Cyber Posture

CVE-2025-20349

Severity: Medium
Published: 13 November 2025
Modified: 19 November 2025
KEV Added: not listed
Patch: see the Cisco Security Advisory linked below
CVSS Score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0021 (43.4th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20349 is a medium-severity OS Command Injection (CWE-78) vulnerability in Cisco Catalyst Center. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score of 0.0021 (roughly a 0.2% predicted probability of exploitation activity in the next 30 days) places it at the 43.4th percentile, below the median, and it is not currently listed in the CISA KEV catalog. Note that the CVSS vector requires low-privilege credentials (PR:L): the flaw is not reachable anonymously.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) for initial access and Unix Shell (T1059.004) for execution of the injected commands. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation of user-supplied input in REST API request parameters, which is the root cause named in the advisory; allowlisting the expected value shape and never handing a request parameter to a shell is what this control translates to in code.

SI-2 Flaw Remediation (prevent)

Mandates identification, reporting, and correction of flaws like this command injection vulnerability through timely patching; for this CVE that means upgrading Catalyst Center past the affected range listed under Details.

AC-6 Least Privilege (prevent)

Restricts which accounts hold the Observer role and can authenticate to the REST API. Because the injected commands run as root inside the restricted container regardless of the caller's role, this control limits who can trigger the flaw, not what an injected command can do; pruning stale Observer accounts and service credentials shrinks the set of usable footholds.
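To make the SI-10 recommendation concrete, the following is an added illustration, not Catalyst Center's code and not taken from the advisory. Catalyst Center's API implementation is not public, so the parameter name (`target`), the diagnostic command (`ping`) and the handler shapes are assumptions chosen to show the CWE-78 pattern: a request parameter spliced into a shell string beside the hardened form that allowlists the value and builds an argv list so no shell ever parses it.

```python
import re
import subprocess

# Added illustration of the CWE-78 pattern the page describes. Catalyst Center's
# API code is not public, so the parameter name ("target"), the diagnostic
# command (ping) and the handler shapes below are assumptions, not the real
# vulnerable code path.


def build_command_unsafe(target: str) -> str:
    """Vulnerable pattern: the request parameter is spliced into a shell string.

    If this string reaches subprocess.run(..., shell=True), os.system() or
    "sh -c", everything after ';', '|', '&&', '$(...)' or a backtick is parsed
    by the shell as a second command and runs with the service's privilege
    (root inside the container, in this advisory's case).
    """
    return f"ping -c 1 {target}"


# Allowlist for the one value the endpoint accepts: an IPv4 dotted quad or a
# conservative DNS name. Allowlisting beats stripping metacharacters, which
# attackers bypass with encodings and $IFS tricks.
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_TARGET_RE = re.compile(rf"(?:{_IPV4}|{_LABEL}(?:\.{_LABEL})*)")


def validate_target(target: str) -> str:
    """Reject anything that is not exactly a host; return it unchanged if it is.

    fullmatch() rather than match() with '$': in Python '$' also matches just
    before a trailing newline, so a value ending in a newline would slip
    through a '^...$' check and reach the command with that byte attached.
    """
    if len(target) > 253 or not _TARGET_RE.fullmatch(target):
        raise ValueError(f"invalid target: {target!r}")
    return target


def is_valid_target(target: str) -> bool:
    """Boolean wrapper around validate_target for callers that branch on it."""
    try:
        validate_target(target)
    except ValueError:
        return False
    return True


def build_command_safe(target: str) -> list[str]:
    """Hardened pattern: validate, then build an argv list.

    A list is passed to execve() as separate arguments; no shell parses the
    value, so a metacharacter can at worst be a wrong hostname, never a second
    command. The allowlist also guarantees the value cannot start with '-',
    so ping cannot read it as an option.
    """
    return ["ping", "-c", "1", validate_target(target)]


def run_diagnostic(target: str) -> subprocess.CompletedProcess:
    # shell=False is the default; stated explicitly because it is the point.
    return subprocess.run(build_command_safe(target), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    attacker_value = "10.0.0.1; id"
    print("unsafe string:", build_command_unsafe(attacker_value))
    print("safe argv:    ", build_command_safe("10.0.0.1"))
    print("attacker value accepted by allowlist:", is_valid_target(attacker_value))
```

The argv form is only safe while it stays argv: wrapping it again in `sh -c`, or passing the validated value into a template that some other component hands to a shell, reintroduces the original flaw one hop later, which is why the allowlist and the no-shell call sit together rather than relying on either alone.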

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is reached through the public-facing REST API (T1190), but only with valid credentials; the injected input is then executed by a Unix shell (T1059.004) as root inside a restricted container.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability in the REST API of Cisco Catalyst Center could allow an authenticated, remote attacker to execute arbitrary commands in a restricted container as the root user. This vulnerability is due to insufficient validation of user-supplied input in REST API request parameters. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to inject arbitrary commands that would then be executed in a restricted container with root privileges. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer.

Deeper analysis

CVE-2025-20349 is a vulnerability in the REST API of Cisco Catalyst Center that stems from insufficient validation of user-supplied input in REST API request parameters. The flaw, classified under CWE-78 (OS Command Injection), lets an authenticated, remote attacker execute arbitrary commands inside a restricted container as the root user. It affects Cisco Catalyst Center deployments up to and including release 2.3.7.10 and was published on 2025-11-13 with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

An attacker exploits it by sending a crafted API request to an affected device using valid credentials for an account that holds at least the Observer role, the lowest role the advisory names, so any account able to authenticate to the API is sufficient. Successful exploitation runs attacker-controlled commands as root inside the restricted container. The CVSS vector's S:U (scope unchanged) and C:L/I:L/A:L values reflect that containment: the advisory describes no container escape, and the impact should be reassessed if one is later reported. Because credentials are a precondition, two checks belong alongside patching: an inventory of which accounts and integrations hold Observer or higher, and a review of API audit logs for request parameters carrying shell metacharacters from those accounts.

For mitigation details, including available patches and workarounds, refer to the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-dnac-ci-ZWLQVSwT.

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection")

Affected Products: Cisco Catalyst Center, versions ≤ 2.3.7.10
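Turning the affected range above into an inventory check is where a common mistake hides: release numbers with a two-digit final component sort wrongly as strings. The following is an added example, not part of the page or of any Cisco tooling; it implements only the "≤ 2.3.7.10" range the page lists, and the release numbers used as inputs are constructed. A version outside that range is reported as "not in the listed range", which is not a claim that the release carries the fix; the Cisco advisory is the authority on fixed releases.

```python
# Added version check for the affected range the page lists (Cisco Catalyst
# Center <= 2.3.7.10). Inputs below are constructed; the Cisco advisory is the
# authority on which release carries the fix.

LAST_AFFECTED = "2.3.7.10"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn "2.3.7.10" into (2, 3, 7, 10) so components compare numerically."""
    parts = version.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in parts)


def is_affected(installed: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the installed release falls inside the affected range."""
    return parse_version(installed) <= parse_version(last_affected)


def is_affected_naive(installed: str, last_affected: str = LAST_AFFECTED) -> bool:
    """The common mistake: comparing version strings lexicographically.

    "2.3.7.9" sorts after "2.3.7.10" character by character ('9' > '1'), so
    this reports an affected 2.3.7.9 deployment as clean. Kept only to show
    the failure mode; do not use.
    """
    return installed <= last_affected


if __name__ == "__main__":
    # Constructed inventory: hostname -> reported Catalyst Center release.
    inventory = {"dnac-prod-01": "2.3.7.9", "dnac-lab-01": "2.3.7.10",
                 "dnac-dr-01": "2.3.8.0"}
    for host, release in inventory.items():
        print(f"{host} {release}: affected={is_affected(release)} "
              f"naive_string_compare={is_affected_naive(release)}")
```

For a fleet, feed the value reported by each appliance rather than a CMDB field that may lag behind an upgrade; the numeric comparison is the easy part, the stale source of truth is what usually leaves an affected box unpatched.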

CVEs Like This One

CVE-2025-20184 (same vendor: Cisco)
CVE-2025-20138 (same vendor: Cisco)
CVE-2025-20265 (same vendor: Cisco)
CVE-2025-20124 (same vendor: Cisco)
CVE-2025-9377 (shared CWE-78)
CVE-2025-13943 (shared CWE-78)
CVE-2025-29534 (shared CWE-78)
CVE-2025-10265 (shared CWE-78)
CVE-2025-64091 (shared CWE-78)
CVE-2025-66178 (shared CWE-78)
