Cisco

339 CVEs vendor

Monthly

CVE-2026-20107 MEDIUM This Month

Device reload in Cisco APIC's Object Model CLI component allows authenticated local users to trigger a denial of service through insufficient input validation on crafted commands. An attacker with valid credentials and CLI access can exploit this vulnerability to crash the affected device, though no patch is currently available. This vulnerability affects systems where attackers can obtain legitimate user credentials with appropriate role permissions.

Cisco Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20099 MEDIUM This Month

Insufficient input validation in Cisco FXOS and UCS Manager web interfaces enables authenticated administrators to inject arbitrary commands and achieve root-level code execution on affected systems. The vulnerability requires local access and valid admin credentials, allowing privileged attackers to bypass normal OS restrictions. No patch is currently available, and the lack of input sanitization on command arguments represents a critical privilege escalation vector for insider threats.

Cisco Command Injection
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2026-20091 MEDIUM This Month

The web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software is affected by cross-site scripting (XSS) (CVSS 4.8).

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20051 HIGH This Week

Cisco Nexus 3600 and 9500-R switches are vulnerable to Layer 2 traffic loops when processing maliciously crafted EVPN frames, allowing unauthenticated adjacent attackers to trigger a denial of service condition by overwhelming network bandwidth. An attacker can exploit this logic error in Layer 2 ingress packet processing by sending crafted Ethernet frames, causing VxLAN traffic loops that drop all data plane traffic. No patch is currently available for this vulnerability.

Cisco Denial Of Service
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-20048 HIGH This Week

Improper SNMP request parsing in Cisco Nexus 9000 Series switches running ACI mode allows authenticated remote attackers to trigger kernel panics and device reloads by sending specially crafted queries to specific MIBs. An attacker with valid SNMP read-only community credentials can exploit this vulnerability across SNMP versions 1, 2c, and 3 to achieve denial of service. No patch is currently available for this vulnerability.

Cisco Linux Snmp Denial Of Service
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-20037 MEDIUM This Month

Cisco UCS Manager NX-OS CLI improperly grants excessive privileges to read-only users, allowing authenticated local attackers to modify files and execute privileged actions on affected systems. An attacker with read-only credentials can exploit this privilege escalation to create or overwrite files, or to perform limited administrative operations. No patch is currently available.

Cisco
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-20036 MEDIUM This Month

Cisco UCS Manager's CLI and web management interfaces are vulnerable to OS command injection when authenticated administrators submit specially crafted input due to inadequate argument validation. An attacker with valid admin credentials can exploit this to execute arbitrary commands as root on the affected device. No patch is currently available for this vulnerability.

Cisco
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-20033 HIGH This Week

Cisco Nexus 9000 Series Fabric Switches in ACI mode contain a vulnerability that allows attackers to cause the device to reload unexpectedly, resulting in a DoS condition (CVSS 7.4).

Cisco Denial Of Service
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-20010 HIGH This Week

Cisco NX-OS devices can be forced to reload through a crafted LLDP packet sent by an adjacent, unauthenticated attacker, causing a denial of service condition. The vulnerability stems from improper frame field validation in the LLDP process, exploitable only from directly connected network segments. No patch is currently available for affected systems.

Cisco Denial Of Service
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-20123 MEDIUM This Month

Open redirect in Cisco Prime Infrastructure and Evolved Programmable Network Manager allows unauthenticated remote attackers to redirect users to malicious websites through insufficient input validation in the web management interface. An attacker can intercept and modify HTTP requests to craft malicious URLs that deceive users into visiting attacker-controlled pages. No patch is currently available for this vulnerability.

Cisco Prime Infrastructure Evolved Programmable Network Manager
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-20119 HIGH This Week

Unauthenticated remote attackers can crash Cisco TelePresence Collaboration Endpoint and RoomOS devices by sending specially crafted text through meeting invitations or similar channels, exploiting insufficient input validation in the text rendering subsystem. The vulnerability requires no user interaction and causes device reloads resulting in denial of service. No patch is currently available.

Cisco Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20111 MEDIUM This Month

Stored XSS in Cisco Prime Infrastructure's web management interface allows authenticated administrators to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or sensitive data theft. The vulnerability stems from insufficient input validation on specific data fields and requires valid admin credentials to exploit. No patch is currently available.

Cisco XSS Prime Infrastructure
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20098 HIGH This Week

Arbitrary file upload in Cisco Meeting Management's Certificate Management interface allows authenticated attackers to write arbitrary files and execute commands with root privileges on affected systems. An attacker with valid credentials can exploit improper input validation in the web management interface to overwrite system files processed with elevated privileges, leading to complete system compromise. No patch is currently available for this vulnerability.

Cisco Meeting Management
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-20056 MEDIUM This Month

Cisco Secure Web Appliance's DVS Engine improperly handles certain archive files, allowing unauthenticated remote attackers to bypass the anti-malware scanner and deliver malicious archives to end users. An attacker can exploit this by sending crafted archive files through affected devices to circumvent malware detection. While downloaded malware requires manual extraction and execution by the user, this vulnerability enables distribution of malicious content that would normally be blocked.

Cisco
NVD
CVSS 3.1
4.0
EPSS
0.0%
CVE-2026-20109 MEDIUM This Month

Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts by exploiting insufficient input validation. Successful exploitation enables arbitrary script execution within the management interface context or theft of sensitive browser-based information from authorized users. No patch is currently available; exploitation requires high-level privileges and user interaction.

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20092 MEDIUM This Month

Improper file permissions in Cisco Intersight Virtual Appliance's maintenance shell allow authenticated administrators to escalate privileges to root and gain full control of the system. An attacker with local administrative access can manipulate configuration files to bypass intended privilege restrictions, potentially compromising sensitive data and workload configurations. No patch is currently available for this vulnerability.

Cisco Denial Of Service
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-20080 MEDIUM This Month

SSH service disruption in Cisco IEC6400 Wireless Backhaul Edge Compute Software allows unauthenticated remote attackers to trigger denial of service through connection flooding due to missing rate limiting protections. An attacker can render the SSH service unresponsive by launching a DoS attack against the SSH port, though other device operations remain functional during the attack. No patch is currently available.

Cisco Ssh Denial Of Service
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-20055 MEDIUM This Month

Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts that execute in the context of other users' browsers, potentially enabling session hijacking or sensitive data theft. The vulnerability stems from inadequate input validation on specific interface pages and requires high-privilege account access and user interaction to exploit. No patch is currently available for this medium-severity issue (CVSS 4.8).

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20045 HIGH KEV THREAT Act Now

Cisco Unified Communications Manager and related products contain a code injection vulnerability (CVE-2026-20045) that allows unauthenticated remote attackers to execute arbitrary code. This KEV-listed vulnerability affects the core enterprise voice/video infrastructure including Unified CM, IM&P, Unity Connection, and Webex Calling Dedicated Instance, making it a high-priority threat for organizations dependent on Cisco collaboration tools.

Cisco Unity Connection Unified Communications Manager Unified Communications Manager Im And Presence Service
NVD VulDB
CVSS 3.1
8.2
EPSS
1.0%
CVE-2026-20076 MEDIUM This Month

Stored XSS in Cisco ISE's web management interface allows authenticated administrators to inject malicious scripts that execute in other users' browsers, potentially compromising sensitive information or hijacking administrative sessions. Exploitation requires valid admin credentials and user interaction, making it suitable for insider threats or compromised accounts. No patch is currently available.

Cisco XSS Identity Services Engine
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20075 MEDIUM This Month

Stored XSS in Cisco Prime Infrastructure and EPNM web management interfaces allows authenticated administrators with high privileges to inject malicious scripts that execute in other users' browsers, potentially enabling session hijacking or credential theft. The vulnerability stems from insufficient input validation in specific data fields and requires valid admin credentials to exploit. No patch is currently available.

Cisco XSS Prime Infrastructure Evolved Programmable Network Manager
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20047 MEDIUM This Month

Cisco ISE and ISE-PIC's web management interface fails to properly sanitize user input, enabling authenticated admins to inject malicious scripts that execute in other users' browsers. Successful exploitation allows attackers with valid administrative credentials to steal session data or perform actions on behalf of legitimate users through reflected XSS attacks. No patch is currently available.

Cisco XSS Identity Services Engine
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-20029 MEDIUM This Month

Cisco ISE and ISE-PIC suffer from improper XML parsing in their web management interfaces that enables authenticated administrators to extract arbitrary files from the underlying operating system, potentially exposing sensitive data beyond normal access controls. An attacker must have valid administrative credentials and upload a malicious file to exploit this XML External Entity (XXE) vulnerability. No patch is currently available.

Cisco
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-20027 MEDIUM This Month

Snort 3 Detection Engine contains a buffer out-of-bounds read vulnerability in DCE/RPC request processing that allows unauthenticated remote attackers to leak sensitive information or trigger service restarts over an established connection. An attacker can exploit this by sending specially crafted DCE/RPC requests to extract data from the inspection stream or interrupt packet analysis operations. No patch is currently available for affected Cisco products.

Cisco
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20026 MEDIUM This Month

Processing of DCE/RPC requests contains a vulnerability that allows attackers to unexpectedly restart the Snort 3 Detection Engine, which could cause a denial of (CVSS 5.8).

Cisco Use After Free Denial Of Service
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-60692 HIGH POC This Week

A stack-based buffer overflow vulnerability exists in the libshared.so library of Cisco Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). Rated high severity (CVSS 8.4), this vulnerability requires no authentication and has low attack complexity. Public exploit code is available and no vendor patch is available.

Stack Overflow Buffer Overflow Linksys RCE Cisco +2
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-20355 MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Catalyst Center Virtual Appliance could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Cisco
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-20353 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Catalyst Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco XSS Catalyst Center
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-20349 MEDIUM This Month

A vulnerability in the REST API of Cisco Catalyst Center could allow an authenticated, remote attacker to execute arbitrary commands in a restricted container as the root user. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Command Injection Catalyst Center
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2025-20346 MEDIUM Monitor

A vulnerability in Cisco Catalyst Center could allow an authenticated, remote attacker to execute operations that should require Administrator privileges. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Privilege Escalation Catalyst Center
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-20341 HIGH This Month

A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-20377 MEDIUM Monitor

A vulnerability in the API subsystem of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to obtain sensitive information from an affected system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-20376 MEDIUM This Month

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Cisco Unified Contact Center Express
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-20375 MEDIUM This Month

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Cisco Unified Contact Center Express
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-20374 MEDIUM Monitor

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to perform a directory traversal and access arbitrary resources. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Cisco Unified Contact Center Express
NVD
CVSS 3.1
4.9
EPSS
0.3%
CVE-2025-20358 CRITICAL This Week

A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Authentication Bypass Unified Contact Center Express
NVD
CVSS 3.1
9.4
EPSS
0.6%
CVE-2025-20354 CRITICAL This Week

A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Cisco Authentication Bypass Java Unified Contact Center Express
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-20343 HIGH This Month

A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Cisco Identity Services Engine
NVD
CVSS 3.1
8.6
EPSS
0.2%
CVE-2025-20305 MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Identity Services Engine
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-20304 MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Identity Services Engine
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-20303 MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Identity Services Engine
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-20289 MEDIUM Monitor

Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Identity Services Engine
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-20361 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Cisco XSS
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-20357 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Cyber Vision Center could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials that allow access to the Reports page. By default, all pre-defined users have this access, as do any custom users that are configured to allow access to the Reports page.

Cisco XSS Cyber Vision Center
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-20356 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Cyber Vision Center could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials that allow access to the Sensor Explorer page. By default, Admin and Product user roles have this access, as do any custom users that are configured to allow access to the Sensors page.

Cisco XSS Cyber Vision Center
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-20363 CRITICAL CERT-EU This Week

A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Apple RCE Heap Overflow Cisco +4
NVD
CVSS 3.1
9.0
EPSS
5.7%
CVE-2025-20362 MEDIUM POC KEV THREAT CERT-EU Act Now

Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (CISA KEV), with an EPSS exploitation probability of 43.6%.

Authentication Bypass Denial Of Service Cisco Adaptive Security Appliance Software Firepower Threat Defense
NVD
CVSS 3.1
6.5
EPSS
43.6%
CVE-2025-20333 CRITICAL KEV THREAT CERT-EU Act Now

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (CISA KEV), with an EPSS exploitation probability of 18.8%.

Buffer Overflow Cisco RCE Adaptive Security Appliance Software Firepower Threat Defense
NVD
CVSS 3.1
9.9
EPSS
18.8%
CVE-2025-20352 HIGH KEV THREAT CERT-EU Act Now

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (CISA KEV); no vendor patch available.

Stack Overflow Buffer Overflow Apple RCE Denial Of Service +3
NVD
CVSS 3.1
7.7
EPSS
2.0%
CVE-2025-20338 MEDIUM This Month

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker with administrative privileges to execute arbitrary commands as root on the underlying operating. Rated medium severity (CVSS 6.0), this vulnerability has low attack complexity. No vendor patch available.

Cisco Apple Information Disclosure Ios Xe
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-20327 HIGH This Month

A vulnerability in the web UI of Cisco IOS Software could allow an authenticated, remote attacker with low privileges to cause a denial of service (DoS) condition on an affected device. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Cisco Apple
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2025-20316 MEDIUM This Month

A vulnerability in the access control list (ACL) programming of Cisco IOS XE Software for Cisco Catalyst 9500X and 9600X Series Switches could allow an unauthenticated, remote attacker to bypass a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-20315 HIGH This Month

A vulnerability in the Network-Based Application Recognition (NBAR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, causing a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Cisco Apple
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-20314 MEDIUM This Month

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-20313 MEDIUM This Month

Multiple vulnerabilities in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute. Rated medium severity (CVSS 6.7), this vulnerability has low attack complexity. No vendor patch available.

Cisco Apple Path Traversal
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-20312 HIGH This Month

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Apple Cisco
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-20311 HIGH This Month

A vulnerability in the handling of certain Ethernet frames in Cisco IOS XE Software for Catalyst 9000 Series Switches could allow an unauthenticated, adjacent attacker to cause an egress port to. Rated high severity (CVSS 7.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.

Denial Of Service Cisco Apple
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-20293 MEDIUM This Month

A vulnerability in the Day One setup process of Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers for Cloud (9800-CL) could allow an unauthenticated, remote attacker to access the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Apple Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-20240 MEDIUM This Month

A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Apple XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-20160 HIGH This Month

A vulnerability in the implementation of the TACACS+ protocol in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to view sensitive data or bypass. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Cisco Apple Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-20149 MEDIUM This Month

A vulnerability in the CLI of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of. Rated medium severity (CVSS 6.5), this vulnerability has low attack complexity. No vendor patch available.

Denial Of Service Cisco Buffer Overflow Apple
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-20365 MEDIUM Monitor

A vulnerability in the IPv6 Router Advertisement (RA) packet processing of Cisco Access Point Software could allow an unauthenticated, adjacent attacker to modify the IPv6 gateway on an affected. Rated medium severity (CVSS 4.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.

Cisco Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-20364 MEDIUM Monitor

A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point (AP) Software could allow an unauthenticated, adjacent attacker to inject wireless 802.11 action frames. Rated medium severity (CVSS 4.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.

Cisco Code Injection
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-20339 MEDIUM This Month

A vulnerability in the access control list (ACL) processing of IPv4 packets of Cisco SD-WAN vEdge Software could allow an unauthenticated, remote attacker to bypass a configured ACL. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cisco
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-20334 HIGH This Month

A vulnerability in the HTTP API subsystem of Cisco IOS XE Software could allow a remote attacker to inject commands that will execute with root privileges into the underlying operating system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Command Injection Apple
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-20340 HIGH This Month

A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of. Rated high severity (CVSS 7.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.

Denial Of Service Apple Cisco
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-20248 MEDIUM This Month

A vulnerability in the installation process of Cisco IOS XR Software could allow an authenticated, local attacker to bypass Cisco IOS XR Software image signature verification and load unsigned. Rated medium severity (CVSS 6.0), this vulnerability has low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple Jwt Attack
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-20159 MEDIUM This Month

A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-7350 HIGH This Month

A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Cisco
NVD
CVSS 4.0
8.6
EPSS
0.5%
CVE-2025-20336 MEDIUM This Month

A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Information Disclosure Desk Phone 9841 Firmware Desk Phone 9851 Firmware Desk Phone 9861 Firmware +14
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-20335 MEDIUM This Month

A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to write. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cisco Desk Phone 9841 Firmware Desk Phone 9851 Firmware Desk Phone 9861 Firmware +14
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-20330 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco XSS Unified Communications Manager Im And Presence Service
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-20328 MEDIUM This Month

A vulnerability in the user profile component of Cisco Webex Meetings could have allowed an authenticated, remote attacker with low privileges to conduct a cross-site scripting (XSS) attack against a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Webex Meetings
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-20326 MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco CSRF Unified Communications Manager
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-20291 MEDIUM Monitor

A vulnerability in Cisco Webex Meetings could have allowed an unauthenticated, remote attacker to redirect a targeted Webex Meetings user to an untrusted website. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Open Redirect Webex Meetings
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-20287 MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to upload arbitrary files to an affected. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco File Upload Evolved Programmable Network Manager
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-20280 MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Evolved Programmable Network Manager Prime Infrastructure
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-20270 MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Evolved Programmable Network Manager Prime Infrastructure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-20348 MEDIUM This Month

A vulnerability in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to view sensitive. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Nexus Dashboard
NVD
CVSS 3.1
5.0
EPSS
0.1%
CVE-2025-20347 MEDIUM This Month

A vulnerability in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to view sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Nexus Dashboard
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-20344 MEDIUM This Month

A vulnerability in the backup restore functionality of Cisco Nexus Dashboard could allow an authenticated, remote attacker to conduct a path traversal attack on an affected device. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Path Traversal Nexus Dashboard
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-20342 MEDIUM This Month

A vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with low privileges to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-20317 HIGH This Month

A vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to redirect a user to. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Open Redirect
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-20296 MEDIUM This Month

A vulnerability in the web-based management interface of Cisco UCS Manager Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS
NVD
CVSS 3.0
5.4
EPSS
0.0%
CVE-2025-20295 MEDIUM This Month

A vulnerability in the CLI of Cisco UCS Manager Software could allow an authenticated, local attacker with administrative privileges to read or create a file or overwrite any file on the file system. Rated medium severity (CVSS 6.0), this vulnerability has low attack complexity. No vendor patch available.

Command Injection Cisco
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-20294 MEDIUM This Month

Multiple vulnerabilities in the CLI and web-based management interface of Cisco UCS Manager Software could allow an authenticated, remote attacker with administrative privileges to perform command. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Cisco
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-20292 MEDIUM Monitor

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute a command injection attack on the underlying operating system of an affected device. Rated medium severity (CVSS 4.4), this vulnerability has low attack complexity. No vendor patch available.

Command Injection Cisco
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2025-20290 MEDIUM This Month

A vulnerability in the logging feature of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches, Cisco Nexus 9000 Series Switches in standalone NX-OS mode, Cisco UCS 6400 Fabric Interconnects,. Rated medium severity (CVSS 5.5), this vulnerability has low attack complexity. No vendor patch available.

Cisco Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-20262 MEDIUM This Month

A vulnerability in the Protocol Independent Multicast Version 6 (PIM6) feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Null Pointer Dereference Cisco
NVD
CVSS 3.1
5.0
EPSS
0.2%
CVE-2025-20241 HIGH This Month

A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) feature of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS. Rated high severity (CVSS 7.4), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.

Denial Of Service Cisco
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-20107
EPSS 0% CVSS 5.5
MEDIUM This Month

Device reload in Cisco APIC's Object Model CLI component allows authenticated local users to trigger a denial of service through insufficient input validation on crafted commands. An attacker with valid credentials and CLI access can exploit this vulnerability to crash the affected device, though no patch is currently available. This vulnerability affects systems where attackers can obtain legitimate user credentials with appropriate role permissions.

Cisco Denial Of Service
NVD
CVE-2026-20099
EPSS 0% CVSS 6.7
MEDIUM This Month

Insufficient input validation in Cisco FXOS and UCS Manager web interfaces enables authenticated administrators to inject arbitrary commands and achieve root-level code execution on affected systems. The vulnerability requires local access and valid admin credentials, allowing privileged attackers to bypass normal OS restrictions. No patch is currently available, and the lack of input sanitization on command arguments represents a critical privilege escalation vector for insider threats.

Cisco Command Injection
NVD
CVE-2026-20091
EPSS 0% CVSS 4.8
MEDIUM This Month

The web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software is affected by cross-site scripting (XSS) (CVSS 4.8).

Cisco XSS
NVD
CVE-2026-20051
EPSS 0% CVSS 7.4
HIGH This Week

Cisco Nexus 3600 and 9500-R switches are vulnerable to Layer 2 traffic loops when processing maliciously crafted EVPN frames, allowing unauthenticated adjacent attackers to trigger a denial of service condition by overwhelming network bandwidth. An attacker can exploit this logic error in Layer 2 ingress packet processing by sending crafted Ethernet frames, causing VxLAN traffic loops that drop all data plane traffic. No patch is currently available for this vulnerability.

Cisco Denial Of Service
NVD
CVE-2026-20048
EPSS 0% CVSS 7.7
HIGH This Week

Improper SNMP request parsing in Cisco Nexus 9000 Series switches running ACI mode allows authenticated remote attackers to trigger kernel panics and device reloads by sending specially crafted queries to specific MIBs. An attacker with valid SNMP read-only community credentials can exploit this vulnerability across SNMP versions 1, 2c, and 3 to achieve denial of service. No patch is currently available for this vulnerability.

Cisco Linux Snmp +1
NVD
CVE-2026-20037
EPSS 0% CVSS 4.4
MEDIUM This Month

Cisco UCS Manager NX-OS CLI improperly grants excessive privileges to read-only users, allowing authenticated local attackers to modify files and execute privileged actions on affected systems. An attacker with read-only credentials can exploit this privilege escalation to create, overwrite files, or perform limited administrative operations. No patch is currently available.

Cisco
NVD
CVE-2026-20036
EPSS 0% CVSS 6.5
MEDIUM This Month

Cisco UCS Manager's CLI and web management interfaces are vulnerable to OS command injection when authenticated administrators submit specially crafted input due to inadequate argument validation. An attacker with valid admin credentials can exploit this to execute arbitrary commands as root on the affected device. No patch is currently available for this vulnerability.

Cisco
NVD
CVE-2026-20033
EPSS 0% CVSS 7.4
HIGH This Week

Cisco Nexus 9000 Series Fabric Switches in ACI mode contain a vulnerability that allows attackers to cause the device to reload unexpectedly, resulting in a DoS condition (CVSS 7.4).

Cisco Denial Of Service
NVD
CVE-2026-20010
EPSS 0% CVSS 7.4
HIGH This Week

Cisco NX-OS devices can be forced to reload through a crafted LLDP packet sent by an adjacent, unauthenticated attacker, causing a denial of service condition. The vulnerability stems from improper frame field validation in the LLDP process, exploitable only from directly connected network segments. No patch is currently available for affected systems.

Cisco Denial Of Service
NVD
CVE-2026-20123
EPSS 0% CVSS 4.3
MEDIUM This Month

Open redirect in Cisco Prime Infrastructure and Evolved Programmable Network Manager allows unauthenticated remote attackers to redirect users to malicious websites through insufficient input validation in the web management interface. An attacker can intercept and modify HTTP requests to craft malicious URLs that deceive users into visiting attacker-controlled pages. No patch is currently available for this vulnerability.

Cisco Prime Infrastructure Evolved Programmable Network Manager
NVD
CVE-2026-20119
EPSS 0% CVSS 7.5
HIGH This Week

Unauthenticated remote attackers can crash Cisco TelePresence Collaboration Endpoint and RoomOS devices by sending specially crafted text through meeting invitations or similar channels, exploiting insufficient input validation in the text rendering subsystem. The vulnerability requires no user interaction and causes device reloads resulting in denial of service. No patch is currently available.

Cisco Denial Of Service
NVD
CVE-2026-20111
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Cisco Prime Infrastructure's web management interface allows authenticated administrators to inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking or sensitive data theft. The vulnerability stems from insufficient input validation on specific data fields and requires valid admin credentials to exploit. No patch is currently available.

Cisco XSS Prime Infrastructure
NVD
CVE-2026-20098
EPSS 1% CVSS 8.8
HIGH This Week

Unauthenticated file upload in Cisco Meeting Management's Certificate Management interface allows authenticated attackers to write arbitrary files and execute commands with root privileges on affected systems. An attacker with valid credentials can exploit improper input validation in the web management interface to overwrite system files processed with elevated privileges, leading to complete system compromise. No patch is currently available for this vulnerability.

Cisco Meeting Management
NVD
CVE-2026-20056
EPSS 0% CVSS 4.0
MEDIUM This Month

Cisco Secure Web Appliance's DVS Engine improperly handles certain archive files, allowing unauthenticated remote attackers to bypass the anti-malware scanner and deliver malicious archives to end users. An attacker can exploit this by sending crafted archive files through affected devices to circumvent malware detection. While downloaded malware requires manual extraction and execution by the user, this vulnerability enables distribution of malicious content that would normally be blocked.

Cisco
NVD
CVE-2026-20109
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts by exploiting insufficient input validation. Successful exploitation enables arbitrary script execution within the management interface context or theft of sensitive browser-based information from authorized users. No patch is currently available; exploitation requires high-level privileges and user interaction.

Cisco XSS
NVD
CVE-2026-20092
EPSS 0% CVSS 6.0
MEDIUM This Month

Improper file permissions in Cisco Intersight Virtual Appliance's maintenance shell allow authenticated administrators to escalate privileges to root and gain full control of the system. An attacker with local administrative access can manipulate configuration files to bypass intended privilege restrictions, potentially compromising sensitive data and workload configurations. No patch is currently available for this vulnerability.

Cisco Denial Of Service
NVD
CVE-2026-20080
EPSS 0% CVSS 5.3
MEDIUM This Month

SSH service disruption in Cisco IEC6400 Wireless Backhaul Edge Compute Software allows unauthenticated remote attackers to trigger denial of service through connection flooding due to missing rate limiting protections. An attacker can render the SSH service unresponsive by launching a DoS attack against the SSH port, though other device operations remain functional during the attack. No patch is currently available.

Cisco Ssh Denial Of Service
NVD
CVE-2026-20055
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS vulnerabilities in Cisco Packaged CCE and Unified CCE web management interfaces allow authenticated attackers to inject malicious scripts that execute in the context of other users' browsers, potentially enabling session hijacking or sensitive data theft. The vulnerability stems from inadequate input validation on specific interface pages and requires high-privilege account access and user interaction to exploit. No patch is currently available for this medium-severity issue (CVSS 4.8).

Cisco XSS
NVD
CVE-2026-20045
EPSS 1% CVSS 8.2
HIGH KEV THREAT Act Now

Cisco Unified Communications Manager and related products contain a code injection vulnerability (CVE-2026-20045) that allows unauthenticated remote attackers to execute arbitrary code. This KEV-listed vulnerability affects the core enterprise voice/video infrastructure including Unified CM, IM&P, Unity Connection, and Webex Calling Dedicated Instance, making it a high-priority threat for organizations dependent on Cisco collaboration tools.

Cisco Unity Connection Unified Communications Manager +1
NVD VulDB
CVE-2026-20076
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Cisco ISE's web management interface allows authenticated administrators to inject malicious scripts that execute in other users' browsers, potentially compromising sensitive information or hijacking administrative sessions. Exploitation requires valid admin credentials and user interaction, making it suitable for insider threats or compromised accounts. No patch is currently available.

Cisco XSS Identity Services Engine
NVD
CVE-2026-20075
EPSS 0% CVSS 4.8
MEDIUM This Month

Stored XSS in Cisco Prime Infrastructure and EPNM web management interfaces allows authenticated administrators with high privileges to inject malicious scripts that execute in other users' browsers, potentially enabling session hijacking or credential theft. The vulnerability stems from insufficient input validation in specific data fields and requires valid admin credentials to exploit. No patch is currently available.

Cisco XSS Prime Infrastructure +1
NVD
CVE-2026-20047
EPSS 0% CVSS 4.8
MEDIUM This Month

Cisco ISE and ISE-PIC's web management interface fails to properly sanitize user input, enabling authenticated admins to inject malicious scripts that execute in other users' browsers. Successful exploitation allows attackers with valid administrative credentials to steal session data or perform actions on behalf of legitimate users through reflected XSS attacks. No patch is currently available.

Cisco XSS Identity Services Engine
NVD
CVE-2026-20029
EPSS 0% CVSS 4.9
MEDIUM This Month

Cisco ISE and ISE-PIC suffer from improper XML parsing in their web management interfaces that enables authenticated administrators to extract arbitrary files from the underlying operating system, potentially exposing sensitive data beyond normal access controls. An attacker must have valid administrative credentials and upload a malicious file to exploit this XML External Entity (XXE) vulnerability. No patch is currently available.

Cisco
NVD
CVE-2026-20027
EPSS 0% CVSS 5.3
MEDIUM This Month

Snort 3 Detection Engine contains a buffer out-of-bounds read vulnerability in DCE/RPC request processing that allows unauthenticated remote attackers to leak sensitive information or trigger service restarts over an established connection. An attacker can exploit this by sending specially crafted DCE/RPC requests to extract data from the inspection stream or interrupt packet analysis operations. No patch is currently available for affected Cisco products.

Cisco
NVD
CVE-2026-20026
EPSS 0% CVSS 5.8
MEDIUM This Month

Processing of DCE/RPC requests contains a vulnerability that allows attackers to unexpectedly restart the Snort 3 Detection Engine, which could cause a denial of (CVSS 5.8).

Cisco Use After Free Denial Of Service
NVD
CVE-2025-60692
EPSS 0% CVSS 8.4
HIGH POC This Week

A stack-based buffer overflow vulnerability exists in the libshared.so library of Cisco Linksys E1200 v2 routers (Firmware E1200_v2.0.11.001_us.tar.gz). Rated high severity (CVSS 8.4), this vulnerability requires no authentication and has low attack complexity. Public exploit code available and no vendor patch available.

Stack Overflow Buffer Overflow Linksys +4
NVD GitHub
CVE-2025-20355
EPSS 0% CVSS 4.7
MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Catalyst Center Virtual Appliance could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Cisco
NVD
CVE-2025-20353
EPSS 0% CVSS 6.1
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Catalyst Center could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco XSS Catalyst Center
NVD
CVE-2025-20349
EPSS 0% CVSS 6.3
MEDIUM This Month

A vulnerability in the REST API of Cisco Catalyst Center could allow an authenticated, remote attacker to execute arbitrary commands in a restricted container as the root user. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Command Injection Catalyst Center
NVD
CVE-2025-20346
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in Cisco Catalyst Center could allow an authenticated, remote attacker to execute operations that should require Administrator privileges. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Privilege Escalation Catalyst Center
NVD
CVE-2025-20341
EPSS 0% CVSS 8.8
HIGH This Month

A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Authentication Bypass
NVD
CVE-2025-20377
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in the API subsystem of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to obtain sensitive information from an affected system. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure
NVD
CVE-2025-20376
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Cisco Unified Contact Center Express
NVD
CVE-2025-20375
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to upload and execute arbitrary files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Cisco Unified Contact Center Express
NVD
CVE-2025-20374
EPSS 0% CVSS 4.9
MEDIUM Monitor

A vulnerability in the web UI of Cisco Unified CCX could allow an authenticated, remote attacker to perform a directory traversal and access arbitrary resources. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Cisco Unified Contact Center Express
NVD
CVE-2025-20358
EPSS 1% CVSS 9.4
CRITICAL This Week

A vulnerability in the Contact Center Express (CCX) Editor application of Cisco Unified CCX could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Authentication Bypass Unified Contact Center Express
NVD
CVE-2025-20354
EPSS 0% CVSS 9.8
CRITICAL This Week

A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload Cisco Authentication Bypass +2
NVD
CVE-2025-20343
EPSS 0% CVSS 8.6
HIGH This Month

A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Cisco Identity Services Engine
NVD
CVE-2025-20305
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Identity Services Engine
NVD
CVE-2025-20304
EPSS 0% CVSS 5.4
MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Identity Services Engine
NVD
CVE-2025-20303
EPSS 0% CVSS 5.4
MEDIUM This Month

Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Identity Services Engine
NVD
CVE-2025-20289
EPSS 0% CVSS 4.8
MEDIUM Monitor

Multiple vulnerabilities in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a reflected XSS attack against a user of the. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Identity Services Engine
NVD
CVE-2025-20361
EPSS 0% CVSS 4.8
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

Cisco XSS
NVD
CVE-2025-20357
EPSS 0% CVSS 5.4
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Cyber Vision Center could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials that allow access to the Reports page. By default, all pre-defined users have this access, as do any custom users that are configured to allow access to the Reports page.

Cisco XSS Cyber Vision Center
NVD
CVE-2025-20356
EPSS 0% CVSS 5.4
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Cyber Vision Center could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials that allow access to the Sensor Explorer page. By default, Admin and Product user roles have this access, as do any custom users that are configured to allow access to the Sensors page.

Cisco XSS Cyber Vision Center
NVD
CVE-2025-20363
EPSS 6% CVSS 9.0
CRITICAL This Week

A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Buffer Overflow Apple RCE +6
NVD
CVE-2025-20362
EPSS 44% CVSS 6.5
MEDIUM POC KEV THREAT Act Now

Update: On November 5, 2025, Cisco became aware of a new attack variant against devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases that are affected by CVE-2025-20333 and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (CISA KEV) and EPSS exploitation probability 43.6%.

Authentication Bypass Denial Of Service Cisco +2
NVD
CVE-2025-20333
EPSS 19% CVSS 9.9
CRITICAL KEV THREAT Act Now

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (CISA KEV) and EPSS exploitation probability 18.8%.

Buffer Overflow Cisco RCE +2
NVD
CVE-2025-20352
EPSS 2% CVSS 7.7
HIGH KEV THREAT Act Now

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow the following: An authenticated, remote attacker with low. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (CISA KEV) and no vendor patch available.

Stack Overflow Buffer Overflow Apple +5
NVD
CVE-2025-20338
EPSS 0% CVSS 6.0
MEDIUM This Month

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker with administrative privileges to execute arbitrary commands as root on the underlying operating. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Cisco Apple Information Disclosure +1
NVD
CVE-2025-20327
EPSS 0% CVSS 7.7
HIGH This Month

A vulnerability in the web UI of Cisco IOS Software could allow an authenticated, remote attacker with low privileges to cause a denial of service (DoS) condition on an affected device. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Cisco Apple
NVD
CVE-2025-20316
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability in the access control list (ACL) programming of Cisco IOS XE Software for Cisco Catalyst 9500X and 9600X Series Switches could allow an unauthenticated, remote attacker to bypass a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple
NVD
CVE-2025-20315
EPSS 0% CVSS 8.6
HIGH This Month

A vulnerability in the Network-Based Application Recognition (NBAR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, causing a. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Cisco Apple
NVD
CVE-2025-20314
EPSS 0% CVSS 6.7
MEDIUM This Month

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple
NVD
CVE-2025-20313
EPSS 0% CVSS 6.7
MEDIUM This Month

Multiple vulnerabilities in Cisco IOS XE Software could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to the device to execute. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Cisco Apple Path Traversal
NVD
CVE-2025-20312
EPSS 0% CVSS 7.7
HIGH This Month

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Apple Cisco
NVD
CVE-2025-20311
EPSS 0% CVSS 7.4
HIGH This Month

A vulnerability in the handling of certain Ethernet frames in Cisco IOS XE Software for Catalyst 9000 Series Switches could allow an unauthenticated, adjacent attacker to cause an egress port to. Rated high severity (CVSS 7.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Cisco Apple
NVD
CVE-2025-20293
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability in the Day One setup process of Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers for Cloud (9800-CL) could allow an unauthenticated, remote attacker to access the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Apple Information Disclosure
NVD
CVE-2025-20240
EPSS 0% CVSS 6.1
MEDIUM This Month

A vulnerability in the Web Authentication feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting attack (XSS) on an affected. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Apple XSS
NVD
CVE-2025-20160
EPSS 0% CVSS 8.1
HIGH This Month

A vulnerability in the implementation of the TACACS+ protocol in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to view sensitive data or bypass. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Cisco Apple +1
NVD
CVE-2025-20149
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the CLI of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload unexpectedly, resulting in a denial of. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Cisco Buffer Overflow +1
NVD
CVE-2025-20365
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in the IPv6 Router Advertisement (RA) packet processing of Cisco Access Point Software could allow an unauthenticated, adjacent attacker to modify the IPv6 gateway on an affected. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Cisco Information Disclosure
NVD
CVE-2025-20364
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in the Device Analytics action frame processing of Cisco Wireless Access Point (AP) Software could allow an unauthenticated, adjacent attacker to inject wireless 802.11 action frames. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Cisco Code Injection
NVD
CVE-2025-20339
EPSS 0% CVSS 5.8
MEDIUM This Month

A vulnerability in the access control list (ACL) processing of IPv4 packets of Cisco SD-WAN vEdge Software could allow an unauthenticated, remote attacker to bypass a configured ACL. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cisco
NVD
CVE-2025-20334
EPSS 0% CVSS 8.8
HIGH This Month

A vulnerability in the HTTP API subsystem of Cisco IOS XE Software could allow a remote attacker to inject commands that will execute with root privileges into the underlying operating system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Command Injection Apple
NVD
CVE-2025-20340
EPSS 0% CVSS 7.4
HIGH This Month

A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of. Rated high severity (CVSS 7.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Apple Cisco
NVD
CVE-2025-20248
EPSS 0% CVSS 6.0
MEDIUM This Month

A vulnerability in the installation process of Cisco IOS XR Software could allow an authenticated, local attacker to bypass Cisco IOS XR Software image signature verification and load unsigned. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple +1
NVD
CVE-2025-20159
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability in the management interface access control list (ACL) processing feature in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass configured ACLs for the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cisco Apple
NVD
CVE-2025-7350
EPSS 0% CVSS 8.6
HIGH This Month

A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Cisco
NVD
CVE-2025-20336
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to access. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Information Disclosure Desk Phone 9841 Firmware +16
NVD
CVE-2025-20335
EPSS 0% CVSS 5.3
MEDIUM This Month

A vulnerability in the directory permissions of Cisco Desk Phone 9800 Series, Cisco IP Phone 7800 and 8800 Series, and Cisco Video Phone 8875 could allow an unauthenticated, remote attacker to write. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Cisco Desk Phone 9841 Firmware +16
NVD
CVE-2025-20330
EPSS 0% CVSS 6.1
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P) could allow an unauthenticated, remote attacker to. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco XSS Unified Communications Manager Im And Presence Service
NVD
CVE-2025-20328
EPSS 0% CVSS 5.4
MEDIUM This Month

A vulnerability in the user profile component of Cisco Webex Meetings could have allowed an authenticated, remote attacker with low privileges to conduct a cross-site scripting (XSS) attack against a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Webex Meetings
NVD
CVE-2025-20326
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) Software and Cisco Unified CM Session Management Edition (SME) Software could allow an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco CSRF Unified Communications Manager
NVD
CVE-2025-20291
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in Cisco Webex Meetings could have allowed an unauthenticated, remote attacker to redirect a targeted Webex Meetings user to an untrusted website. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Open Redirect Webex Meetings
NVD
CVE-2025-20287
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to upload arbitrary files to an affected. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco File Upload Evolved Programmable Network Manager
NVD
CVE-2025-20280
EPSS 0% CVSS 4.8
MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS Evolved Programmable Network Manager +1
NVD
CVE-2025-20270
EPSS 0% CVSS 4.3
MEDIUM Monitor

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Evolved Programmable Network Manager +1
NVD
CVE-2025-20348
EPSS 0% CVSS 5.0
MEDIUM This Month

A vulnerability in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to view sensitive. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Nexus Dashboard
NVD
CVE-2025-20347
EPSS 0% CVSS 5.4
MEDIUM This Month

A vulnerability in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to view sensitive. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Nexus Dashboard
NVD
CVE-2025-20344
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the backup restore functionality of Cisco Nexus Dashboard could allow an authenticated, remote attacker to conduct a path traversal attack on an affected device. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Path Traversal Nexus Dashboard
NVD
CVE-2025-20342
EPSS 0% CVSS 5.4
MEDIUM This Month

A vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with low privileges to. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS
NVD
CVE-2025-20317
EPSS 0% CVSS 7.1
HIGH This Month

A vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to redirect a user to. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Open Redirect
NVD
CVE-2025-20296
EPSS 0% CVSS 5.4
MEDIUM This Month

A vulnerability in the web-based management interface of Cisco UCS Manager Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco XSS
NVD
CVE-2025-20295
EPSS 0% CVSS 6.0
MEDIUM This Month

A vulnerability in the CLI of Cisco UCS Manager Software could allow an authenticated, local attacker with administrative privileges to read or create a file or overwrite any file on the file system. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Cisco
NVD
CVE-2025-20294
EPSS 0% CVSS 6.5
MEDIUM This Month

Multiple vulnerabilities in the CLI and web-based management interface of Cisco UCS Manager Software could allow an authenticated, remote attacker with administrative privileges to perform command. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Cisco
NVD
CVE-2025-20292
EPSS 0% CVSS 4.4
MEDIUM Monitor

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute a command injection attack on the underlying operating system of an affected device. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Cisco
NVD
CVE-2025-20290
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability in the logging feature of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches, Cisco Nexus 9000 Series Switches in standalone NX-OS mode, Cisco UCS 6400 Fabric Interconnects,. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Cisco Information Disclosure
NVD
CVE-2025-20262
EPSS 0% CVSS 5.0
MEDIUM This Month

A vulnerability in the Protocol Independent Multicast Version 6 (PIM6) feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Null Pointer Dereference Cisco
NVD
CVE-2025-20241
EPSS 0% CVSS 7.4
HIGH This Month

A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) feature of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS. Rated high severity (CVSS 7.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Cisco
NVD