CVE-2025-20347
BaseFortify
Publication date: 2025-08-27
Last updated on: 2025-09-08
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | nexus_dashboard | to 4.1\(1g\) (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC) due to missing authorization controls. It allows an authenticated, low-privileged remote attacker to send specially crafted API requests to certain endpoints. Successful exploitation lets the attacker perform limited administrative functions such as viewing sensitive information related to HTTP Proxy and NTP configurations, uploading images, and damaging image files on the affected device. [1]
How can this vulnerability impact me? :
The vulnerability can impact you by allowing a low-privileged authenticated attacker to access sensitive configuration information and modify or damage image files on your affected Cisco Nexus Dashboard or NDFC device. This could lead to unauthorized disclosure of sensitive data and potential disruption or damage to device functionality through image uploads or modifications. [1]
What immediate steps should I take to mitigate this vulnerability?
Users should upgrade to the fixed software releases to mitigate this vulnerability, as no workarounds exist. Specifically, upgrade Cisco Nexus Dashboard to version 4.1(1g) or later, and for Cisco Nexus Dashboard Fabric Controller (NDFC), migrate to a fixed Cisco Nexus Dashboard unified release starting from 3.1(1k). [1]