Missing authorization in Evolved Programmable Network (EPN) Manager - CVE-2026-20155

 


Published: April 1, 2026


Vulnerability identifier: #VU124800
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20155
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Cisco Systems, Inc
Affected software:
Evolved Programmable Network (EPN) Manager

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization checks in a REST API endpoint of an affected device. A remote authenticated user can send a specially crafted HTTP request and view session information of active Cisco EPNM users, including users with administrative privileges. The extracted session information can be used to log in with administrative privileges and compromise the system.


How to mitigate CVE-2026-20155

Install updates from the vendor's website.
