Command Injection Vulnerability in Cisco Unified Communications Products
CVE-2025-20278

6MEDIUM

Key Information:

Vendor

Cisco
Status
Cisco Finesse
Cisco Socialminer
Cisco Unified Communications Manager
Cisco Unified Communications Manager Im And Presence Service
Vendor
CVE Published:
4 June 2025

Badges

👾 Exploit Exists

What is CVE-2025-20278?

A command injection vulnerability exists in the Command Line Interface (CLI) of various Cisco Unified Communications products, allowing an authenticated local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. This issue arises from inadequate validation of user-supplied command arguments. Attackers with valid administrative credentials can exploit this vulnerability by issuing specially crafted commands that bypass security restrictions, thereby compromising system integrity and potentially leading to unauthorized access to sensitive data.

Affected Version(s)

Cisco Finesse 11.0(1)ES_Rollback

Cisco Finesse 10.5(1)ES4

Cisco Finesse 11.6(1)ES3

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.