Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Sensitive Information Disclosure Vulnerability
TL;DR 📌
A medium-severity vulnerability has been identified in Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure, allowing authenticated low-privileged attackers to access sensitive files. No workarounds are available, and software updates are necessary to mitigate the risk.
What happened 🕵️♂️
A vulnerability exists in the web-based management interface of Cisco EPNM and Cisco Prime Infrastructure due to insufficient input validation for specific HTTP requests. An authenticated, low-privileged remote attacker could exploit this vulnerability to retrieve arbitrary files from the underlying file system of affected devices.
Affected products 🖥️
- Cisco Evolved Programmable Network Manager (EPNM) versions 7.1 and earlier, 8.0, and 8.1
- Cisco Prime Infrastructure versions 3.9 and earlier, 3.10
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 7.1 and earlier | Migrate to a fixed release. | |
| 8.0 | Migrate to a fixed release. | |
| 8.1 | 8.1.1 | |
| 3.9 and earlier | Migrate to a fixed release. | |
| 3.10 | 3.10.6 Security Update 02 | |
| 1.0 | Initial public release. | |
| Cisco EPNM | 8.1.1 | 7.1 and earlier, 8.0 |
| Cisco Prime Infrastructure | 3.10.6 Security Update 02 | 3.9 and earlier |
Workarounds 🧯
There are no workarounds that address this vulnerability.
Risk in context 🎯
This vulnerability has a CVSS score of 6.5, indicating a medium risk. While it requires authentication, the ability to access sensitive files poses a significant threat to data confidentiality. Organizations using the affected products should prioritize patching to mitigate potential exploitation.
Fast facts ⚡
- Vulnerability ID: CVE-2025-20269
- Severity: Medium (CVSS 6.5)
- Exploitation: Requires authenticated access
- Workarounds: None available
For leadership 🧭
This vulnerability presents a Medium risk due to its CVSS score of 6.5. It requires authenticated access, which limits exposure but still allows for potential sensitive data breaches. Immediate remediation is necessary, with a recommendation to patch within 7 days since fixes are available. The operational impact is expected to be minimal, involving a brief maintenance window with no anticipated configuration drift.
Now: Review and prioritize patching for affected systems.
Next: Schedule updates to the fixed software versions.
Later: Monitor for any potential exploitation attempts or related security advisories.