VYPR
Medium severity 4.8 · NVD Advisory · Published Oct 1, 2025 · Updated Apr 15, 2026

CVE-2025-20361

Description

A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface.

This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in Cisco Unified CM allows authenticated admins to inject malicious scripts, leading to arbitrary script execution in the context of the interface or access to sensitive browser-based information.

Vulnerability Overview

A stored cross-site scripting (XSS) vulnerability exists in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) due to improper validation of user-supplied input [1].

Exploitation Conditions

An authenticated remote attacker with valid administrative credentials can exploit this vulnerability by injecting malicious code into specific pages of the interface [1]. No other privileges or user interaction are required beyond the administrative access.

Impact

Successful exploitation allows the attacker to execute arbitrary script code in the context of the affected interface or access sensitive browser-based information [1]. This could lead to further compromise of the system or exposure of confidential data.

Mitigation

Cisco has released software updates to address this vulnerability. No workarounds are available [1]. Administrators are advised to apply the fixed software as indicated in the advisory.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

References: 1
