CVE-2025-20116

4.8 MEDIUM

📋 TL;DR

This stored XSS vulnerability in Cisco APIC's web UI allows authenticated administrators to inject malicious scripts that execute when other users view affected pages. Only systems running vulnerable Cisco APIC versions with administrative web UI access are affected.

💻 Affected Systems

Products:
  • Cisco Application Policy Infrastructure Controller (APIC)
Versions: Specific versions not detailed in advisory; check Cisco advisory for exact affected versions
Operating Systems: Cisco APIC OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative credentials to exploit; affects web UI component only

📦 What is this software?

Cisco APIC is the centralized policy and management controller for Cisco Application Centric Infrastructure (ACI) data center fabrics; its web UI is the main administrative interface to the fabric.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator credentials could be stolen, leading to full APIC compromise and potential network-wide control by attackers.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized administrative actions performed through the compromised administrator's session.

🟢 If Mitigated

Limited to administrative interface only, with no impact on data plane or network traffic if proper segmentation exists.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated administrative access; because the XSS is stored, the injected payload persists and executes for every user who views the affected page until it is removed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apic-multi-vulns-9ummtg5

Restart Required: Yes

Instructions:

1. Review the Cisco advisory for affected versions.
2. Download and apply the appropriate APIC software update.
3. Restart APIC services as required.
4. Verify web UI functionality post-update.

🔧 Temporary Workarounds

Restrict Administrative Access (applies to: all)

Limit web UI access to trusted administrative workstations only using network controls

Content Security Policy (applies to: all)

Implement CSP headers to restrict script execution in web UI

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate APIC management interfaces
  • Enforce multi-factor authentication for all administrative accounts

🔍 How to Verify

Check if Vulnerable:

Check APIC software version against Cisco advisory; review web UI for unexpected script content

Check Version:

show version

Verify Fix Applied:

Verify APIC version is updated to patched release; test web UI functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative web UI activity
  • Multiple failed login attempts followed by successful login
  • Unexpected script tags or JavaScript in web UI pages

Network Indicators:

  • Unusual traffic patterns to APIC web UI
  • Requests containing suspicious script payloads

SIEM Query:

source="apic" AND (event_type="web_ui_access" AND user="admin" AND (url_contains="script" OR payload_contains="javascript"))
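The query above is written in a generic SIEM pseudo-syntax. As an added example (not from this page or from Cisco), the script below runs that same logic over a handful of constructed log lines so the detection rule can be tested offline. The key="value" line format and the field names (source, event_type, user, url, payload) are assumptions chosen to mirror the query; they are not Cisco APIC's real log schema, and the sample URLs and payloads are constructed. The example goes one step beyond the page's query: a literal reading only checks the URL for "script" and the payload for "javascript", so a stored `<script>` tag submitted in a request body would be missed, and the extended matcher adds that check.

```python
"""Added example (not from the page or from Cisco): evaluates the page's SIEM
query over constructed log lines. Log format and field names are assumptions."""
import re
from typing import Callable, Dict, List

# Constructed sample lines, not real APIC logs. Index 1 carries a script tag in
# the submitted payload; index 3 has a benign URL that merely contains "script".
SAMPLE_LOGS: List[str] = [
    'source="apic" event_type="web_ui_access" user="admin" url="/api/node/mo/uni/tn-prod.json" payload=""',
    'source="apic" event_type="web_ui_access" user="admin" url="/api/node/mo/uni.json" payload="{\\"descr\\":\\"<script>/* constructed */</script>\\"}"',
    'source="apic" event_type="web_ui_access" user="netops" url="/api/class/fvTenant.json" payload=""',
    'source="apic" event_type="web_ui_access" user="admin" url="/ui/app/script-editor" payload=""',
    'source="other" event_type="web_ui_access" user="admin" url="/status" payload="javascript:void(0)"',
]

# key="value" pairs; a value may contain backslash-escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one key="value" line into a dict, unescaping \\" inside values."""
    return {k: v.replace('\\"', '"') for k, v in KV_RE.findall(line)}


def is_admin_web_access(rec: Dict[str, str], admin_users=frozenset({"admin"})) -> bool:
    """The fixed part of the page's query: APIC source, web UI event, admin user.
    admin_users is a parameter so that all administrative-role accounts can be
    listed, not only the literal "admin" login the page's query names."""
    return (rec.get("source") == "apic"
            and rec.get("event_type") == "web_ui_access"
            and rec.get("user") in admin_users)


def matches_page_query(rec: Dict[str, str]) -> bool:
    """Literal reading of the page's query:
    url_contains="script" OR payload_contains="javascript" (case-insensitive)."""
    url = rec.get("url", "").lower()
    payload = rec.get("payload", "").lower()
    return is_admin_web_access(rec) and ("script" in url or "javascript" in payload)


def matches_extended_query(rec: Dict[str, str]) -> bool:
    """Page query plus a check for a script tag in the submitted payload, which
    is where a stored XSS payload is written and which the literal query misses."""
    payload = rec.get("payload", "").lower()
    return matches_page_query(rec) or (is_admin_web_access(rec) and "<script" in payload)


def find_matches(lines: List[str], matcher: Callable[[Dict[str, str]], bool]) -> List[int]:
    """Return the indices of the lines the matcher flags."""
    return [i for i, line in enumerate(lines) if matcher(parse_record(line))]


if __name__ == "__main__":
    for name, matcher in (("page query", matches_page_query),
                          ("extended query", matches_extended_query)):
        print(f"{name}: {find_matches(SAMPLE_LOGS, matcher)}")
```

Run against the constructed lines, the literal query flags only index 3 (a benign URL that happens to contain "script"), while the extended matcher also flags index 1, the request whose payload carries a script tag. The substring match on the URL is therefore both noisy and incomplete; in a real deployment the rule should be tuned to the APIC's actual log fields and to the full set of administrative accounts rather than the single "admin" user.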
