Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Information Disclosure Vulnerability
TL;DR 📌
A medium-severity information disclosure vulnerability has been identified in Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure. This flaw allows authenticated, low-privileged users to access sensitive configuration information. Software updates are available to mitigate this risk, but there are no workarounds.
What happened 🕵️♂️
A vulnerability exists in the web-based management interface of Cisco EPNM and Cisco Prime Infrastructure. This issue arises from improper validation of requests to API endpoints. An authenticated attacker with low privileges could exploit this vulnerability to view sensitive configuration information that should be restricted.
Affected products 🖥️
- Cisco Evolved Programmable Network Manager (EPNM) versions 7.1 and earlier, 8.0, and 8.1
- Cisco Prime Infrastructure versions 3.9 and earlier, 3.10
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 7.1 and earlier | Migrate to a fixed release. | |
| 8.0 | 8.0.1 | |
| 8.1 | 8.1.2 | |
| 3.9 and earlier | Migrate to a fixed release. | |
| 3.10 | 3.10.6 Security Update 02 | |
| 1.0 | Initial public release. | |
| Cisco EPNM | 8.0.1 | 7.1 and earlier |
| Cisco EPNM | 8.1.2 | 8.1 |
| Cisco Prime Infrastructure | 3.10.6 Security Update 02 | 3.9 and earlier |
Workarounds 🧯
There are no workarounds that address this vulnerability.
Risk in context 🎯
The highest CVSS score for this vulnerability is 4.3, categorized as Medium. While the risk of exploitation is limited to authenticated users, the potential for unauthorized access to sensitive information remains a concern.
Fast facts ⚡
- CVE Identifier: CVE-2025-20270
- Severity: Medium
- Exploitation: Requires low-privileged user access
- No known public exploitation or announcements
For leadership 🧭
This vulnerability poses a Medium risk to our organization, as it allows authenticated users to access sensitive configuration data. The exposure is limited to users with low privileges and does not impact availability. Immediate remediation is advised by patching within 7 days to mitigate the risk. The operational impact is minimal, requiring only a brief maintenance window with no expected configuration drift.
Now: Review and prioritize patching for affected systems.
Next: Ensure all relevant teams are informed and prepared for the upcoming maintenance.
Later: Monitor for any updates from Cisco regarding further vulnerabilities or patches.