CVE-2026-20075 is a stored cross-site scripting (XSS) vulnerability identified in the web-based management interfaces of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure. The root cause is improper neutralization of user-supplied input during web page generation, allowing malicious script code to be injected into specific data fields within the interface. When other users access the affected interface pages, the malicious scripts execute in their browsers, potentially compromising session tokens, cookies, or other sensitive information accessible via the browser context. Exploitation requires the attacker to have valid administrative credentials, indicating a high privilege requirement. The vulnerability spans a wide range of product versions, from early releases (1.x) through recent versions (8.x), indicating a long-standing issue. The CVSS 3.1 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, and user interaction needed. The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component. No public exploit code or active exploitation has been reported to date. The vulnerability could facilitate further attacks such as session hijacking, privilege escalation, or unauthorized access to sensitive management functions if exploited successfully. Cisco has not yet published official patches or mitigations at the time of this report, emphasizing the need for immediate risk management by affected organizations.

For European organizations, this vulnerability poses a moderate risk primarily due to the requirement for administrative credentials and user interaction. However, given that Cisco EPNM and Prime Infrastructure are widely used for network management and monitoring in large enterprises and service providers, exploitation could lead to unauthorized access to sensitive network management data, session hijacking, or manipulation of network configurations. This could disrupt network operations, compromise confidentiality of network topology and device configurations, and potentially facilitate lateral movement within the network. The impact is particularly significant for critical infrastructure sectors such as telecommunications, finance, and government entities in Europe that rely heavily on Cisco network management solutions. Additionally, the vulnerability could be leveraged in targeted attacks against high-value assets, increasing the risk of espionage or sabotage. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in environments with weak credential management or insufficient access controls.

1. Enforce strict administrative access controls: Limit the number of users with administrative privileges and implement multi-factor authentication (MFA) to reduce the risk of credential compromise. 2. Monitor and audit administrative activities within Cisco EPNM and Prime Infrastructure to detect suspicious behavior indicative of exploitation attempts. 3. Apply input validation and output encoding best practices where possible, including reviewing custom scripts or integrations that interact with the management interface. 4. Segregate network management interfaces from general user networks using network segmentation and firewall rules to reduce exposure. 5. Regularly update and patch Cisco EPNM and Prime Infrastructure as soon as official fixes become available from Cisco. 6. Educate administrators about the risks of XSS and the importance of not clicking on suspicious links or executing untrusted scripts within the management interface. 7. Employ web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting the management interface. 8. Conduct periodic security assessments and penetration testing focused on the management interface to identify and remediate any residual input validation issues.