Cisco Prime Infrastructure
CVE-2025-20272
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable REST API requires low-privilege auth; blind read-only SQLi yields limited confidentiality impact with no integrity or availability effect.
Primary rating from Vendor (cisco).
CVSS VectorVendor: cisco
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability in a subset of REST APIs of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, low-privileged, remote attacker to conduct a blind SQL injection attack.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to an affected API. A successful exploit could allow the attacker to view data in some database tables on an affected device.
AnalysisAI
Blind SQL injection in Cisco Prime Infrastructure and Evolved Programmable Network Manager (EPNM) REST APIs permits authenticated low-privileged remote attackers to extract data from database tables on the affected device. The vulnerability stems from insufficient validation of user-supplied input passed to the affected API endpoints, enabling an attacker to infer database contents through crafted boolean-based or time-based blind injection requests. No public exploit code has been identified and this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog at time of analysis.
Technical ContextAI
Cisco Prime Infrastructure and EPNM are enterprise-grade network management and orchestration platforms commonly deployed in large enterprise and service-provider environments. The affected attack surface is a subset of the platforms' REST APIs, which fail to adequately sanitize user-controlled input before incorporating it into SQL queries - the classic root cause described by CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Because the injection is blind, the attacker cannot read query results directly; instead, database content must be inferred through boolean or time-delay side-channels. Affected products per CPE include Cisco Prime Infrastructure broadly (with 3.10.6 base and 3.10.6:security_update_01 explicitly enumerated as vulnerable) and Cisco EPNM broadly (with 8.1.0 explicitly enumerated). The CVSS vector (AV:N/AC:L/PR:L) confirms the APIs are reachable over the network and require only a low-privilege account.
RemediationAI
The primary remediation is to apply the vendor-released patch per Cisco Security Advisory cisco-sa-piepnm-bsi-25JJqsbb, available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-piepnm-bsi-25JJqsbb. Specific fixed versions are not confirmed in the data available for this analysis and must be verified directly from the advisory before patching. Notably, Cisco Prime Infrastructure 3.10.6 Security Update 01 does NOT remediate this vulnerability, as it remains listed as an affected version in CPE data; administrators who have applied that update must still apply the subsequent fix. As a compensating control where patching is not immediately possible, restrict access to the Prime Infrastructure and EPNM REST APIs to trusted administrative network segments using perimeter firewall rules or ACLs - this raises the effective privilege bar for exploitation by preventing untrusted low-privilege users from reaching the API layer. Additionally, audit low-privilege user accounts on both platforms and remove any unnecessary accounts to reduce the attacker pool. These controls do not eliminate the vulnerability but meaningfully reduce exploitability.
More in Prime Infrastructure
View allA vulnerability in the web-based management interface of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable
A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions
The API in Cisco Prime Infrastructure 1.2 through 3.0 and Evolved Programmable Network Manager (EPNM) 1.2 allows remote
Cisco Prime Infrastructure 1.2.0 through 2.2(2) and Cisco Evolved Programmable Network Manager (EPNM) 1.2 allow remote a
A vulnerability in the REST API of Cisco Prime Infrastructure (PI) and Cisco Evolved Programmable Network Manager (EPNM)
A vulnerability in the Cisco Prime File Upload servlet affecting multiple Cisco products could allow a remote attacker t
A vulnerability in the Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface could
Cisco Prime Infrastructure 1.2 and 1.3 before 1.3.0.20-2, 1.4 before 1.4.0.45-2, and 2.0 before 2.0.0.0.294-2 allows rem
The administrative web interface in Cisco Prime Infrastructure (PI) before 3.1.1 allows remote authenticated users to ex
Cisco Prime Infrastructure 3.0 allows remote authenticated users to execute arbitrary code via a crafted HTTP request th
Cisco Prime Infrastructure 1.2 through 3.1 and Evolved Programmable Network Manager (EPNM) 1.2 and 2.0 allow remote auth
The API web interface in Cisco Prime Infrastructure before 3.1 and Cisco Evolved Programmable Network Manager before 1.2
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today