CVE-2025-20326

4.3 MEDIUM

📋 TL;DR

This CSRF vulnerability in Cisco Unified Communications Manager allows unauthenticated remote attackers to trick authenticated users into performing unauthorized actions via malicious links. Affected systems include Cisco Unified CM and Session Management Edition software with vulnerable web interfaces.

💻 Affected Systems

Products:
  • Cisco Unified Communications Manager
  • Cisco Unified CM Session Management Edition
Versions: Specific versions not provided in CVE description; check Cisco advisory for details
Operating Systems: Cisco Unified CM OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the web-based management interface; systems with the interface disabled or properly firewalled are less exposed

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full administrative control over Unified CM system, enabling configuration changes, service disruption, or data exfiltration.

🟠

Likely Case

Attacker modifies user settings, call routing configurations, or service parameters leading to service degradation.

🟢

If Mitigated

Limited impact due to proper CSRF protections, network segmentation, and user awareness training.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to trick authenticated user; no authentication bypass needed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-csrf-w762pRYd

Restart Required: No

Instructions:

1. Review Cisco advisory for affected versions
2. Download and apply appropriate patch
3. Verify patch installation
4. Test management interface functionality

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Add CSRF protection tokens to web interface forms

Configuration specific to Cisco Unified CM; consult documentation

Restrict Management Interface Access

Applies to: all

Limit web interface access to trusted networks only

Configure firewall rules to restrict access to management IP/ports

🧯 If You Can't Patch

  • Implement network segmentation to isolate management interfaces
  • Enforce strict user session management and timeouts

🔍 How to Verify

Check if Vulnerable:

Check Cisco Unified CM version against advisory; test web interface for CSRF protections

Check Version:

show version active

Verify Fix Applied:

Verify patch version installed; test CSRF protection mechanisms

📡 Detection & Monitoring

Log Indicators:

  • Unexpected configuration changes
  • Multiple failed authentication attempts followed by successful changes

Network Indicators:

  • Unusual HTTP POST requests to management interface from unexpected sources

SIEM Query:

source="unified-cm" AND (action="config_change" OR http_method="POST") AND user_agent CONTAINS suspicious
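To make the network indicator above concrete, here is an added example, not Cisco tooling and not part of this advisory, that scans web-server access log lines in combined format for state-changing requests to the management web applications and flags those whose Referer points at a foreign origin, is missing, or which arrive from outside the management network. The management hostname, the trusted subnet, the log lines and the path prefixes are constructed assumptions for the example.

```python
"""Flag suspicious state-changing requests to the Unified CM web management interface
(added example with constructed log data; not Cisco code)."""
import ipaddress
import re
from urllib.parse import urlparse

# Assumptions, constructed for this example; adjust to the environment.
MGMT_ORIGIN = "https://cucm-admin.example.internal"       # hostname admins browse to
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]    # management VLAN
MGMT_PATH_PREFIXES = ("/ccmadmin/", "/cuadmin/")         # admin web apps (assumed paths)
STATE_CHANGING = {"POST", "PUT", "DELETE"}

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one benign admin edit, one edit submitted from a foreign page,
# one harmless GET from outside, and one edit with no Referer from outside the VLAN.
SAMPLE_LOG = """\
10.20.0.5 - admin [12/Jan/2025:10:00:01 +0000] "POST /ccmadmin/userEdit.do HTTP/1.1" 200 512 "https://cucm-admin.example.internal/ccmadmin/userFind.do" "Mozilla/5.0"
10.20.0.7 - admin [12/Jan/2025:10:02:13 +0000] "POST /ccmadmin/routePatternEdit.do HTTP/1.1" 200 480 "https://intranet-wiki.example.internal/page" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2025:10:03:40 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - helpdesk [12/Jan/2025:10:04:02 +0000] "POST /ccmadmin/serviceParamEdit.do HTTP/1.1" 200 611 "-" "Mozilla/5.0"
"""


def referer_origin(referer: str):
    """scheme://host of the Referer, or None when the header was absent ("-" or empty)."""
    if not referer or referer == "-":
        return None
    parsed = urlparse(referer)
    return f"{parsed.scheme}://{parsed.netloc}" if parsed.netloc else None


def analyze(log_text: str, mgmt_origin: str = MGMT_ORIGIN, trusted_nets=TRUSTED_NETS):
    """Return one finding per state-changing management request that looks cross-site
    or comes from an unexpected source. Each finding lists every reason that fired."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        r = m.groupdict()
        if r["method"] not in STATE_CHANGING or not r["path"].startswith(MGMT_PATH_PREFIXES):
            continue  # only state-changing requests to the admin apps matter for CSRF

        reasons = []
        origin = referer_origin(r["referer"])
        if origin is None:
            reasons.append("missing referer")
        elif origin != mgmt_origin:
            reasons.append(f"referer from foreign origin {origin}")

        src = ipaddress.ip_address(r["ip"])
        if not any(src in net for net in trusted_nets):
            reasons.append("source outside management network")

        if reasons:
            findings.append({"ip": r["ip"], "user": r["user"], "path": r["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:>14} {f['user']:<10} {f['path']:<40} {'; '.join(f['reasons'])}")
```

The foreign-origin Referer is the signal that actually corresponds to CSRF: a victim's browser sits inside the management network, so the source-address check alone would pass it. A missing Referer is weaker evidence, since privacy policies can strip the header, so it is best scored rather than alerted on by itself.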
