Skip to main content

SSH CVE-2025-20261

| EUVDEUVD-2025-16890 HIGH
Improper Restriction of Communication Channel to Intended Endpoints (CWE-923)
2025-06-04 psirt@cisco.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 17:29 euvd
EUVD-2025-16890
Analysis Generated
Mar 14, 2026 - 17:29 vuln.today
CVE Published
Jun 04, 2025 - 17:15 nvd
HIGH 8.8

DescriptionCVE.org

A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers could allow an authenticated, remote attacker to access internal services with elevated privileges.

This vulnerability is due to insufficient restrictions on access to internal services. An attacker with a valid user account could exploit this vulnerability by using crafted syntax when connecting to the Cisco IMC of an affected device through SSH. A successful exploit could allow the attacker to access internal services with elevated privileges, which may allow unauthorized modifications to the system, including the possibility of creating new administrator accounts on the affected device.

AnalysisAI

Critical authentication bypass vulnerability in Cisco Integrated Management Controller (IMC) across multiple UCS server platforms that allows authenticated remote attackers to escalate privileges and access internal services with elevated permissions via crafted SSH syntax. The vulnerability affects UCS B-Series, C-Series, S-Series, and X-Series servers, enabling attackers to create administrator accounts and modify system configurations. With a CVSS score of 8.8 and low attack complexity requiring only valid credentials, this vulnerability poses significant risk to data center infrastructure and should be prioritized for patching.

Technical ContextAI

This vulnerability resides in the SSH connection handling mechanism of Cisco IMC, which is the baseboard management controller (BMC) firmware responsible for out-of-band server management. The root cause is classified as CWE-923 (Improper Restriction of Communication Channel to Intended Endpoints), indicating that the SSH service fails to properly validate or restrict access to internal management services based on user roles and privileges. The IMC exposes privileged internal services through SSH that should be access-controlled, but insufficient validation of SSH connection parameters and user context allows authenticated users to bypass these restrictions through crafted syntax. This affects CPE entries for Cisco UCS platforms: cisco:ucs_b-series, cisco:ucs_c-series, cisco:ucs_s-series, and cisco:ucs_x-series across multiple firmware versions, where the BMC/IMC firmware is the vulnerable component.

RemediationAI

Immediate actions: (1) Apply Cisco-released firmware patch to affected IMC/CIMC versions - consult Cisco Security Advisory CVE-2025-20261 for specific patch versions by platform; (2) If patching cannot be immediately deployed, implement network-level controls: restrict SSH access to IMC to trusted administrative networks only, disable remote IMC access if not required, implement host-based firewall rules limiting IMC connectivity; (3) Audit IMC user accounts for unauthorized administrator accounts created post-compromise; (4) Review IMC audit logs for suspicious SSH connection attempts with anomalous syntax patterns; (5) Enforce strong password policies and multi-factor authentication on IMC accounts if supported by firmware version; (6) Consider disabling IMC remote access entirely and using only console/local access during remediation window. Patch availability expected from Cisco within standard advisory timeline - monitor Cisco Security Center for release notification.

More in SSH

View all
CVE-2014-6271 CRITICAL POC
9.8 Sep 24

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which

CVE-2014-6278 HIGH POC
8.8 Sep 30

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2014-7169 CRITICAL POC
9.8 Sep 25

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of

CVE-2012-6066 CRITICAL POC
9.3 Dec 04

freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons

CVE-2014-6277 CRITICAL POC
10.0 Sep 27

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi

CVE-2023-25136 MEDIUM POC
6.5 Feb 03

OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se

CVE-2016-6210 MEDIUM POC
5.9 Feb 13

sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static

CVE-2015-5600 HIGH POC
8.1 Aug 03

The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin

CVE-2016-6515 HIGH POC
7.5 Aug 07

The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2012-5975 CRITICAL POC
9.3 Dec 04

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

Share

CVE-2025-20261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy