Cisco Unified Computing System up to 4.3(4b) SSH communication channel to intended endpoints

Summaryinfo

A vulnerability was found in Cisco Unified Computing System. It has been classified as very critical. This issue affects some unknown processing of the component SSH. The manipulation leads to communication channel to intended endpoints. This vulnerability is listed as CVE-2025-20261. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in Cisco Unified Computing System. It has been rated as very critical. This issue affects an unknown code block of the component SSH. The manipulation with an unknown input leads to a communication channel to intended endpoints vulnerability. Using CWE to declare the problem leads to CWE-923. The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers could allow an authenticated, remote attacker to access internal services with elevated privileges. This vulnerability is due to insufficient restrictions on access to internal services. An attacker with a valid user account could exploit this vulnerability by using crafted syntax when connecting to the Cisco IMC of an affected device through SSH. A successful exploit could allow the attacker to access internal services with elevated privileges, which may allow unauthorized modifications to the system, including the possibility of creating new administrator accounts on the affected device.

It is possible to read the advisory at sec.cloudapps.cisco.com. The identification of this vulnerability is CVE-2025-20261 since 10/10/2024. The exploitation is known to be easy. The attack may be initiated remotely. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 06/08/2025).

The vulnerability scanner Nessus provides a plugin with the ID 237909 (Cisco Integrated Management Controller Privilege Escalation (cisco-sa-ucs-ssh-priv-esc-2mZDtdjM)), which helps to determine the existence of the flaw in a target environment.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (237909) and EUVD (EUVD-2025-16890). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Type

• Virtualization Software

Vendor

• Cisco

Name

• Unified Computing System

Version

• 3.2(1d)
• 3.2(2b)
• 3.2(2c)
• 3.2(2d)
• 3.2(2e)
• 3.2(2f)
• 3.2(3a)
• 3.2(3b)
• 3.2(3d)
• 3.2(3e)
• 3.2(3g)
• 3.2(3h)
• 3.2(3i)
• 3.2(3j)
• 3.2(3k)
• 3.2(3l)
• 3.2(3n)
• 3.2(3o)
• 3.2(3p)
• 4.0(1a)
• 4.0(1b)
• 4.0(1c)
• 4.0(1d)
• 4.0(2a)
• 4.0(2b)
• 4.0(2d)
• 4.0(2e)
• 4.0(4a)
• 4.0(4b)
• 4.0(4c)
• 4.0(4d)
• 4.0(4e)
• 4.0(4f)
• 4.0(4g)
• 4.0(4h)
• 4.0(4i)
• 4.0(4k)
• 4.0(4l)
• 4.0(4m)
• 4.0(4n)
• 4.0(4o)
• 4.1(1a)
• 4.1(1b)
• 4.1(1c)
• 4.1(1d)
• 4.1(1e)
• 4.1(2a)
• 4.1(2b)
• 4.1(2c)
• 4.1(3a)
• 4.1(3b)
• 4.1(3c)
• 4.1(3d)
• 4.1(3e)
• 4.1(3f)
• 4.1(3h)
• 4.1(3i)
• 4.1(3j)
• 4.1(3k)
• 4.1(3l)
• 4.1(3m)
• 4.1(3n)
• 4.1(4a)
• 4.2(1c)
• 4.2(1d)
• 4.2(1f)
• 4.2(1i)
• 4.2(1k)
• 4.2(1l)
• 4.2(1m)
• 4.2(1n)
• 4.2(2a)
• 4.2(2c)
• 4.2(2d)
• 4.2(2e)
• 4.2(3b)
• 4.2(3d)
• 4.2(3e)
• 4.2(3g)
• 4.2(3h)
• 4.2(3i)
• 4.2(3j)
• 4.3(2b)
• 4.3(2c)
• 4.3(2e)
• 4.3(2f)
• 4.3(3a)
• 4.3(3c)
• 4.3(4a)
• 4.3(4b)

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion