Vulnerabilidade de Escalada de Privilégios no Cisco Catalyst Center

Successful exploitation of CVE-2025-20346 allows an attacker to bypass role-based access controls (RBAC) and modify policy configurations intended only for administrators. This could lead to significant disruptions in network management, unauthorized policy enforcement, and potential compromise of network devices managed by Cisco DNA Center. The attacker's ability to alter critical configurations without proper authorization represents a serious security risk, potentially enabling them to manipulate network behavior and gain further access.

Organizations heavily reliant on Cisco DNA Center for network management and automation are particularly at risk. Environments with a large number of read-only users or those with relaxed access control policies are also more vulnerable. Shared hosting environments utilizing Cisco DNA Center should be carefully assessed and secured.

• linux / server:

journalctl -u cisco-dna-center | grep -i "role-based access control"

• generic web:

curl -I <dna_center_ip>/api/policy/configurations | grep -i "administrator privileges"

1. 2025-11-13Disclosure

   disclosure

1. Reservado2024-10-10
2. Publicada2025-11-13
3. Modificada2026-02-26
4. EPSS atualizado2026-03-23

The primary mitigation for CVE-2025-20346 is to upgrade Cisco DNA Center to a patched version as soon as it becomes available. Until a patch is applied, consider implementing stricter access controls to limit the scope of actions that read-only users can perform. Review existing policy configurations and monitor for any unauthorized modifications. While a direct WAF rule is unlikely to prevent this, segmenting network access to DNA Center can reduce the attack surface. After upgrade, confirm by verifying that users with read-only credentials can no longer modify administrator-reserved policy configurations.