Privilege Escalation in Cisco IOS Device Manager via Authenticated HTTP
CVE-2025-20164 Published on May 7, 2025

A vulnerability in the Cisco Industrial Ethernet Switch Device Manager (DM) of Cisco IOS Software could allow an authenticated, remote attacker to elevate privileges. This vulnerability is due to insufficient validation of authorizations for authenticated users. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to elevate privileges to privilege level 15. To exploit this vulnerability, the attacker must have valid credentials for a user account with privilege level 5 or higher. Read-only DM users are assigned privilege level 5.

NVD

Vulnerability Analysis

CVE-2025-20164 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity and availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

HIGH

Availability Impact:

HIGH

Weakness Type

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2025-20164 has been classified to as an AuthZ vulnerability or weakness.

Products Associated with CVE-2025-20164

Want to know whenever a new CVE is published for Cisco Internetwork Operating System (IOS)? stack.watch will email you.

Cisco Internetwork Operating System (IOS)

Affected Versions

Cisco IOS:

Version 15.0(2)SE8 is affected.
Version 15.0(2)EA is affected.
Version 15.0(2)EA1 is affected.
Version 15.2(2)E is affected.
Version 15.2(2)E1 is affected.
Version 15.2(3)E1 is affected.
Version 15.2(2)E2 is affected.
Version 15.2(2)E3 is affected.
Version 15.2(2a)E2 is affected.
Version 15.2(3)E2 is affected.
Version 15.2(3)E3 is affected.
Version 15.2(2)E4 is affected.
Version 15.2(2)E5 is affected.
Version 15.2(3)E4 is affected.
Version 15.2(5)E is affected.
Version 15.2(2)E6 is affected.
Version 15.2(5)E1 is affected.
Version 15.2(2)E5a is affected.
Version 15.2(5a)E1 is affected.
Version 15.2(2)E7 is affected.
Version 15.2(5)E2 is affected.
Version 15.2(6)E is affected.
Version 15.2(5)E2c is affected.
Version 15.2(2)E8 is affected.
Version 15.2(6)E0a is affected.
Version 15.2(6)E1 is affected.
Version 15.2(6)E0c is affected.
Version 15.2(2)E9 is affected.
Version 15.2(7)E is affected.
Version 15.2(2)E10 is affected.
Version 15.2(6)E2a is affected.
Version 15.2(7)E0b is affected.
Version 15.2(7)E0s is affected.
Version 15.2(6)E3 is affected.
Version 15.2(7)E2 is affected.
Version 15.2(7)E3 is affected.
Version 15.2(7)E1a is affected.
Version 15.2(7)E4 is affected.
Version 15.2(8)E is affected.
Version 15.2(8)E1 is affected.
Version 15.2(7)E5 is affected.
Version 15.2(7)E6 is affected.
Version 15.2(8)E2 is affected.
Version 15.2(7)E7 is affected.
Version 15.2(8)E3 is affected.
Version 15.2(7)E8 is affected.
Version 15.2(8)E4 is affected.
Version 15.2(7)E9 is affected.
Version 15.2(8)E5 is affected.
Version 15.2(8)E6 is affected.
Version 15.2(7)E10 is affected.
Version 15.2(7)E11 is affected.
Version 15.2(1)EY is affected.
Version 15.0(2)EK is affected.
Version 15.0(2)EK1 is affected.
Version 15.2(2)EB is affected.
Version 15.2(2)EB1 is affected.
Version 15.2(2)EB2 is affected.
Version 15.2(6)EB is affected.
Version 15.2(2)EA is affected.
Version 15.2(2)EA2 is affected.
Version 15.2(3)EA is affected.
Version 15.2(4)EA is affected.
Version 15.2(4)EA1 is affected.
Version 15.2(2)EA3 is affected.
Version 15.2(4)EA4 is affected.
Version 15.2(4)EA5 is affected.
Version 15.2(4)EA6 is affected.
Version 15.2(4)EA7 is affected.
Version 15.2(4)EA8 is affected.
Version 15.2(4)EA9 is affected.
Version 15.2(4)EA9a is affected.
Version 15.2(4)EC1 is affected.
Version 15.2(4)EC2 is affected.
Version 15.3(3)JPU is affected.

Exploit Probability

EPSS

0.38%

Percentile

59.09%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.