Cisco Security Advisory Note

Cisco Security Advisory

Cisco regularly publishes security advisories to inform users about vulnerabilities in its products and to provide guidance on how to address them. These advisories cover a wide range of products and services, including software and hardware. An advisory typically includes details about the vulnerability, its impact, and steps for mitigation or remediation. For the latest information, visit the Cisco Security Advisories page on Cisco's official website.

Thread Of Notes

Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to create or overwrite any file on the system. The vulnerability exists because the software does not properly validate user-supplied input during a file upload process. An attacker could exploit it by sending a crafted HTTP request to the affected API endpoint; to do so, the attacker must have valid credentials for at least a lower-privileged user account. A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system and potentially use that access to elevate to root. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. The advisory is available on Cisco's security center website. Security Impact Rating: Medium. CVE: CVE-2026-20262.

Cisco Catalyst SD-WAN Manager Authenticated Privilege Escalation Vulnerability

A high-severity vulnerability, CVE-2026-20245, has been identified in the CLI of Cisco Catalyst SD-WAN Manager. It could allow an authenticated, local attacker with netadmin privileges to execute arbitrary commands as root. The vulnerability is due to insufficient validation of user-supplied input, which enables command injection; an attacker could exploit it by uploading a crafted file to the system. Cisco is aware of limited instances in which exploitation led to configuration changes on edge devices. There are no workarounds that address this vulnerability. Cisco has not yet released software updates to address the issue, and recommends that customers upgrade to a fixed software release documented in the advisory. Before upgrading, collect admin-tech files from control components for forensic analysis. After upgrading, verify system integrity by checking logs for indicators of compromise. If compromise is confirmed, Cisco TAC will provide further remediation steps.

Cisco Unified Communications Manager Server-Side Request Forgery Vulnerability

A critical vulnerability exists in Cisco Unified Communications Manager and its Session Management Edition. This flaw allows an unauthenticated, remote attacker to perform server-side request forgery (SSRF) attacks. The vulnerability stems from improper input validation within specific HTTP requests. Attackers can exploit this by sending a specially crafted HTTP request to an affected device. Successful exploitation enables attackers to write files to the underlying operating system. These written files can subsequently be used to elevate privileges to root access. Cisco specifically rated this vulnerability as Critical due to the potential for root privilege escalation. It is important to note that exploitation requires the WebDialer service to be enabled on the affected device. WebDialer is disabled by default, which somewhat mitigates the immediate risk. Cisco has released software updates to address this security flaw. Currently, no workarounds are available for this vulnerability. The official advisory provides further details on this critical security issue.

Cisco Finesse Remote File Inclusion Vulnerability

A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks. This vulnerability is due to insufficient validation of user-supplied input for HTTP requests that are sent to an affected device. An attacker who has knowledge of the address of the affected device could exploit this vulnerability by persuading a user to click a crafted link that contains the affected device address. A successful exploit could allow the attacker to conduct browser-based attacks and execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-rfi-gwpkdc89
Security Impact Rating: Medium
CVE: CVE-2026-20175

Cisco Webex Meetings Cross-Site Scripting Vulnerability

A vulnerability in the web-based user interface of Cisco Webex Meetings could have allowed an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. Cisco has addressed this vulnerability in the Webex Meetings service, and no customer action is needed. This vulnerability existed because of insufficient validation of user input. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information. As mentioned, Cisco has addressed this vulnerability in the Webex Meetings service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-jw3NeQzS
Security Impact Rating: Medium
CVE: CVE-2026-20233

Cisco Nexus 3000 and 9000 Series Switches Border Gateway Protocol Denial of Service Vulnerability

A vulnerability in the enforce-first-as feature of the Border Gateway Protocol (BGP) implementation of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition. The vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit it by sending a crafted BGP update through an established BGP peer session. When an affected device receives the update, it drops the BGP session and then flaps with the peer that forwarded the malicious update. Cisco has released software updates that address this vulnerability and has provided workarounds.

Cisco ThousandEyes Enterprise Agent BrowserBot Command Injection Vulnerability

A vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent could have allowed an authenticated, remote attacker to execute arbitrary commands within the BrowserBot container. The vulnerability was due to insufficient validation of user-supplied command arguments. To exploit it, an attacker needed valid ThousandEyes SaaS credentials and test management capabilities. Cisco has addressed this vulnerability in the ThousandEyes Enterprise Agent, and no customer action is required. There are no workarounds that address this vulnerability. Security Impact Rating: Medium. CVE: CVE-2026-20206.

Cisco Secure Workload Unauthorized API Access Vulnerability

A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role. This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy
Security Impact Rating: Critical
CVE: CVE-2026-20223

Cisco ThousandEyes Virtual Appliance Authenticated Remote Code Execution Vulnerability

A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user. This vulnerability is due to insufficient validation of user-supplied input. An authenticated attacker could exploit this vulnerability by uploading a crafted certificate to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tevacert-rce-RMJVEym5
Security Impact Rating: Medium
CVE: CVE-2026-20199

Cisco Catalyst SD-WAN Manager Vulnerabilities

Multiple vulnerabilities in Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow a remote attacker to gain access to sensitive information, elevate privileges, or gain unauthorized access to the application. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-mltvnps2-JxpWm7R
Security Impact Rating: Critical
CVE: CVE-2026-20209, CVE-2026-20210, CVE-2026-20224

Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

A security advisory for Cisco Catalyst SD-WAN Controller and Manager, released in May 2026, addresses a critical authentication bypass vulnerability in the peering authentication mechanism of the SD-WAN controller. An unauthenticated attacker could exploit the flaw by sending crafted requests. A successful exploit grants the attacker administrative privileges as a high-privileged non-root user; that account has access to NETCONF, enabling manipulation of network configurations. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Customers are advised to gather diagnostic information before upgrading and then to upgrade as soon as possible. The advisory provides guidance on identifying potential compromise using "Show Control Connections". Security Impact Rating: Critical. CVE: CVE-2026-20182.

Cisco Unity Connection Remote Code Execution and Server-Side Request Forgery Vulnerabilities

Multiple vulnerabilities in Cisco Unity Connection could allow a remote attacker to execute arbitrary code on or conduct server-side request forgery (SSRF) attacks through an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy
Security Impact Rating: High
CVE: CVE-2026-20034, CVE-2026-20035

Cisco Identity Services Engine Authentication Bypass Vulnerabilities

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow a remote attacker to bypass authorization mechanisms or examine error messages to gain access to sensitive information on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-bypass-uxjRXGpb
Security Impact Rating: Medium
CVE: CVE-2026-20193, CVE-2026-20195

Cisco Prime Infrastructure Information Disclosure Vulnerability

A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulnerability is due to insufficient authorization checks on the download service API. An attacker could exploit this vulnerability by submitting a crafted URL request to an affected device. A successful exploit could allow the attacker to download sensitive log files that they would otherwise not have authorization to access. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-unauth-infodiscl-LFnLgmey
Security Impact Rating: Medium
CVE: CVE-2026-20189

Cisco Slido Insecure Direct Object Reference Vulnerability

A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results. As mentioned, Cisco has addressed this vulnerability in the Slido service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-slido-idor-CpsFmKxN
Security Impact Rating: Medium
CVE: CVE-2026-20219

Cisco IoT Field Network Director Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco IoT Field Network Director Software could allow an authenticated, remote attacker to access files, execute commands, and cause denial of service (DoS) conditions on managed routers. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iot-fnd-dos-n8N26Q4u
Security Impact Rating: High
CVE: CVE-2026-20167, CVE-2026-20168, CVE-2026-20169

Cisco Enterprise Chat and Email Lite Agent File Upload Vulnerability

A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow a remote attacker with valid agent credentials to conduct browser-based attacks. The vulnerability is due to insufficient validation of uploaded files. An attacker could exploit it by uploading a file containing malicious script or HTML code; when other users access that file, the code executes in their browsers, allowing the attacker to conduct browser-based attacks against those users. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. A Cisco Security Advisory details the vulnerability. Security Impact Rating: Medium. CVE: CVE-2026-20172.

Cisco SG350 and SG350X Series Managed Switches SNMP Denial of Service Vulnerability

A vulnerability in the SNMP subsystem of Cisco SG350 and SG350X Series Managed Switches could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service. The vulnerability is due to inadequate error handling in the firmware when processing SNMP response data. An attacker could exploit it by sending a specific SNMP request to an affected device. The vulnerability affects SNMP versions 1, 2c, and 3; exploitation requires either the appropriate community string (for SNMPv2c and earlier) or valid SNMP credentials (for SNMPv3). Cisco will not release software updates for these products because they have reached end of life; PSIRT will continue to assess and disclose vulnerabilities until the end of support. No workarounds are available, but mitigation options may exist. Security Impact Rating: High. CVE: CVE-2026-20185.

Cisco Crosswork Network Controller and Cisco Network Services Orchestrator Connection Exhaustion Denial of Service Vulnerability

Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) are affected by a vulnerability in their connection handling. The flaw is due to a deficient rate-limiting mechanism for incoming network connections. An attacker could exploit it by flooding the system with connection requests, exhausting the available connection resources and leaving CNC and NSO unresponsive, which results in a denial-of-service (DoS) condition for legitimate users and dependent services. A system reboot is required to restore functionality after such an attack. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Security Impact Rating: High. CVE: CVE-2026-20188.

Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability

A vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic. This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches. An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to read or modify the traffic that is transmitted between the sites. Cisco has deprecated and removed the ACI Multi-Site CloudSec encryption feature that is affected by this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX
Security Impact Rating: High
CVE: CVE-2023-20185

Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense

On April 23, 2026, CISA updated Emergency Directive 25-03 concerning potential compromises of Cisco Secure Firewall ASA and Secure Firewall Threat Defense (FTD) devices. The ArcaneDoor threat actor has developed a new persistence mechanism, located within the FXOS software, that survives upgrades to the fixed releases from September 2025. Initial compromise exploited vulnerabilities that predate the September 2025 fixes, including CVE-2025-20333 and CVE-2025-20362. The September 2025 Cisco Event Response details the fixed releases, and the Cisco advisory provides further details about the ongoing threat and the associated vulnerabilities. Security Impact Rating: Informational.

Cisco Secure Web Appliance Authentication Bypass Vulnerability

A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wsa-auth-bypass-6YZkTQhd
Security Impact Rating: Medium
CVE: CVE-2026-20152

Cisco Unity Connection Arbitrary File Download Vulnerabilities

Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-file-download-RmKEVWPx
Security Impact Rating: Medium
CVE: CVE-2026-20078, CVE-2026-20081

Cisco Identity Services Engine Remote Code Execution and Path Traversal Vulnerabilities

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to achieve remote code execution or conduct path traversal attacks on an affected device. To exploit these vulnerabilities, the attacker must have valid administrative credentials. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-traversal-8bYndVrZ
Security Impact Rating: Critical
CVE: CVE-2026-20147, CVE-2026-20148

Cisco Unity Connection Cross-Site Scripting, Open Redirect, and SQL Injection Vulnerabilities

Multiple vulnerabilities in Cisco Unity Connection could allow a remote attacker to conduct a cross-site scripting (XSS) attack, an open redirect attack, and an SQL injection attack. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-vulns-n2EJSbbw
Security Impact Rating: Medium
CVE: CVE-2026-20059, CVE-2026-20060, CVE-2026-20061

Cisco Webex Contact Center Cross-Site Scripting Vulnerability

A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information. As mentioned, Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is necessary to update on-premises software or devices. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webexcc-xss-WEX5nUnA
Security Impact Rating: Medium
CVE: CVE-2026-20170

Cisco Webex Services Certificate Validation Vulnerability

A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services. Cisco has addressed this vulnerability in the Cisco Webex service. However, customer action is necessary for affected organizations that are using SSO integration. There are no workarounds that address this vulnerability. To avoid service interruption, customers who are using SSO should upload a new identity provider (IdP) SAML certificate to Control Hub. For more information, see Manage single sign-on integration in Control Hub.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-cui-cert-8jSZYhWL
Security Impact Rating: Critical
CVE: CVE-2026-20184

Cisco ThousandEyes Enterprise Agent Arbitrary File Overwrite Vulnerability

A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-agentfilewrite-tqUw3SMU
Security Impact Rating: Medium
CVE: CVE-2026-20161

Cisco Identity Services Engine Remote Code Execution Vulnerabilities

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with minimal Read Only Admin credentials to execute commands on an affected device. These vulnerabilities are due to insufficient input validation; an attacker could exploit them by sending crafted HTTP requests to the device. A successful exploit grants the attacker user-level access, potentially leading to root privilege escalation. In a single-node deployment, exploitation could also cause a denial-of-service (DoS) condition that blocks endpoint network access. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. Security Impact Rating: Critical. CVE: CVE-2026-20180, CVE-2026-20186.

Cisco Identity Services Engine Multiple Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker with administrative write privileges to conduct stored or reflected cross-site scripting (XSS) attacks. These vulnerabilities are due to insufficient sanitization of user-supplied data in the interface. An attacker could exploit them by persuading a user to click a malicious link or view a compromised page. A successful exploit could allow the attacker to execute script in the context of the management interface or access browser-based data. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. The linked security advisory provides complete details. Security Impact Rating: Medium. CVE: CVE-2026-20132.

Cisco Identity Services Engine Authenticated Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-cmd-inj-5WSJcYJB
Security Impact Rating: Medium
CVE: CVE-2026-20136

Cisco Integrated Management Controller Command Injection and Remote Code Execution Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to execute arbitrary code or commands on the underlying operating system of an affected system and elevate privileges to root. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-3hKN3bVt
Security Impact Rating: High
CVE: CVE-2026-20094, CVE-2026-20095, CVE-2026-20096, CVE-2026-20097

Cisco Nexus Dashboard and Nexus Dashboard Insights Server-Side Request Forgery Vulnerability

A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by persuading an authenticated user of the device management interface to click a crafted link. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device to an attacker-controlled server. The attacker could then execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nd-ssrf-NAen4O7r
Security Impact Rating: Medium
CVE: CVE-2026-20041

Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability

A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit this vulnerability by sending a crafted message to an affected Cisco SSM On-Prem host and retrieving session credentials from subsequent status messages. A successful exploit could allow the attacker to elevate privileges on the affected system from low to administrative. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of System User. Note: This vulnerability exposes information only about users who logged in to the Cisco SSM On-Prem host using the web interface and who are currently logged in. SSH sessions are not affected. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-xRAnOuO8
Security Impact Rating: High
CVE: CVE-2026-20151

Cisco Integrated Management Controller Cross-Site Scripting Vulnerabilities

Multiple vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow a remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-xss-A2tkgVAB
Security Impact Rating: Medium
CVE: CVE-2026-20085, CVE-2026-20087, CVE-2026-20088, CVE-2026-20089, CVE-2026-20090

Cisco Nexus Dashboard Configuration Backup REST API Unauthorized Access Vulnerability

A vulnerability in the configuration backup feature of Cisco Nexus Dashboard could allow an attacker who possesses both a backup file and the encryption password for it to gain unauthorized access. The root cause is that authentication details are included in the encrypted backup files. With a compromised backup file and the correct password, an attacker can decrypt the data and recover authentication details for the affected device. Using these credentials, the attacker can then access internal-only APIs. The ultimate impact of a successful exploit is the ability to remotely execute arbitrary operating system commands as the root user. Cisco has issued software updates to patch this vulnerability. No workarounds are available to mitigate this specific threat. The vulnerability is tracked as CVE-2026-20042 and has a Medium security impact rating.

Cisco Nexus Dashboard Insights Arbitrary File Write Vulnerability

A vulnerability exists in the Metadata update feature of Cisco Nexus Dashboard Insights. This flaw stems from inadequate validation of the metadata update file. An authenticated, remote attacker could exploit it by uploading a specially crafted file. Successful exploitation allows the attacker to write arbitrary files to the system with root user privileges on the underlying operating system. Crucially, the attacker needs valid administrative credentials to perform this exploit. Note that although manual metadata uploads are most common in air-gapped setups, the option exists in both air-gapped and non-air-gapped deployments. Cisco has released software updates to fix this vulnerability. There are no available workarounds to mitigate this issue. This vulnerability is tracked as CVE-2026-20174 and has a Medium security impact rating.

Cisco Evolved Programmable Network Manager Improper Authorization Vulnerability

A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker with low privileges to access sensitive information that they are not authorized to access. This vulnerability is due to improper authorization checks on a REST API endpoint of an affected device. An attacker could exploit this vulnerability by querying the affected endpoint. A successful exploit could allow the attacker to view session information of active Cisco EPNM users, including users with administrative privileges, which could result in the affected device being compromised. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-epnm-improp-auth-mUwFWUU3
Security Impact Rating: High
CVE: CVE-2026-20155

Cisco Integrated Management Controller Authentication Bypass Vulnerability

A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn
Security Impact Rating: Critical
CVE: CVE-2026-20093

Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability

A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This vulnerability is due to the unintentional exposure of an internal service. An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr
Security Impact Rating: Critical
CVE: CVE-2026-20160

Cisco IOS Software and IOS XE Software Release 3E HTTP Server Denial of Service Vulnerability

A vulnerability in the HTTP Server feature of Cisco IOS Software and Cisco IOS XE Software Release 3E could allow an authenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending malformed HTTP requests to an affected device. A successful exploit could allow the attacker to cause a watchdog timer to expire and the device to reload, resulting in a DoS condition. To exploit this vulnerability, the attacker must have a valid user account. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-http-dos-sbv8XRpL
This advisory is part of the March 2026 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Security Impact Rating: High
CVE: CVE-2026-20125

Cisco IOS XE Software Secure Channel for Meraki Information Disclosure Vulnerability

A vulnerability in Cisco IOS XE Software for Cisco Meraki could allow a remote, unauthenticated attacker to view confidential device information. This vulnerability is due to a device configuration upload being performed over an insecure tunnel. An attacker could exploit this vulnerability by conducting an on-path attack between the affected device and the Cisco Meraki Dashboard. A successful exploit could allow the attacker to view sensitive device configuration information. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe_infodis-6J847uEB
This advisory is part of the March 2026 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Security Impact Rating: Medium
CVE: CVE-2026-20115

Cisco IOS XE Software for Cisco Catalyst and Rugged Series Switches Secure Boot Bypass Vulnerability

A vulnerability in the bootloader of Cisco IOS XE Software for Cisco Catalyst 9200 Series Switches, Cisco Catalyst ESS9300 Embedded Series Switches, Cisco Catalyst IE9310 and IE9320 Rugged Series Switches, and Cisco IE3500 and IE3505 Rugged Series Switches could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute arbitrary code at boot time and break the chain of trust. This vulnerability is due to insufficient validation of software at boot time. An attacker could exploit this vulnerability by manipulating the loaded binaries on an affected device to bypass some of the integrity checks that are performed during the boot process. A successful exploit could allow the attacker to execute code that bypasses the requirement to run Cisco-signed images. Cisco has assigned this security advisory a Security Impact Rating (SIR) of High rather than Medium as the score indicates because this vulnerability allows an attacker to bypass a major security feature of a device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xe-secureboot-bypass-B6uYxYSZ
This advisory is part of the March 2026 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Security Impact Rating: High
CVE: CVE-2026-20104

Cisco IOS XE Software for Catalyst 9000 Series Switches DHCP Snooping Denial of Service Vulnerability

A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utilization. This makes the device unreachable (either through console or remote management) and unable to forward traffic, resulting in a DoS condition. Note: This vulnerability can be exploited with either unicast or broadcast BOOTP packets. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA
This advisory is part of the March 2026 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Security Impact Rating: High
CVE: CVE-2026-20084

Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family CAPWAP Denial of Service Vulnerability

A vulnerability in the processing of Control and Provisioning of Wireless Access Points (CAPWAP) packets of Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of a malformed CAPWAP packet. An attacker could exploit this vulnerability by sending a malformed CAPWAP packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload unexpectedly, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dos-hnX5KGOm
This advisory is part of the March 2026 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Security Impact Rating: High
CVE: CVE-2026-20086

Cisco IOx Application Hosting Environment Stored Cross-Site Scripting Vulnerability

A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-xss-LpGkzwtJ
This advisory is part of the March 2026 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Security Impact Rating: Medium
CVE: CVE-2026-20112

Cisco IOx Application Hosting Environment Carriage Return Line Feed Injection Vulnerability

A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to arbitrarily inject log entries, manipulate the structure of log files, or obscure legitimate log events. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-crlf-NvgKTKJZ
This advisory is part of the March 2026 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Security Impact Rating: Medium
CVE: CVE-2026-20113

Cisco Catalyst SD-WAN Manager Cross-Site Scripting Vulnerability

A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanage-xss-ZqkhP9W9
Security Impact Rating: Medium
CVE: CVE-2026-20108

Cisco IOS XE Software TLS Memory Exhaustion Denial of Service Vulnerability

A vulnerability in the TLS library of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust the available memory of an affected device. This vulnerability is due to improper management of memory resources during TLS connection setup. An attacker could exploit this vulnerability by repeatedly triggering the conditions that cause the memory increase. This could be done in a variety of ways, such as by repeatedly attempting Extensible Authentication Protocol (EAP) authentication when local EAP is enabled on an affected device or by using a machine-in-the-middle attack and resetting TLS connections between the affected device and other devices. A successful exploit could allow the attacker to exhaust the available memory on an affected device, resulting in an unexpected reload and a denial of service (DoS) condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-tls-dos-TVgLDEZL
This advisory is part of the March 2026 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Security Impact Rating: High
CVE: CVE-2026-20004

Cisco IOS XE Software Denial of Service Vulnerability

A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability exists because incorrect privileges are associated with the start maintenance command. An attacker could exploit this vulnerability by accessing the management CLI of the affected device as a low-privileged user and issuing the start maintenance command. A successful exploit could allow the attacker to put the device in maintenance mode, which shuts down interfaces, resulting in a DoS condition. In case of exploitation, a device administrator can connect to the CLI and use the stop maintenance command to restore operations. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-mntc-dos-LZweQcyq
This advisory is part of the March 2026 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2026 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.
Security Impact Rating: Medium
CVE: CVE-2026-20110