID-CWE-250
Execution with Unnecessary Privileges
CVE-2020-3538
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.05% / 13.63%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:53
Updated-06 Aug, 2025 | 14:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Data Center Network Manager Path Traversal Vulnerability

A vulnerability in a certain REST API endpoint of Cisco Data Center Network Manager (DCNM) Software could allow an authenticated, remote attacker to perform a path traversal attack on an affected device. The vulnerability is due to insufficient path restriction enforcement. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to overwrite or list arbitrary files on the affected device.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-data_center_network_managerCisco Data Center Network Manager
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-3539
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.18% / 39.70%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:53
Updated-31 Jul, 2025 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Data Center Network Manager Authorization Bypass Vulnerability

A vulnerability in the web-based management interface of Cisco Data Center Network Manager (DCNM) could allow an authenticated, remote attacker to view, modify, and delete data without proper authorization. The vulnerability is due to a failure to limit access to resources that are intended for users with Administrator privileges. An attacker could exploit this vulnerability by convincing a user to click a malicious URL. A successful exploit could allow a low-privileged attacker to list, view, create, edit, and delete templates in the same manner as a user with Administrator privileges.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-prime_data_center_network_managerCisco Data Center Network Manager
CWE ID-CWE-285
Improper Authorization
CVE-2020-3548
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 38.09%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:53
Updated-31 Jul, 2025 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Email Security Appliance Denial Of Service Vulnerability

A vulnerability in the Transport Layer Security (TLS) protocol implementation of Cisco AsyncOS software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to cause high CPU usage on an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to inefficient processing of incoming TLS traffic. An attacker could exploit this vulnerability by sending a series of crafted TLS packets to an affected device. A successful exploit could allow the attacker to trigger a prolonged state of high CPU utilization. The affected device would still be operative, but response time and overall performance may be degraded.There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-email_security_applianceCisco Secure Emailsecure_email
CWE ID-CWE-407
Inefficient Algorithmic Complexity
CVE-2021-1234
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.09% / 25.93%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:45
Updated-04 Aug, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Information Disclosure Vulnerabilities

A vulnerability in the cluster management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. To be affected by this vulnerability, the vManage software must be in cluster mode. This vulnerability is due to the absence of authentication for sensitive information in the cluster management interface. An attacker could exploit this vulnerability by sending a crafted request to the cluster management interface of an affected system. A successful exploit could allow the attacker to view sensitive information on the affected system.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Managercatalyst_sd-wan_manager
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2021-1132
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 51.24%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:42
Updated-05 Aug, 2025 | 13:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Network Services Orchestrator Path Traversal Vulnerability

A vulnerability in the API subsystem and in the web-management interface of Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to access sensitive data. This vulnerability exists because the web-management interface and certain HTTP-based APIs do not properly validate user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-network_services_orchestratorCisco Network Services Orchestratornetwork_services_orchestrator
CWE ID-CWE-35
Path Traversal: '.../...//'
CVE-2021-1232
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 33.51%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:40
Updated-04 Aug, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to read arbitrary files on the underlying filesystem of an affected system. This vulnerability is due to insufficient access control for sensitive information that is written to an affected system. An attacker could exploit this vulnerability by accessing sensitive information that they are not authorized to access on an affected system. A successful exploit could allow the attacker to gain access to devices and other network management systems that they should not have access to.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Manager
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2021-1410
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 23.00%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:38
Updated-05 Aug, 2025 | 13:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Webex Meetings Unauthorized Distribution List Update Vulnerability

A vulnerability in the distribution list feature of Cisco Webex Meetings could allow an authenticated, remote attacker to modify a distribution list that belongs to another user of their organization. The vulnerability is due to insufficient authorization enforcement for requests to update distribution lists. An attacker could exploit this vulnerability by sending a crafted request to the Webex Meetings interface to modify an existing distribution list. A successful exploit could allow the attacker to modify a distribution list that belongs to a user other than themselves.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-webex_meetingsCisco Webex Meetings
CWE ID-CWE-284
Improper Access Control
CVE-2021-1425
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 34.11%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:36
Updated-11 Aug, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Cisco Email Security Appliance and Content Security Management Appliance Information Disclosure Vulnerability

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Content Security Management Appliance (SMA) could allow an authenticated, remote attacker to access sensitive information on an affected device. The vulnerability exists because confidential information is being included in HTTP requests that are exchanged between the user and the device. An attacker could exploit this vulnerability by looking at the raw HTTP requests that are sent to the interface. A successful exploit could allow the attacker to obtain some of the passwords that are configured throughout the interface.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-content_security_management_appliance_sma_m695content_security_management_appliance_sma_m190asyncoscontent_security_management_appliance_smav_m300vcontent_security_management_appliance_smav_m000vcontent_security_management_appliance_sma_m690content_security_management_appliance_sma_m395content_security_management_appliance_smav_m600vcontent_security_management_appliance_smav_m100vcontent_security_management_appliance_sma_m195Cisco Secure Email and Web Manager
CWE ID-CWE-201
Insertion of Sensitive Information Into Sent Data
CVE-2021-1424
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 43.37%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:35
Updated-18 Nov, 2024 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco ASR 5000 Series Software (StarOS) ipsecmgr Process Denial of Service Vulnerability

A vulnerability in the ipsecmgr process of Cisco ASR 5000 Series Software (StarOS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to insufficient validation of incoming Internet Key Exchange Version 2 (IKEv2) packets. An attacker could exploit this vulnerability by sending specifically malformed IKEv2 packets to an affected device. A successful exploit could allow the attacker to cause the ipsecmgr process to restart, which would disrupt ongoing IKE negotiations and result in a temporary DoS condition.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-Cisco ASR 5000 Series Softwareasr_5000_series_software
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2021-1440
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.28% / 50.78%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:34
Updated-01 Aug, 2025 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco IOS XR Software BGP Resource Public Key Infrastructure Denial of Service Vulnerability

A vulnerability in the implementation of the Resource Public Key Infrastructure (RPKI) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause the Border Gateway Protocol (BGP) process to crash, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of a specific RPKI to Router (RTR) Protocol packet header. An attacker could exploit this vulnerability by compromising the RPKI validator server and sending a specifically crafted RTR packet to an affected device. Alternatively, the attacker could use man-in-the-middle techniques to impersonate the RPKI validator server and send a specifically crafted RTR response packet over the established RTR TCP connection to the affected device. A successful exploit could allow the attacker to cause a DoS condition because the BGP process could constantly restart and BGP routing could become unstable.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.This advisory is part of the September 2021 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see .

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ios_xrCisco IOS XR Software
CWE ID-CWE-617
Reachable Assertion
CVE-2021-1462
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.4||MEDIUM
EPSS-0.02% / 4.27%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:30
Updated-04 Aug, 2025 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Software Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to elevate privileges on an affected system. To exploit this vulnerability, an attacker would need to have a valid Administrator account on an affected system. The vulnerability is due to incorrect privilege assignment. An attacker could exploit this vulnerability by logging in to an affected system with an Administrator account and creating a malicious file, which the system would parse at a later time. A successful exploit could allow the attacker to obtain root privileges on the affected system.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Manager
CWE ID-CWE-20
Improper Input Validation
CVE-2021-1465
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.91%
||
7 Day CHG~0.00%
Published-18 Nov, 2024 | 15:26
Updated-04 Aug, 2025 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a directory traversal attack and obtain read access to sensitive files on an affected system. The vulnerability is due to insufficient validation of HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request that contains directory traversal character sequences to an affected system. A successful exploit could allow the attacker to write arbitrary files on the affected system.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Manager
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-1466
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 32.36%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 17:04
Updated-04 Aug, 2025 | 14:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vDaemon Buffer Overflow Vulnerability

A vulnerability in the vDaemon service of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to cause a buffer overflow on an affected system, resulting in a denial of service (DoS) condition. The vulnerability is due to incomplete bounds checks for data that is provided to the vDaemon service of an affected system. An attacker could exploit this vulnerability by sending malicious data to the vDaemon listening service on the affected system. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected system, which could allow the attacker to cause the vDaemon listening service to reload and result in a DoS condition.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Manager
CWE ID-CWE-20
Improper Input Validation
CVE-2021-1481
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.10%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 16:37
Updated-04 Aug, 2025 | 14:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Cypher Query Language Injection Vulnerability

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct Cypher query language injection attacks on an affected system. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to the interface of an affected system. A successful exploit could allow the attacker to obtain sensitive information.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Manager
CWE ID-CWE-943
Improper Neutralization of Special Elements in Data Query Logic
CVE-2021-1482
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.06% / 19.90%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 16:36
Updated-04 Aug, 2025 | 14:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Authorization Bypass Vulnerability

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization checking and gain access to sensitive information on an affected system. This vulnerability is due to insufficient authorization checks. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to bypass authorization checking and gain access to sensitive information on the affected system.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Manager
CWE ID-CWE-20
Improper Input Validation
CVE-2021-1464
Assigner-Cisco Systems, Inc.
ShareView Details
Assigner-Cisco Systems, Inc.
CVSS Score-5||MEDIUM
EPSS-0.25% / 47.96%
||
7 Day CHG~0.00%
Published-15 Nov, 2024 | 16:32
Updated-04 Aug, 2025 | 14:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco SD-WAN vManage Authorization Bypass Vulnerability

A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization checking and gain restricted access to the configuration information of an affected system. This vulnerability exists because the affected software has insufficient input validation for certain commands. An attacker could exploit this vulnerability by sending crafted requests to the affected commands of an affected system. A successful exploit could allow the attacker to bypass authorization checking and gain restricted access to the configuration data of the affected system.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-catalyst_sd-wan_managerCisco Catalyst SD-WAN Manager
CWE ID-CWE-20
Improper Input Validation
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 130
  • 131
  • Next