Cisco IMC Virtual Keyboard Vulnerability Allows Attackers to Redirect Users to Malicious Websites


By Kaaviya

Cisco has released urgent security updates to remediate a high-severity vulnerability in its Integrated Management Controller (IMC) virtual keyboard video monitor (vKVM) module that could allow unauthenticated, remote attackers to hijack sessions and redirect users to malicious websites.

The flaw, tracked as CVE-2025-20317, carries a CVSS base score of 7.1 and affects a wide range of Cisco UCS servers, appliances, and Catalyst uCPE platforms.

No workarounds exist, making prompt patching critical to prevent credential theft and targeted phishing campaigns.

Vulnerability Details and Attack Scenario

The vulnerability stems from insufficient validation of vKVM endpoints within the Cisco IMC interface. When a user accesses the remote console through the vKVM client, specially crafted links can exploit the weakness and redirect the user to an attacker-controlled site.

Because the redirect occurs within the trusted IMC management session, victims may be unaware they have left the legitimate interface.

Once redirected, attackers ...


Copyright of this story solely belongs to gbhackers.