Command Injection Vulnerability in Cisco Duo Self-Service Portal
CVE-2025-20258

5.4MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Duo
Vendor: CVE Published:; 21 May 2025

Badges

👾 Exploit Exists

What is CVE-2025-20258?

A command injection vulnerability exists in the self-service portal of Cisco Duo, allowing unauthenticated remote attackers to inject arbitrary commands into emails sent by the service. This vulnerability arises from inadequate input validation, enabling attackers to create and send emails containing malicious content to unsuspecting users. Such exploitation could lead to security breaches, potentially compromising user data and trust. Organizations using Cisco Duo should ensure they address this vulnerability promptly to protect their users from potential threats.

Affected Version(s)

Cisco Duo

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
May 21, 2025
Vulnerability published
May 21, 2025
Vulnerability Reserved
Oct 10, 2024