CVE-2025-20270

Summary

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain sensitive information from an affected system.

This vulnerability is due to improper validation of requests to API endpoints. An attacker could exploit this vulnerability by sending a valid request to a specific API endpoint within the affected system. A successful exploit could allow a low-privileged user to view sensitive configuration information on the affected system that should be restricted. To exploit this vulnerability, an attacker must have access as a low-privileged user.  

Affected Software

VendorProductVersion RangeStatus
CiscoCisco Evolved Programmable Network Manager (EPNM)7.0.0affected
CiscoCisco Evolved Programmable Network Manager (EPNM)7.1.1affected
CiscoCisco Evolved Programmable Network Manager (EPNM)7.1.2.1affected
CiscoCisco Evolved Programmable Network Manager (EPNM)7.0.1.3affected
CiscoCisco Evolved Programmable Network Manager (EPNM)7.1.3affected
CiscoCisco Evolved Programmable Network Manager (EPNM)7.1.2affected
CiscoCisco Evolved Programmable Network Manager (EPNM)7.0.1.2affected
CiscoCisco Evolved Programmable Network Manager (EPNM)7.0.1.1affected
CiscoCisco Evolved Programmable Network Manager (EPNM)7.0.1affected
CiscoCisco Evolved Programmable Network Manager (EPNM)7.1.0affected
CiscoCisco Prime Infrastructure3.9.0affected
CiscoCisco Prime Infrastructure3.10.0affected
CiscoCisco Prime Infrastructure3.9.1affected
CiscoCisco Prime Infrastructure3.10.2affected
CiscoCisco Prime Infrastructure3.10.3affected
CiscoCisco Prime Infrastructure3.10affected
CiscoCisco Prime Infrastructure3.10.1affected
CiscoCisco Prime Infrastructure3.9.1 Update 01affected
CiscoCisco Prime Infrastructure3.9.1 Update 02affected
CiscoCisco Prime Infrastructure3.9.1 Update 03affected
CiscoCisco Prime Infrastructure3.9.1 Update 04affected
CiscoCisco Prime Infrastructure3.9.0 Update 01affected
CiscoCisco Prime Infrastructure3.10.4affected
CiscoCisco Prime Infrastructure3.10.4 Update 01affected
CiscoCisco Prime Infrastructure3.10.4 Update 02affected
CiscoCisco Prime Infrastructure3.10.4 Update 03affected
CiscoCisco Prime Infrastructure3.10.5affected
CiscoCisco Prime Infrastructure3.10.6affected
CiscoCisco Prime Infrastructure3.10.6 Update 01affected

Weaknesses

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References