Cisco Duo Self-Service Portal Command Injection Vulnerability

🚨 SEVERITY: MEDIUM — CVSS 5.4 Security Advisory

TL;DR 📌

A command injection vulnerability has been identified in the Cisco Duo Self-Service Portal, allowing unauthenticated remote attackers to inject arbitrary commands into emails sent by the service. Cisco has addressed this issue, and no customer action is necessary.

What happened 🕵️‍♂️

A vulnerability in the self-service portal of Cisco Duo could allow an unauthenticated, remote attacker to inject arbitrary commands into emails sent by the service. This is due to insufficient input validation. A successful exploit could enable attackers to send emails containing malicious content to unsuspecting users.

Affected products 🖥️

This vulnerability affects the Cisco Duo self-service portal, which is cloud-based.

Fixed software 🔧

Upgrade to at least the first fixed release in your train (or later):

Product / Release Train   First Fixed Release   Notes
ISE / ISE-PIC             1.0                   Initial public release.

Workarounds 🧯

There are no workarounds that address this vulnerability.

Risk in context 🎯

The highest CVSS score for this vulnerability is 5.4, categorized as MEDIUM severity. This indicates a moderate risk, but because Cisco has already addressed the issue in the cloud-hosted service, customers have no immediate remediation to perform.

Fast facts ⚡

  • Vulnerability ID: CVE-2025-20258
  • CVSS Score: 5.4 (MEDIUM)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • Exploitation Awareness: No public announcements or malicious use reported.

For leadership 🧭

The Cisco Duo Self-Service Portal command injection vulnerability poses a moderate risk but has been resolved by Cisco. No action is required from users; tracking advisories of this kind nonetheless remains part of maintaining security posture. For further information, customers can reach out to the Cisco Technical Assistance Center (TAC) or their maintenance providers.