Cisco disclosed a high-severity open redirect vulnerability in the Virtual Keyboard Video Monitor (vKVM) component of its Integrated Management Controller (IMC).
Tracked as CVE-2025-20317 with a CVSS 3.1 base score of 7.1, the vulnerability could enable an unauthenticated remote attacker to redirect administrators or users of affected devices to malicious websites, potentially capturing credentials through phishing or other social-engineering methods.
The vulnerability stems from insufficient endpoint verification in the vKVM connection handling code. When a user clicks a specially crafted link, the vKVM client fails to properly validate the redirection target, allowing an attacker to point the user to an arbitrary URL.
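The defensive control the article describes is missing, validation of the redirection target before the client follows it, is illustrated below. This is an added example, not Cisco's vKVM code and not derived from the advisory; the appliance hostname `imc.example.internal` and the function name `safe_redirect_target` are made up for illustration. It accepts only same-origin targets (an absolute path, or an https URL whose hostname exactly matches the appliance's own host) and falls back to a fixed default for everything else, including the scheme-relative and backslash forms that browsers treat as a different host:

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(candidate: str, own_host: str, default: str = "/") -> str:
    """Return a redirect target that stays on own_host, else `default`.

    Accepted forms:
      * a relative target that is an absolute path ("/kvm/session?id=1")
      * an https URL whose hostname is exactly own_host, with no userinfo
    Anything else (other hosts, other schemes, "//host", userinfo tricks,
    control characters) is replaced by `default`.
    """
    own_host = own_host.lower()
    if not candidate or any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default

    # Browsers treat a backslash like a forward slash, so "/\host" behaves as
    # "//host". Normalise first so the parser sees what the browser will see.
    text = candidate.replace("\\", "/")
    parts = urlsplit(text)

    # Relative target: netloc is empty only when the text does not start with
    # "//", so a leading single slash is an absolute path on our own origin.
    if parts.scheme == "" and parts.netloc == "":
        if text.startswith("/"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return default

    # Absolute target: https only, exact hostname match, no user:pass@ prefix.
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return default
    if (
        parts.scheme == "https"
        and parts.hostname == own_host
        and parts.username is None
        and parts.password is None
    ):
        netloc = own_host if port is None else f"{own_host}:{port}"
        return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))
    return default


if __name__ == "__main__":
    # Constructed inputs of the kind a redirect parameter might carry.
    for target in [
        "/kvm/session?id=1",
        "https://imc.example.internal/kvm",
        "//evil.example/login",
        "/\\evil.example",
        "https://imc.example.internal@evil.example/",
        "https://imc.example.internal.evil.example/",
        "http://imc.example.internal/",
    ]:
        print(f"{target!r:48} -> {safe_redirect_target(target, 'imc.example.internal')!r}")
```

The comparison is against a single known host rather than a suffix or substring match; matching on "contains our hostname" or "starts with our hostname" is exactly the kind of check the userinfo and subdomain cases above defeat.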
Because the IMC UI is often used for sensitive system management tasks, compromise of IMC credentials could lead to broader compromise of Cisco UCS infrastructure.
Notably, the affected vKVM client is shared across both Cisco IMC and UCS Manager, widening the scope of devices at risk.
Affected Products
Any Cisco product exposing the IMC UI with a vulnerable vKVM release is impacted. Key affected platforms include:
- UCS B-Series Blade Servers and X-Series Modular Systems.
- UCS C-Series M6, M7, M8, and E-Series M6 Rack and Edge Servers.
- Catalyst 8300 Series Edge uCPE.
- Cisco appliances built on preconfigured C-Series servers, such as APIC, DNA Center, HyperFlex, Nexus Dashboard, Secure Endpoint Private Cloud, Secure Firewall Management Center, and several others.
Cisco has enumerated dozens of appliance families in its advisory. Only devices running fixed IMC firmware or UCS Manager software versions are safe; earlier releases remain vulnerable.
Cisco reports that there are no workarounds available to mitigate CVE-2025-20317. Administrators must apply the security fixes released in free software updates.
Affected customers with valid service contracts should download patched firmware via the Cisco Support and Downloads portal. Those without active contracts may contact Cisco TAC, referencing Advisory ID cisco-sa-ucs-vkvmorv-CnKrV7HK, to obtain critical fixes at no additional cost.
Fixed Releases
The advisory provides comprehensive tables detailing fixed firmware and software releases for each product line. Highlights include:
- Cisco UCS Manager Software: Updates in 4.2 and above (4.2(3p), 4.3(6a)).
- Cisco IMC on Catalyst 8300 (NFVIS): Auto-upgrade to NFVIS 4.18.1 or later.
- UCS C-Series and E-Series Servers: Fixed IMC releases beginning with 4.2(3o) and 4.15.2, respectively.
- Intersight-Managed Servers: Firmware 5.3(0.250001) and above for B-Series and X-Series.
Appliance-specific remediation steps, such as applying ISO firmware updates for the Telemetry Broker or using the Cisco Host Upgrade Utility, are also outlined.
Although Cisco has not detected any public exploitation of this vulnerability, the ease of exploitation and the sensitive nature of management interfaces make prompt remediation imperative. Organizations relying on Cisco UCS infrastructure should:
- Inventory all devices running Cisco IMC or UCS Manager.
- Determine current firmware/software versions against the advisory’s fixed-release matrix.
- Schedule immediate upgrades to patched versions.
- Review administrative procedures to ensure users avoid clicking untrusted links.
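The second step above, checking each device's running version against the fixed-release matrix, is the one most easily got wrong by hand, because Cisco fixes each release train separately: 4.3(2a) is newer than 4.2(3p) yet still below the 4.3 train's fix. The script below is an added example, not Cisco tooling. Its `FIXED_RELEASES` table is constructed from only the highlights quoted in this article and stands in for the full matrix in the advisory; the product keys, the inventory records and the version `4.3(2a)` are made up for illustration. It parses Cisco-style version strings such as `4.2(3p)`, `5.3(0.250001)` and `4.15.2` into comparable tuples and compares within the device's own train:

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[Tuple[int, str], ...]

# Constructed lookup keyed by (product, release train) -> first fixed release
# in that train. Values are the ones quoted in the article; the authoritative
# matrix is the Cisco advisory cisco-sa-ucs-vkvmorv-CnKrV7HK, not this dict.
FIXED_RELEASES: Dict[Tuple[str, Tuple[int, int]], str] = {
    ("ucs-manager", (4, 2)): "4.2(3p)",
    ("ucs-manager", (4, 3)): "4.3(6a)",
    ("imc-c-series", (4, 2)): "4.2(3o)",
    ("imc-e-series", (4, 15)): "4.15.2",
    ("intersight-bx", (5, 3)): "5.3(0.250001)",
    ("nfvis", (4, 18)): "4.18.1",
}

FIXED, VULNERABLE, MIGRATE = "fixed", "vulnerable", "migrate"

_COMPONENT = re.compile(r"^(\d+)([a-z]*)$")


def parse_version(text: str) -> Version:
    """Parse a Cisco-style version into a tuple of (number, letter) pairs.

    Dots and parentheses both separate components, so
    4.2(3p) -> ((4,''),(2,''),(3,'p')) and 5.3(0.250001) -> ((5,''),(3,''),(0,''),(250001,'')).
    A trailing letter sorts after the bare number, so 4.2(3) < 4.2(3a) < 4.2(3p).
    """
    parts = [p for p in re.split(r"[.()]", text.strip()) if p]
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {text!r}")
    comps = []
    for p in parts:
        m = _COMPONENT.match(p.lower())
        if not m:
            raise ValueError(f"unrecognised component {p!r} in {text!r}")
        comps.append((int(m.group(1)), m.group(2)))
    return tuple(comps)


def train(v: Version) -> Tuple[int, int]:
    """The release train is the major.minor prefix, e.g. (4, 3) for 4.3(2a)."""
    return (v[0][0], v[1][0])


def assess(product: str, running: str) -> str:
    """Classify a running version against the fixed release of its own train.

    A train with no entry in the table has no in-train fix listed, so the
    device is treated as needing migration to a fixed train rather than
    as fixed by virtue of a higher-numbered neighbour.
    """
    v = parse_version(running)
    fixed = FIXED_RELEASES.get((product, train(v)))
    if fixed is None:
        return MIGRATE
    return FIXED if v >= parse_version(fixed) else VULNERABLE


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, status) for every record that is not fixed."""
    return [(host, s) for host, product, ver in inventory
            if (s := assess(product, ver)) != FIXED]


if __name__ == "__main__":
    # Constructed inventory records: (hostname, product key, running version).
    inventory = [
        ("ucsm-a", "ucs-manager", "4.2(3p)"),
        ("ucsm-b", "ucs-manager", "4.3(2a)"),
        ("ucsm-c", "ucs-manager", "4.1(3k)"),
        ("c240-1", "imc-c-series", "4.2(3o)"),
        ("e-series-1", "imc-e-series", "4.15.1"),
        ("x210c-1", "intersight-bx", "5.3(0.250001)"),
    ]
    for host, status in triage(inventory):
        print(f"{host}: {status}")
```

Comparing within the train is the point: a plain "is the version number higher than 4.2(3p)" check would mark `ucsm-b` as safe, while the in-train comparison correctly reports it below 4.3(6a).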
Because stolen credentials from IMC access can facilitate lateral movement and compromise of server workloads, applying updates without delay will close this vector before attackers can weaponize it.
CVE-2025-20317 underscores the persistent risk posed by insecure redirection in critical management interfaces. With no feasible workarounds, the sole remedy is the rapid deployment of software updates.
Cisco’s advisory provides the necessary guidance, and customers must act swiftly to safeguard UCS environments from credential-harvesting attacks.