CVE-2026-20075
📋 TL;DR
This stored XSS vulnerability in Cisco EPNM and Prime Infrastructure allows authenticated administrators to inject malicious scripts into the web interface. When other users view the compromised interface, the scripts execute in their browser context, potentially stealing session cookies or performing unauthorized actions. Only systems with these specific Cisco network management products are affected.
💻 Affected Systems
- Cisco Evolved Programmable Network Manager (EPNM)
- Cisco Prime Infrastructure
📦 What is this software?
Evolved Programmable Network Manager by Cisco
⚠️ Risk & Real-World Impact
Worst Case
An attacker with administrative credentials could inject persistent malicious scripts that steal session cookies from all users, leading to complete account takeover and potential network compromise.
Likely Case
Attackers with valid admin credentials could steal session cookies or perform limited unauthorized actions through the web interface.
If Mitigated
With proper input validation and output encoding, the vulnerability is prevented entirely.
🎯 Exploit Status
Exploitation requires valid administrative credentials. Attack is stored/persistent XSS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Cisco advisory for specific fixed versions
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-epnm-pi-stored-xss-GEkX8yWK
Restart Required: Yes
Instructions:
1. Review Cisco advisory for affected versions.
2. Download and apply the appropriate patch from Cisco.
3. Restart the affected services or appliance.
4. Verify the fix by testing the previously vulnerable input fields.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation and output encoding for user-supplied data in the web interface
Restrict Administrative Access
Limit administrative access to trusted IP addresses and users only
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution
- Monitor and audit administrative user activities and input fields for suspicious content
🔍 How to Verify
Check if Vulnerable:
Check whether your Cisco EPNM or Prime Infrastructure version matches the affected versions listed in the Cisco advisory
Check Version:
Check the web interface admin panel or use the CLI command specific to each product
Verify Fix Applied:
After patching, test the previously vulnerable input fields with safe test payloads to ensure proper sanitization
📡 Detection & Monitoring
Log Indicators:
- Unusual administrative login patterns
- Suspicious input in web interface fields containing script tags or JavaScript
Network Indicators:
- Unexpected outbound connections from management interface
- Suspicious HTTP requests containing script payloads
SIEM Query:
Search for web logs containing script tags, javascript:, or eval() in POST parameters to management interface URLs
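The search described above, written as a log scanner that decodes POST parameters before matching. This is an added example, not code from this page or from Cisco; the log layout, the `/example/settings` path and the field names are assumptions made for illustration, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Indicators named in the SIEM guidance: script tags, javascript:, eval()
PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
}
# Assumed layout: <timestamp> <src_ip> <user> <method> <path> <urlencoded body>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")

def fully_decode(value, max_rounds=3):
    """Apply URL decoding a few more times so nested encoding is still matched."""
    for _ in range(max_rounds):
        value = unquote_plus(value)
    return value

def scan_line(line):
    """Return (parameter, indicator) hits for one POST log line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(4).upper() != "POST":
        return []
    hits = []
    for name, raw in parse_qsl(m.group(6), keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl has already decoded once
        hits += [(name, label) for label, rx in PATTERNS.items() if rx.search(value)]
    return hits

def scan_log(lines):
    """Return one alert per suspicious line, with who submitted it and from where."""
    alerts = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            ts, src, user = line.split()[:3]
            alerts.append({"time": ts, "src": src, "user": user, "hits": hits})
    return alerts

# Constructed sample lines (documentation IPs, hypothetical path and field names)
SAMPLE_LOG = [
    "2026-01-01T10:00:00Z 192.0.2.10 admin1 POST /example/settings name=Core+Switch&desc=rack+4",
    "2026-01-01T10:05:00Z 192.0.2.10 admin1 POST /example/settings name=x&desc=%3CScRiPt%3Eprobe%3C%2Fscript%3E",
    "2026-01-01T10:06:00Z 192.0.2.11 admin2 POST /example/settings link=javascript%253Avoid(0)",
    "2026-01-01T10:07:00Z 192.0.2.11 admin2 GET /example/settings",
]

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```

Matching on decoded values matters here because a plain substring search over raw logs misses mixed-case and percent-encoded input; each alert keeps the submitting account and source address so it can be correlated with the administrative login review listed under Log Indicators.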