Strix
26.1K

CVE-2025-20272

MEDIUMCVSS 4.3/10EPSS 0.29%

Last modified

CVE-2025-20272 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. A vulnerability in a subset of REST APIs of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, low-privileged, remote attacker to conduct a blind SQL injection attack. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to an affected API. EPSS estimates a 0.29% chance of exploitation in the next 30 days.

Description

A vulnerability in a subset of REST APIs of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, low-privileged, remote attacker to conduct a blind SQL injection attack. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to an affected API. A successful exploit could allow the attacker to view data in some database tables on an affected device.

Metrics

CVSS 3.1
4.3/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Probability
0.29%

20.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
CiscoPrime Infrastructure2.0.0
CiscoPrime Infrastructure2.0.10
CiscoPrime Infrastructure2.0.39
CiscoPrime Infrastructure2.1
CiscoPrime Infrastructure2.1.0
CiscoPrime Infrastructure2.1.1
CiscoPrime Infrastructure2.1.2
CiscoPrime Infrastructure2.1.56
CiscoPrime Infrastructure2.2
CiscoPrime Infrastructure2.2.0
CiscoPrime Infrastructure2.2.1
CiscoPrime Infrastructure2.2.2
CiscoPrime Infrastructure2.2.3
CiscoPrime Infrastructure2.2.4
CiscoPrime Infrastructure2.2.5
CiscoPrime Infrastructure2.2.7
CiscoPrime Infrastructure2.2.8
CiscoPrime Infrastructure2.2.9
CiscoPrime Infrastructure2.2.10
CiscoPrime Infrastructure3.0.0
CiscoPrime Infrastructure3.0.1
CiscoPrime Infrastructure3.0.2
CiscoPrime Infrastructure3.0.3
CiscoPrime Infrastructure3.0.4
CiscoPrime Infrastructure3.0.5
CiscoPrime Infrastructure3.0.6
CiscoPrime Infrastructure3.0.7
CiscoPrime Infrastructure3.1Device Pack10
CiscoPrime Infrastructure3.1.0
CiscoPrime Infrastructure3.1.1
CiscoPrime Infrastructure3.1.2
CiscoPrime Infrastructure3.1.3
CiscoPrime Infrastructure3.1.4
CiscoPrime Infrastructure3.1.5
CiscoPrime Infrastructure3.1.6
CiscoPrime Infrastructure3.1.7
CiscoPrime Infrastructure3.2
CiscoPrime Infrastructure3.2.0-fips
CiscoPrime Infrastructure3.2.1
CiscoPrime Infrastructure3.2.2
CiscoPrime Infrastructure3.3Device Pack1
CiscoPrime Infrastructure3.3.0
CiscoPrime Infrastructure3.3.1
CiscoPrime Infrastructure3.4Device Pack1
CiscoPrime Infrastructure3.4.0
CiscoPrime Infrastructure3.4.1
CiscoPrime Infrastructure3.4.2
CiscoPrime Infrastructure3.5Device Pack1
CiscoPrime Infrastructure3.5.0
CiscoPrime Infrastructure3.5.1

Showing 50 of 179 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-20272?
A vulnerability in a subset of REST APIs of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, low-privileged, remote attacker to conduct a blind SQL injection attack. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to an affected API. A successful exploit could allow the attacker to view data in some database tables on an affected device.
How severe is CVE-2025-20272?
CVE-2025-20272 has a CVSS score of 4.3/10 (MEDIUM severity). The EPSS model estimates a 0.29% probability of exploitation in the next 30 days.
How do I fix CVE-2025-20272?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-20272?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST