CVE-2025-20161

MEDIUM EPSS 37.0%

Published Feb 26, 20251y ago · Modified Jun 17, 20261w ago

5.1 CVSS 3.1

Medium

Published Feb 26, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability in the software upgrade process of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, local attacker with valid Administrator credentials to execute a command injection attack on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of specific elements within a software image. An attacker could exploit this vulnerability by installing a crafted image. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges.  Note: Administrators should validate the hash of any software image before installation.

CVSS Details

Base Score

5.1

Exploitability

0.8

Impact

4.2

Vector string

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

Attack Vector Local

Attack Complexity Low

Privileges Required High

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

37.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

References 1

sec.cloudapps.cisco.com https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ici-dpOjbWxk

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.