VYPR
Medium severity (CVSS 5.4) · NVD Advisory · Published Aug 27, 2025 · Updated Apr 15, 2026

CVE-2025-20296

Description

A vulnerability in the web-based management interface of Cisco UCS Manager Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface.

This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious data into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must be a member of the Administrator or AAA Administrator role.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco UCS Manager Software contains a stored XSS vulnerability due to insufficient input validation, requiring Administrator or AAA Administrator role for exploitation.

Vulnerability

Analysis

Cisco UCS Manager Software's web-based management interface is susceptible to a stored cross-site scripting (XSS) vulnerability. The root cause is insufficient validation of user-supplied input, allowing malicious data to be stored and later executed in the context of the interface [1].
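The root cause named above, stored input rendered without encoding, is easiest to see side by side with the standard defence. The following is an added example written for this page, not Cisco code and not UCS Manager's data model: it uses a hypothetical "description" field as the stored value, renders it once as a vulnerable concatenation and once with HTML output encoding, and parses both results to show which tags the browser would actually see.

```python
import html
from html.parser import HTMLParser

# Constructed sample of a stored, user-supplied field as an administrative
# interface might persist it. The field name and the benign script body are
# assumptions for illustration, not content from the advisory.
STORED_DESCRIPTION = 'Rack 1 <script>document.title="x"</script>'


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: the stored text is concatenated into HTML as-is,
    so any markup it carries becomes live page content when another user
    views it. This is the 'insufficient validation' shape the advisory names."""
    return f"<td class='description'>{value}</td>"


def render_safe(value: str) -> str:
    """Hardened pattern: encode at the output boundary so the stored text is
    displayed literally. quote=True also encodes quotes, which matters if the
    same value is ever placed inside an attribute rather than element text."""
    return f"<td class='description'>{html.escape(value, quote=True)}</td>"


class _TagCollector(HTMLParser):
    """Collects start-tag names in document order, i.e. what a browser would
    treat as elements in the rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def rendered_tags(fragment: str) -> list[str]:
    """Review helper: list the element tags present in a rendered fragment.
    A stored value that contributes tags of its own is a stored-XSS sink."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def stored_value_injects_markup(render, value: str) -> bool:
    """True when rendering `value` through `render` yields more elements than
    the template itself contributes (here: the single <td>)."""
    return len(rendered_tags(render(value))) > 1


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(f"{name:6s} tags={rendered_tags(fn(STORED_DESCRIPTION))} "
              f"injects={stored_value_injects_markup(fn, STORED_DESCRIPTION)}")
```

Encoding at render time is the check that matters: validating on input alone is brittle because the same stored value may later be emitted into HTML text, attributes, or JavaScript, each needing its own encoding. A Content-Security-Policy that disallows inline script and an HttpOnly flag on the session cookie reduce what a stored-XSS bug like this one can reach, but they do not replace output encoding.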

Exploitation

Prerequisites

An attacker must be authenticated with Administrator or AAA Administrator role privileges. The attacker injects malicious script code into specific pages of the interface. No user interaction is required beyond the victim accessing the affected page [1].

Impact

Successful exploitation enables arbitrary script execution in the context of the victim's browser session. This could give the attacker access to sensitive browser-based information, such as session tokens or cookies, potentially compromising the affected system [1].

Mitigation

Cisco has released software updates to address this vulnerability. Users should upgrade to Cisco UCS Software releases 4.2(3p) or 4.3(6a) as appropriate. Releases 6.0 and later are unaffected. No workarounds are available [1].
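Checking a fleet against the fixed releases above is error-prone if UCS release strings such as 4.2(3p) are compared lexicographically. The following is an added example, not a Cisco tool: it parses the release format into comparable components and classifies a release using only the fixed versions and the 6.0 cut-off stated in this advisory. Assumptions are labelled in the code: the patch letter is assumed to sort alphabetically within a maintenance release, and trains the advisory does not name (for example 4.1 or 4.0) are reported as "unknown" rather than guessed.

```python
import re

# Fixed releases as stated in the advisory, keyed by release train.
FIXED_RELEASES = {
    (4, 2): (4, 2, 3, "p"),   # 4.2(3p)
    (4, 3): (4, 3, 6, "a"),   # 4.3(6a)
}
# Advisory states that 6.0 and later are unaffected.
UNAFFECTED_FROM = (6, 0)

_RELEASE_RE = re.compile(r"(\d+)\.(\d+)\((\d+)([a-z]*)\)")


def parse_ucs_release(release: str) -> tuple[int, int, int, str]:
    """Turn 'MAJOR.MINOR(MAINT[letter])' into a tuple that compares numerically.
    Assumption: the trailing letter orders alphabetically within a maintenance
    release (3c before 3p), which is how Cisco's sequence reads."""
    m = _RELEASE_RE.fullmatch(release.strip())
    if not m:
        raise ValueError(f"unrecognised UCS release string: {release!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def release_status(release: str) -> str:
    """Classify one release relative to this advisory:
    'unaffected'    6.0 or later
    'fixed'         at or above the fixed release of its train
    'needs-upgrade' below the fixed release of a named train
    'unknown'       a train the advisory does not list"""
    parsed = parse_ucs_release(release)
    train = parsed[:2]
    if train >= UNAFFECTED_FROM:
        return "unaffected"
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        return "unknown"
    return "fixed" if parsed >= fixed else "needs-upgrade"


def triage(releases: list[str]) -> dict[str, list[str]]:
    """Group an inventory of release strings by status for a remediation list."""
    out: dict[str, list[str]] = {}
    for r in releases:
        out.setdefault(release_status(r), []).append(r)
    return out


if __name__ == "__main__":
    # Constructed inventory for illustration.
    for status, items in triage(["4.2(3c)", "4.2(3p)", "4.3(5b)", "4.3(6a)",
                                 "6.0(1a)", "4.1(3k)"]).items():
        print(f"{status:13s} {items}")
```

The "unknown" bucket is deliberate: a checker should not silently treat a train the advisory does not mention as safe or unsafe, and those hosts belong on a list for manual confirmation against the vendor's advisory.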

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.