#VU124800 Missing authorization in Evolved Programmable Network (EPN) Manager - CVE-2026-20155

 


Published: April 1, 2026


Vulnerability identifier: #VU124800
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20155
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Evolved Programmable Network (EPN) Manager
Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization checks in the REST API endpoint of an affected device. A remote authenticated user can send a specially crafted HTTP request and view session information of active Cisco EPNM users, including users with administrative privileges. The extracted session information can be used to log in with administrative privileges and compromise the system.


Remediation

Install updates from the vendor's website.

External links