CVE-2025-20341
Published: 13 November 2025
Description
A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to perform unauthorized modifications to the system, including creating new user accounts or elevating their own privileges on an affected system. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer.
Mitigating Controls (NIST 800-53 r5) (AI)
Directly addresses the root cause by requiring validation of user-supplied input in crafted HTTP requests to prevent malicious processing.
Enforces approved access control policies to block unauthorized privilege escalations and system modifications despite Observer credentials.
Applies least privilege to Observer role accounts, limiting the scope of potential damage from exploitation even if input validation fails.
Security Summary (AI)
CVE-2025-20341 is a privilege escalation vulnerability in the Cisco Catalyst Center Virtual Appliance, stemming from insufficient validation of user-supplied input. Published on 2025-11-13, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-284 (Improper Access Control). An authenticated, remote attacker could exploit this flaw to gain Administrator privileges on the affected system.
To exploit the vulnerability, an attacker requires valid credentials for a user account with at least the Observer role. By submitting a crafted HTTP request to the affected system, the attacker can perform unauthorized modifications, including creating new user accounts or elevating their own privileges to Administrator level.
The Cisco Security Advisory provides details on this vulnerability, including affected versions and mitigation recommendations, available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-priv-esc-VS8EeCuX.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability enables privilege escalation from Observer to Administrator via crafted HTTP requests (T1068) and facilitates unauthorized account creation (T1136).