CVE-2025-20317

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

A

vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to redirect a user to a malicious website. This vulnerability is due to insufficient verification of vKVM endpoints. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious webpage and potentially capture user credentials. Note: The affected vKVM client is also included in Cisco UCS Manager.

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-vkvmorv-CnKrV7HK

Configurations

No configuration.

History

29 Aug 2025, 16:24

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-27 17:15

Updated : 2025-08-29 16:24

NVD link : CVE-2025-20317

Mitre link : CVE-2025-20317

CVE.ORG link : CVE-2025-20317

JSON object : View

Products Affected

No product.

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2025-20317", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2025-08-27T17:15:36.140", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucs-vkvmorv-CnKrV7HK", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to redirect a user to a malicious website.\r\n\r\nThis vulnerability is due to insufficient verification of vKVM endpoints. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious webpage and potentially capture user credentials.\r\nNote: The affected vKVM client is also included in Cisco UCS Manager."}, {"lang": "es", "value": "Una vulnerabilidad en la gesti\u00f3n de la conexi\u00f3n de Virtual Keyboard Video Monitor (vKVM) de Cisco Integrated Management Controller (IMC) podr\u00eda permitir que un atacante remoto no autenticado redirija a un usuario a un sitio web malicioso. Esta vulnerabilidad se debe a una verificaci\u00f3n insuficiente de los endpoints vKVM. Un atacante podr\u00eda explotar esta vulnerabilidad persuadiendo al usuario a hacer clic en un enlace manipulado. Una explotaci\u00f3n exitosa podr\u00eda permitirle redirigir a un usuario a una p\u00e1gina web maliciosa y, potencialmente, obtener sus credenciales. Nota: El cliente vKVM afectado tambi\u00e9n est\u00e1 incluido en Cisco UCS Manager."}], "lastModified": "2025-08-29T16:24:09.860", "sourceIdentifier": "[email protected]"}