CVE-2025-20342
A vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with low privileges to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid user credentials with privileges that allow for vKVM access on the affected device. Note: The affected vKVM client is also included in Cisco UCS Manager.
EPSS 0.04% · 14.0th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cisco | Cisco Unified Computing System (Managed) | *, *, * |
| Cisco | Cisco Unified Computing System (Standalone) | 4.1(1h), 3.1(3k), 4.1(2b) |
| Cisco | Cisco Unified Computing System E-Series Software (UCSE) | 2.3.5, 2.2.1, 2.4.0 |
Exploit Intelligence
- cisco-sa-ucs-kvmsxss-6h7AnUyk (circl)
Timeline
- Oct 10, 2024 CVE ID Reserved
- Aug 27, 2025 Coalition ESS Score
- Aug 27, 2025 CVE Published
- Aug 27, 2025 CVE Updated
- Aug 28, 2025 EPSS Score
- Sep 1, 2025 Coalition ESS Score
- Sep 5, 2025 EPSS Score
- Sep 13, 2025 EPSS Score
- Sep 20, 2025 EPSS Score
- Sep 28, 2025 EPSS Score
- Oct 3, 2025 Coalition ESS Score
- Oct 6, 2025 EPSS Score