Critical Security Flaw in Cisco UCS Manager Allows Malicious Command Injection

Cisco has issued a new security advisory disclosing multiple medium-severity vulnerabilities in its Unified Computing System (UCS) Manager Software.

The flaws, identified as CVE-2025-20294 and CVE-2025-20295, affect devices running UCS Manager on several Fabric Interconnect platforms.

Both vulnerabilities stem from insufficient validation of command arguments, which lets an attacker who already holds administrative access inject commands and ultimately execute them on the underlying operating system.

Cisco has released software updates to resolve the issues and confirmed that no workarounds are available.

Details of the Vulnerabilities

The first of the two flaws, CVE-2025-20294, carries a CVSS base score of 6.5. It impacts both the command-line interface and the web-based management interface of UCS Manager.

An attacker who already has authenticated administrative privileges could exploit this weakness by submitting specially crafted input to the affected commands. Successful exploitation would allow the attacker to execute arbitrary commands with root-level privileges.

In practice, this could give the adversary complete control over the affected fabric interconnect, permitting system-level manipulation that extends beyond routine administration.

The second flaw, CVE-2025-20295, has a CVSS base score of 6.0 and primarily targets the local CLI of UCS Manager.

This issue enables a local attacker with administrative credentials to read, create, or overwrite files on the system, including critical system files. Such access could undermine the integrity and stability of the operating system, offering a pathway for persistence or destructive actions.

Affected Systems and Fixes

Cisco has confirmed that the vulnerabilities affect UCS Manager deployments running on the UCS 6300, UCS 6400, UCS 6500, and the UCS X-Series Direct Fabric Interconnect 9108 100G models.

Other Cisco products, including the Firepower security appliances, MDS multilayer switches, and Nexus platforms, are explicitly confirmed as not affected. The company has provided fixed software releases for UCS Manager users.

For customers on version 4.2, the problem has been addressed in release 4.2(3p). Users of version 4.3 are protected starting with release 4.3(6c).

The newest version, release 6.0, is not vulnerable to these flaws. However, those operating on version 4.1 and earlier must migrate to supported releases, as no patches are being made available for those older editions. Cisco stresses that upgrading to a fixed release is the only available mitigation pathway.
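As an added example (not Cisco's code and not part of the advisory), the Python helper below parses the UCS Manager version format used above, such as 4.3(6c), and classifies each fabric interconnect in an inventory against the fixed releases listed; the hostnames and version strings in the sample inventory are constructed, and the helper assumes patch letters sort alphabetically within a maintenance release.

```python
import re
from typing import Optional, Tuple

# Fixed releases from the advisory: a build at or above these, within the
# same release train, carries the fix for CVE-2025-20294 / CVE-2025-20295.
# Release 6.0 is not affected; 4.1 and earlier receive no patch.
FIXED_RELEASES = {
    (4, 2): (3, "p"),   # 4.2(3p)
    (4, 3): (6, "c"),   # 4.3(6c)
}
NOT_AFFECTED_TRAINS = {(6, 0)}

# UCS Manager versions look like MAJOR.MINOR(MAINTENANCE + patch letter).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]*)\)$")


def parse_ucs_version(version: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse '4.3(6c)' into (4, 3, 6, 'c'); return None if malformed."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, maint, letter = m.groups()
    return int(major), int(minor), int(maint), letter


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'migrate', 'not_affected' or 'unknown'
    (unparseable input or a train the advisory does not describe)."""
    parsed = parse_ucs_version(version)
    if parsed is None:
        return "unknown"
    major, minor, maint, letter = parsed
    train = (major, minor)
    if train in NOT_AFFECTED_TRAINS:
        return "not_affected"
    if train in FIXED_RELEASES:
        # Compare the maintenance number first, then the patch letter
        # (assumption: letters increase alphabetically within a release).
        return "fixed" if (maint, letter) >= FIXED_RELEASES[train] else "vulnerable"
    if train <= (4, 1):
        return "migrate"  # no patch for 4.1 and earlier: move to a fixed train
    return "unknown"      # e.g. a 5.x train, which the advisory does not cover


def audit(inventory: dict) -> dict:
    """Map each fabric interconnect name to its patch status."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"fi-a": "4.2(3p)", "fi-b": "4.2(3d)", "fi-c": "4.3(5b)",
              "fi-d": "4.1(3k)", "fi-e": "6.0(1a)"}
    for name, status in audit(sample).items():
        print(f"{name}: {sample[name]} -> {status}")
```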

Broader Security Implications

Although classified as medium in Cisco’s security impact rating, these vulnerabilities are concerning because they affect mission-critical data center infrastructure.

The UCS Manager is responsible for orchestrating the compute fabric across enterprise environments, and exploitation could lead to a complete administrative takeover if privileged accounts are compromised.

While Cisco’s Product Security Incident Response Team has found no evidence of public exploits or active attacks, the company urges customers to upgrade immediately to prevent any potential insider abuse or malicious escalation.

These issues underscore the ongoing importance of treating management software as a high-value target and patching core infrastructure platforms promptly.
