How to fix CVE-2025-20361?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Is Cisco affected by CVE-2025-20361?

CVE-2025-20361 presents moderate security risk, a cross-site scripting vulnerability rated CVSS 4.8. Attackers could inject scripts to steal sessions or perform actions as authenticated users. Organizations should apply vendor updates when available and monitor for exploitation.

CVE-2025-20361

EUVD-2025-32720 MEDIUM

2025-10-01 [email protected]

4.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 13, 2026 - 18:18 euvd

EUVD-2025-32720

Analysis Generated

Mar 13, 2026 - 18:18 vuln.today

CVE Published

Oct 01, 2025 - 17:15 nvd

MEDIUM 4.8

Description

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Analysis

This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Technical Context

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

Remediation

Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +24

POC: 0

CVE-2025-20361 vulnerability details – vuln.today

Back

CVE-2025-20361

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Share

CVE-2025-20361

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Remediation

Priority Score

Share

External POC / Exploit Code