Cyber Resilience

CVE-2026-20155

High

Published: 01 April 2026

Modified: 03 April 2026
KEV Added: not listed
Patch: available (see the Cisco advisory below)
CVSS Score (v3.1): 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-20155 is a high-severity Missing Authorization (CWE-862) vulnerability in Cisco Evolved Programmable Network Manager (EPNM); the affected product is inferred from the references. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-20155 is a vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) that stems from improper authorization checks on a REST API endpoint, classified under CWE-862 (Missing Authorization). This flaw enables an authenticated, remote attacker with low privileges to access sensitive information they are not authorized to view. The vulnerability received a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on April 1, 2026.

An attacker with low-privilege access to the EPNM web interface can exploit this vulnerability by sending a query to the affected REST API endpoint. Successful exploitation allows the attacker to view session information for active Cisco EPNM users, including those with administrative privileges. This exposure could lead to full compromise of the affected device.
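To make the defect class concrete, here is an added example (not Cisco's code, and not the EPNM endpoint itself): a minimal in-memory session-listing handler that skips the authorization decision, beside a hardened version that enforces it and strips session identifiers from the response. The session table, user names and tokens are constructed for the example.

```python
# Added illustration of CWE-862 on a session-listing REST endpoint.
# Not Cisco's code; data and names below are constructed.
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    role: str        # "admin" or "operator"
    token: str       # session identifier; must never leave the server
    source_ip: str


# Constructed server-side table of active sessions.
ACTIVE_SESSIONS = [
    Session("admin1", "admin", "tok-a1", "10.0.0.5"),
    Session("ops1", "operator", "tok-o1", "10.0.0.9"),
    Session("ops2", "operator", "tok-o2", "10.0.0.12"),
]


def list_sessions_vulnerable(caller: Session) -> list[dict]:
    """Authenticated but never authorized: every logged-in user receives
    every active session, token included. This is the exposure the
    advisory describes (low-privilege user sees admin sessions)."""
    return [vars(s) for s in ACTIVE_SESSIONS]


def _redact(s: Session) -> dict:
    # Session identifiers are secrets; expose only audit-relevant fields.
    return {"user": s.user, "role": s.role, "source_ip": s.source_ip}


def list_sessions_hardened(caller: Session) -> list[dict]:
    """Explicit authorization decision at the endpoint (AC-3 / AC-24) and
    least privilege on the response itself (AC-6)."""
    if caller.role != "admin":
        # Non-admins may see only their own session, never anyone else's.
        return [_redact(s) for s in ACTIVE_SESSIONS if s.user == caller.user]
    return [_redact(s) for s in ACTIVE_SESSIONS]


def exposed_admin_tokens(handler, caller: Session) -> set[str]:
    """Audit helper: which admin session tokens does `caller` receive
    from `handler`? An empty set is the expected result."""
    admin_tokens = {s.token for s in ACTIVE_SESSIONS if s.role == "admin"}
    seen = {row.get("token") for row in handler(caller)}
    return admin_tokens & seen
```

Running `exposed_admin_tokens` against both handlers as an operator shows the vulnerable one leaking the admin token and the hardened one leaking nothing.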

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-epnm-improp-auth-mUwFWUU3 provides details on mitigation, including available patches and workarounds for affected EPNM versions.

EU & UK References

Vulnerability details

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker with low privileges to access sensitive information that they are not authorized to access. This vulnerability is due to improper authorization checks on a REST API endpoint of an affected device. An attacker could exploit this vulnerability by querying the affected endpoint. A successful exploit could allow the attacker to view session information of active Cisco EPNM users, including users with administrative privileges, which could result in the affected device being compromised.

CWE(s)

CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1550.004 Web Session Cookie (tactic: Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

Missing authorization on the REST API endpoint lets a low-privilege authenticated attacker read administrator session data, which directly facilitates privilege escalation through stolen web session material.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8547 (shared CWE-862)
CVE-2026-22172 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2026-0026 (shared CWE-862)
CVE-2025-48578 (shared CWE-862)
CVE-2025-48634 (shared CWE-862)
CVE-2026-28193 (shared CWE-862)
CVE-2026-0845 (shared CWE-862)
CVE-2025-49723 (shared CWE-862)
CVE-2024-12171 (shared CWE-862)

Affected Assets

Cisco Evolved Programmable Network Manager (EPNM)
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-3 (Access Enforcement) mandates enforcement of approved authorizations for logical access to information and system resources, directly addressing the improper authorization checks on the REST API endpoint.

Prevent: AC-24 (Access Control Decisions) requires explicit authorization decisions for access to system resources by defined personnel or roles, mitigating unauthorized access to sensitive user session information.

Prevent: AC-6 (Least Privilege) enforces least privilege, limiting a low-privilege attacker's ability to access or exploit administrative session data even if an authorization check fails.

References