
Cisco UCS Manager Software Flaw Allows Attackers to Inject Malicious Commands


By Kaaviya

Cisco has released urgent security updates to remediate two medium-severity command injection vulnerabilities in its UCS Manager Software that could allow authenticated administrators to execute arbitrary commands and compromise system integrity.

Disclosed on August 27, 2025, the advisory (cisco-sa-ucs-multi-cmdinj-E4Ukjyrz) affects multiple UCS fabric interconnect platforms and underscores the importance of timely patching to prevent potential root-level escalation.

Vulnerabilities Expose CLI & Web to Injection Attacks

The advisory details two distinct vulnerabilities—CVE-2025-20294 and CVE-2025-20295—both stemming from insufficient input validation of user-supplied command arguments.

CVE-2025-20294 impacts both the command-line interface and the web-based management portal, enabling a remote attacker with administrative credentials to inject malicious commands.

Successful exploitation could grant root privileges on the underlying operating system, posing severe confidentiality and integrity risks.
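As an added illustration of the vulnerability class the advisory describes (insufficient validation of user-supplied command arguments), and not code from Cisco, from UCS Manager, or from this article: a hypothetical management wrapper that turns a user-supplied interface name into an OS command, shown first in the unsafe string-splicing form and then in a hardened form that validates the argument against an allowlist and passes it as a discrete argv element so no shell ever parses it. The command names, the allowlist pattern and the sample inputs are assumptions chosen for illustration.

```python
import re
import subprocess
from typing import List

# Assumed allowlist for an interface-name style argument: alphanumerics plus '/', '.', '_', '-',
# 1 to 64 characters. This is an illustrative pattern, not Cisco's actual validation rule.
ARG_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9/._-]{0,63}$")


class InvalidArgument(ValueError):
    """Raised when a user-supplied argument fails allowlist validation."""


def build_command_unsafe(user_arg: str) -> str:
    # Vulnerable pattern (for contrast only): the argument is spliced into a single
    # string that would later be handed to a shell. Any shell syntax inside user_arg
    # changes what the shell executes, which is the root cause of command injection.
    return f"show interface {user_arg}"


def is_valid_arg(user_arg: str) -> bool:
    # Allowlist check: accept only the characters the argument legitimately needs.
    return ARG_PATTERN.fullmatch(user_arg) is not None


def validate_arg(user_arg: str) -> str:
    if not is_valid_arg(user_arg):
        raise InvalidArgument(f"rejected argument: {user_arg!r}")
    return user_arg


def build_command_safe(user_arg: str) -> List[str]:
    # Hardened pattern: validate first, then return an argument vector. Each element is
    # one argv entry, so metacharacters in the value are never interpreted as syntax.
    return ["show", "interface", validate_arg(user_arg)]


def run_argv(argv: List[str]) -> subprocess.CompletedProcess:
    # Execute without a shell (shell=False is the default) so argv is passed verbatim.
    return subprocess.run(argv, capture_output=True, text=True, check=False)


def audit_rejection(user: str, user_arg: str) -> str:
    # Defender-side logging: a rejected argument from an authenticated administrator is
    # worth an audit record, because the attack class here requires valid credentials.
    return f"cmd-arg-rejected user={user} arg={user_arg!r}"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, two carrying shell syntax.
    samples = ["Ethernet1/1", "eth1/1; echo injected", "$(echo injected)"]
    for sample in samples:
        print("unsafe string :", build_command_unsafe(sample))
        try:
            print("safe argv     :", build_command_safe(sample))
        except InvalidArgument as exc:
            print("rejected      :", exc)
            print("audit         :", audit_rejection("admin", sample))
```

The unsafe builder is kept only to make the contrast visible; in a real wrapper the string form should not exist at all, and the argv form should be the only path to `subprocess.run`.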

Across these two interfaces, the following scenarios illustrate the risk surface:

  • Remote injection via the web GUI using crafted parameter strings.
  • CLI injection when executing administrative ...

Copyright of this story solely belongs to gbhackers.