CVE-2025-20278: Cisco Unified Communications Products Command Injection Vulnerability

6.0 CVSS

Description

A vulnerability in the CLI of multiple Cisco Unified Communications products could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user.

This vulnerability is due to improper validation of user-supplied command arguments. An attacker could exploit this vulnerability by executing crafted commands on the CLI of an affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device as the root user. To exploit this vulnerability, the attacker must have valid administrative credentials.

Classification

CVE ID: CVE-2025-20278

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.0

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Problem Types

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected Products

Vendor: Cisco

Product: Cisco Finesse, Cisco SocialMiner, Cisco Unified Communications Manager, Cisco Unified Communications Manager IM and Presence Service, Cisco Unified Contact Center Express, Cisco Unified Intelligence Center, Cisco Unity Connection, Cisco Virtualized Voice Browser

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.01% (probability of being exploited)

EPSS Percentile: 1.4% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-20278
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vos-command-inject-65s2UCYy

Timeline

2025-06-04 16:00:42 UTC
Cisco Security Advisory

Cisco Unified Communications Products Command Injection Vulnerability
2025-06-04 17:40:15 UTC
CVE

Cisco Unified Communications Products Command Injection Vulnerability