Cisco Duo Self-Service Portal Command Injection Vulnerability
A vulnerability in the self-service portal of Cisco Duo could allow an unauthenticated, remote attacker to inject arbitrary commands into emails that are sent by the service.

This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by injecting arbitrary commands into a portion of an email that is sent by the service. A successful exploit could allow the attacker to send emails that contain malicious content to unsuspecting users.

Cisco Duo has addressed this vulnerability in the service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-ssp-cmd-inj-RCmYrNA

Security Impact Rating: Medium
CVE: CVE-2025-20258