Network Configuration Access Control Flaw in Cisco IOS XE Software
CVE-2025-20214

4.3 MEDIUM

Key Information:

Vendor

Cisco

CVE Published:
7 May 2025

Badges

👾 Exploit Exists

What is CVE-2025-20214?

A security flaw in the Network Configuration Access Control Module (NACM) of Cisco IOS XE Software allows an authenticated remote attacker to gain unauthorized read access to sensitive configuration or operational data. The issue arises from a change in the behavior of an internal API call, which causes query results to be filtered incorrectly. An attacker can exploit this vulnerability through the NETCONF, RESTCONF, or gRPC Network Management Interface (gNMI) protocols by querying data on paths that the NACM configuration should block. Successful exploitation gives an attacker holding valid low-privilege user credentials access to data that NACM was configured to restrict.

Affected Version(s)

Cisco IOS XE Software 17.11.1

Cisco IOS XE Software 17.11.1a

Cisco IOS XE Software 17.12.1

References

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
