Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: A high-severity vulnerability in Cisco IMC (UCS B/C/S/X-Series) allows authenticated remote attackers to obtain elevated privileges through crafted SSH syntax. Patch immediately!
Image
Published : 10/06/2025
- Last update: 06/06/2025
- Affected software: Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers
- Type:
→ Improper Restriction of Communication Channel to Intended Endpoints- CVE/CVSS:
→ CVE-2025-20261: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Sources
Risks
Successful exploitation of this vulnerability in various versions of the Cisco Integrated Management Controller (IMC) could enable an authenticated remote attacker to gain access to internal services with elevated privileges.
This vulnerability significantly impacts confidentiality, integrity, and availability.
There is no evidence that a public proof-of-concept is in existence. Additionally, there is currently no evidence of active exploitation.
Description
When a user with valid (but limited) credentials connects via SSH using specially crafted syntax, the system fails to restrict access to internal services properly. This allows the attacker to bypass intended permission boundaries and interact with privileged functions.
By exploiting this vulnerability, a threat actor can:
- Authenticate with valid but limited credentials via SSH to the Cisco IMC interface.
- Use crafted SSH syntax to bypass internal restrictions and access privileged internal services.
- Escalate privileges, gaining access beyond what their account should allow.
- Modify system configurations or services not accessible to non-admin users.
- Create new administrator accounts, enabling long-term control of the device.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. Cisco has released software updates that address this vulnerability. There are no workarounds available.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.