Detections
Analytics

Cisco Evolved Programmable Network Manager SQLi (cisco-sa-piepnm-bsi-25JJqsbb)

medium Nessus Plugin ID 242328

Language:

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

The version of Cisco Evolved Programmable Network Manager installed on the remote host is affected by a vulnerability.
A vulnerability in a subset of REST APIs of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, low-privileged, remote attacker to conduct a blind SQL injection attack. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to an affected API. A successful exploit could allow the attacker to view data in some database tables on an affected device.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to 3.10.6 Security Update 02 or later

See Also

http://www.nessus.org/u?02367a4f

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo76427

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo97314

Plugin Details

Severity: Medium

ID: 242328

File Name: cisco-sa-piepnm-bsi-25JJqsbb_epnm.nasl

Version: 1.1

Type: remote

Family: CISCO

Published: 7/18/2025

Updated: 7/18/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2025-20272

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

CPE: cpe:/a:cisco:evolved_programmable_network_manager

Required KB Items: installed_sw/Cisco EPN Manager

Patch Publication Date: 7/16/2025

Vulnerability Publication Date: 7/16/2025

Reference Information

CVE: CVE-2025-20272

CISCO-SA: cisco-sa-piepnm-bsi-25JJqsbb

IAVA: 2025-A-0532

CISCO-BUG-ID: CSCwo76427, CSCwo97314