Cisco
Products by Cisco Sorted by Most Security Vulnerabilities since 2018
Cisco Internetwork Operating System (IOS): 211 vulnerabilities
Cisco Internetwork Operating System (IOS) is a family of network operating systems used on many Cisco Systems routers and current Cisco network switches.
Recent Cisco Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-05-06 | Cisco Prime Infrastructure Information Disclosure Vulnerability | May 6, 2026 |
| 2026-05-06 | Cisco Identity Services Engine Authentication Bypass Vulnerabilities | May 6, 2026 |
| 2026-05-06 | Cisco Enterprise Chat and Email Lite Agent File Upload Vulnerability | May 6, 2026 |
| 2026-05-06 | Cisco Slido Insecure Direct Object Reference Vulnerability | May 6, 2026 |
| 2026-05-06 | Cisco Unity Connection Remote Code Execution and Server-Side Request Forgery Vulnerabilities | May 6, 2026 |
| 2026-05-06 | Cisco SG350 and SG350X Series Managed Switches SNMP Denial of Service Vulnerability | May 6, 2026 |
| 2026-05-06 | Cisco IoT Field Network Director Vulnerabilities | May 6, 2026 |
| 2026-05-06 | Cisco Crosswork Network Controller and Cisco Network Services Orchestrator Connection Exhaustion Denial of Service Vulnerability | May 6, 2026 |
| 2026-04-23 | Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense | April 23, 2026 |
| 2026-04-15 | Cisco Identity Services Engine Remote Code Execution and Path Traversal Vulnerabilities | April 15, 2026 |
Known Exploited Cisco Vulnerabilities
The following Cisco vulnerabilities have recently been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability | Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user. (CVE-2026-20128; exploit probability 0.0%) | April 20, 2026 |
| Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability | Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges. (CVE-2026-20122; exploit probability 1.0%) | April 20, 2026 |
| Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerabili | Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems. (CVE-2026-20133; exploit probability 1.1%) | April 20, 2026 |
| Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewa | Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. (CVE-2026-20131; exploit probability 1.2%) | March 19, 2026 |
| Cisco SD-WAN Path Traversal Vulnerability | Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user. (CVE-2022-20775; exploit probability 0.4%) | February 25, 2026 |
| Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability | Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affec (CVE-2026-20127; exploit probability 39.7%) | February 25, 2026 |
| Cisco Unified Communications Products Code Injection Vulnerability | Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. (CVE-2026-20045; exploit probability 4.1%) | January 21, 2026 |
| Cisco Multiple Products Improper Input Validation Vulnerability | Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. (CVE-2025-20393; exploit probability 6.8%) | December 17, 2025 |
| Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability | Cisco IOS and IOS XE contain a stack-based buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow for denial of service or remote code execution. A successful exploit could allow a low-privileged attacker to cause the affected system to reload, resulting in a DoS condition, or allow a high-privileged attacker to execute arbitrary code as the root user and obtain full control of the affected system. (CVE-2025-20352; exploit probability 2.7%) | September 29, 2025 |
| Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Mis | Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a missing authorization vulnerability. This vulnerability could be chained with CVE-2025-20333. (CVE-2025-20362; exploit probability 44.1%) | September 25, 2025 |
| Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buf | Cisco Secure Firewall Adaptive Security (ASA) Appliance and Secure Firewall Threat Defense (FTD) Software VPN Web Server contain a buffer overflow vulnerability that allows for remote code execution. This vulnerability could be chained with CVE-2025-20362. (CVE-2025-20333; exploit probability 25.1%) | September 25, 2025 |
| Cisco Identity Services Engine Injection Vulnerability | Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input, allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtain root privileges on an affected device. (CVE-2025-20337; exploit probability 1.0%) | July 28, 2025 |
| Cisco Identity Services Engine Injection Vulnerability | Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input, allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtain root privileges on an affected device. (CVE-2025-20281; exploit probability 36.0%) | July 28, 2025 |
| Cisco Smart Licensing Utility Static Credential Vulnerability | Cisco Smart Licensing Utility contains a static credential vulnerability that allows an unauthenticated, remote attacker to log in to an affected system and gain administrative credentials. (CVE-2024-20439; exploit probability 87.1%) | March 31, 2025 |
| Cisco Small Business RV Series Routers Command Injection Vulnerability | Multiple Cisco Small Business RV Series Routers contain a command injection vulnerability in the web-based management interface. Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data. (CVE-2023-20118; exploit probability 3.8%) | March 3, 2025 |
| Cisco Adaptive Security Appliance (ASA) Cross-Site Scripting (XSS) Vulnerability | Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter. (CVE-2014-2120; exploit probability 69.8%) | November 12, 2024 |
| Cisco ASA and FTD Denial-of-Service Vulnerability | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a missing release of resource after effective lifetime vulnerability that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) of the RAVPN service. (CVE-2024-20481; exploit probability 11.1%) | October 24, 2024 |
| Cisco NX-OS Command Injection Vulnerability | Cisco NX-OS contains a command injection vulnerability in the command line interface (CLI) that could allow an authenticated, local attacker to execute commands as root on the underlying operating system of an affected device. (CVE-2024-20399; exploit probability 0.8%) | July 2, 2024 |
| Cisco ASA and FTD Privilege Escalation Vulnerability | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain a privilege escalation vulnerability that can allow local privilege escalation from Administrator to root. (CVE-2024-20359; exploit probability 0.2%) | April 24, 2024 |
| Cisco ASA and FTD Denial of Service Vulnerability | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an infinite loop vulnerability that can lead to a remote denial of service condition. (CVE-2024-20353; exploit probability 19.5%) | April 24, 2024 |
The vulnerability CVE-2024-20439: Cisco Smart Licensing Utility Static Credential Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. 6 known exploited Cisco vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
Top 10 Riskiest Cisco Vulnerabilities
Based on the current exploit probability, these Cisco vulnerabilities are on CISA's Known Exploited vulnerabilities list (KEV) and are ranked by the current EPSS exploit probability.
| Rank | CVE | EPSS | Vulnerability |
|---|---|---|---|
| 1 | CVE-2020-3452 | 94.5% | Cisco Adaptive Security Appliance and Cisco Fire Power Threat Defense directory traversal sensitive |
| 2 | CVE-2018-0296 | 94.4% | Cisco Adaptive Security Appliance Firepower Threat Defense Denial-of-Service/Directory Traversal vul |
| 3 | CVE-2019-1653 | 94.4% | Cisco RV320 and RV325 Routers Improper Access Control Vulnerability (COVID-19-CTI list) |
| 4 | CVE-2021-1497 | 94.4% | Cisco HyperFlex HX Command Injection Vulnerabilities |
| 5 | CVE-2017-3881 | 94.3% | Cisco IOS and IOS XE Remote Code Execution Vulnerability |
| 6 | CVE-2021-1498 | 94.2% | Cisco HyperFlex HX Command Injection Vulnerabilities |
| 7 | CVE-2023-20198 | 94.0% | Cisco IOS XE Web UI Privilege Escalation Vulnerability |
| 8 | CVE-2020-3580 | 93.2% | Cisco ASA and FTD XSS Vulnerabilities |
| 9 | CVE-2016-6415 | 93.1% | Cisco IOS, IOS XR, and IOS XE IKEv1 Information Disclosure Vulnerability |
| 10 | CVE-2018-0171 | 93.0% | Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability |
By the Year
In 2026 there have been 136 vulnerabilities in Cisco with an average score of 6.5 out of ten. Last year, in 2025, Cisco had 218 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Cisco in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.17.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 136 | 6.52 |
| 2025 | 218 | 6.69 |
| 2024 | 366 | 6.74 |
| 2023 | 271 | 6.83 |
| 2022 | 323 | 6.91 |
| 2021 | 620 | 6.84 |
| 2020 | 354 | 6.85 |
| 2019 | 524 | 6.78 |
| 2018 | 373 | 7.51 |
It may take a day or so for new Cisco vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Cisco Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-20219 | May 06, 2026 |
Cisco Slido REST API IDOR leaks user social profile dataA vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results. |
|
| CVE-2026-20034 | May 06, 2026 |
Cisco Unity Connection Authenticated RCE via API Input ValidationA vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. |
|
| CVE-2026-20167 | May 06, 2026 |
DoS via web-based UI in Cisco IoT Field Network DirectorA vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker could exploit this vulnerability by submitting crafted input to the web-based management interface. A successful exploit could allow the attacker to request unauthorized files from a remote router, causing the router to reload and resulting in a DoS condition. |
|
| CVE-2026-20035 | May 06, 2026 |
CVE-2026-20035: SSRF in Cisco Unity Connection Web Inbox Web UIA vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device. |
|
| CVE-2026-20169 | May 06, 2026 |
Authenticated Remote File Access & Command Exec in Cisco IoT Field Network DirectorA vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to access files and execute commands on a remote router. This vulnerability is due to insufficient input validation of user-supplied data. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to create, read, or delete files and execute limited commands in user EXEC mode on a remote router. |
|
| CVE-2026-20168 | May 06, 2026 |
CVE-2026-20168: Unauthorized File Retrieval in Cisco IoT FND Web UIA vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to retrieve files that they do not have permission to access. This vulnerability is due to insufficient file access checks. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to read files that they are not authorized to access. |
|
| CVE-2026-20172 | May 06, 2026 |
CVE-2026-20172: Authenticated File Upload in Cisco ECE Lite Agent allows XSSA vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent. This vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks. |
|
| CVE-2026-20188 | May 06, 2026 |
Unauth Remote DoS via Connection Flood in Cisco CNC/NSOA vulnerability in the connection-handling mechanism of Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an inadequate implementation of rate-limiting on incoming network connections. An attacker could exploit this vulnerability by sending a large number of connection requests to an affected system. A successful exploit could allow the attacker to exhaust available connection resources, causing Cisco CNC and Cisco NSO to become unresponsive and resulting in a DoS condition for legitimate users and dependent services. A manual reboot of the system is required to recover from this condition. |
|
| CVE-2026-20189 | May 06, 2026 |
CVE-2026-20189: Cisco Prime Infra Log File Download Auth BypassA vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulnerability is due to insufficient authorization checks on the download service API. An attacker could exploit this vulnerability by submitting a crafted URL request to an affected device. A successful exploit could allow the attacker to download sensitive log files that they would otherwise not have authorization to access. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device. |
|
| CVE-2026-20185 | May 06, 2026 |
Cisco SG350 SNMP 1/2c/3 DoS via Improper Error HandlingA vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X) firmware could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when parsing response data for a specific SNMP request. An attacker could exploit this vulnerability by sending a specific SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system. |
|
| CVE-2026-20193 | May 06, 2026 |
Cisco ISE Radius Policy API RBAC Bypass (CVE-2026-20193)A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device. This vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role. |
|
| CVE-2026-20195 | May 06, 2026 |
Cisco ISE Identity API Username Enumeration via Error MessagesA vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because error messages are observed when the affected API endpoint is called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differentiated responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system. |
|
| CVE-2026-20136 | Apr 15, 2026 |
Cisco ISE CLI Command Injection allows privilege escalationA vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. This vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system. |
|
| CVE-2026-20059 | Apr 15, 2026 |
Cisco Unity Conn Web Mgmt Reflected XSS via Input ValidationA vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. |
|
| CVE-2026-20060 | Apr 15, 2026 |
Cisco Unity Connection: Unauthenticated Redirect via Input Validation in Web UIA vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page. |
|
| CVE-2026-20061 | Apr 15, 2026 |
Cisco Unity Connection Web UI SQL InjectionA vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device. |
|
| CVE-2026-20170 | Apr 15, 2026 |
CVE-2026-20170: XSS in Cisco Webex CC Desktop Agent enables session theftA vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information. |
|
| CVE-2026-20184 | Apr 15, 2026 |
SSO Impersonation via Improper Cert Validation in Cisco Webex Control HubA vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services. |
|
| CVE-2026-20180 | Apr 15, 2026 |
RCE via crafted HTTP in Cisco ISE (Readonly Admin access)A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. |
|
| CVE-2026-20161 | Apr 15, 2026 |
Local File Overwrite via CLI in Cisco ThousandEyes EAA vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device. |
|
| CVE-2026-20152 | Apr 15, 2026 |
Auth Bypass in Cisco Secure Web Appliance via AsyncOS AuthServiceA vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device. |
|
| CVE-2026-20186 | Apr 15, 2026 |
Cisco ISE Remote OS Command Execution via HTTP (ReadOnly Admin)A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. |
|
| CVE-2026-20148 | Apr 15, 2026 |
Cisco ISE Authenticated HTTP Path TraversalA vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system and read arbitrary files. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system. |
|
| CVE-2026-20147 | Apr 15, 2026 |
Cisco ISE remote command injection privilege escalationA vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. |
|
| CVE-2026-20081 | Apr 15, 2026 |
Cisco Unity Connection arbitrary file download via web UI input sanitizationMultiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system. |
|
| CVE-2026-20078 | Apr 15, 2026 | Cisco Unity Connection Remote Authenticated File Download via Web Interface: Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system. |
| CVE-2026-20132 | Apr 15, 2026 | Cisco ISE Web UI XSS via insufficient sanitization: Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) attack or a reflected XSS attack against a user of the web-based management interface of an affected device. These vulnerabilities are due to insufficient sanitization of user-supplied data that is stored in the web page. An attacker could exploit these vulnerabilities by convincing a user of the interface to click a specific link or view an affected web page. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information. |
| CVE-2026-20090 | Apr 01, 2026 | Cisco IMC Web UI Stored XSS via Authenticated Admin: A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information. |
| CVE-2026-20089 | Apr 01, 2026 | Cisco IMC Web UI Stored XSS via Authenticated Admin: A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information. |
| CVE-2026-20087 | Apr 01, 2026 | Cisco IMC Web UI Stored XSS Enables Browser Script Exec (CVE-2026-20087): A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information. |
| CVE-2026-20088 | Apr 01, 2026 | Cisco IMC Web UI Authenticated Remote Stored XSS: A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information. |
| CVE-2026-20174 | Apr 01, 2026 | Auth RCE via Metadata Update in Cisco Nexus Dashboard Insights: A vulnerability in the Metadata update feature of Cisco Nexus Dashboard Insights could allow an authenticated, remote attacker to write arbitrary files to an affected system. This vulnerability is due to insufficient validation of the metadata update file. An attacker could exploit this vulnerability by crafting a metadata update file and manually uploading it to an affected device. A successful exploit could allow the attacker to write arbitrary files to the underlying operating system as the root user. To exploit this vulnerability, the attacker must have valid administrative credentials. Note: Manual uploading of metadata files is typical for Air-Gap environments but not for Cisco Intersight Cloud connected devices. However, the manual upload option exists for both deployments. |
| CVE-2026-20160 | Apr 01, 2026 | Cisco SSM On-Prem RCE via exposed internal API: A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This vulnerability is due to the unintentional exposure of an internal service. An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. |
| CVE-2026-20155 | Apr 01, 2026 | Cisco EPNM REST API Auth Bypass: View Sensitive Session Data: A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker with low privileges to access sensitive information that they are not authorized to access. This vulnerability is due to improper authorization checks on a REST API endpoint of an affected device. An attacker could exploit this vulnerability by querying the affected endpoint. A successful exploit could allow the attacker to view session information of active Cisco EPNM users, including users with administrative privileges, which could result in the affected device being compromised. |
| CVE-2026-20151 | Apr 01, 2026 | Privilege Escalation via Improper Credential Exposure in Cisco SSM On-Prem: A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit this vulnerability by sending a crafted message to an affected Cisco SSM On-Prem host and retrieving session credentials from subsequent status messages. A successful exploit could allow the attacker to elevate privileges on the affected system from low to administrative. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of System User. Note: This vulnerability exposes information only about users who logged in to the Cisco SSM On-Prem host using the web interface and who are currently logged in. SSH sessions are not affected. |
| CVE-2026-20096 | Apr 01, 2026 | Cisco IMC Web CLI Command Injection (CVE-2026-20096): A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with admin-level privileges to perform command injection attacks on an affected system and execute arbitrary commands as the root user. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as the root user. Cisco has assigned this vulnerability a Security Impact Rating (SIR) of High, rather than Medium as the score indicates, because additional security implications could occur once the attacker has become root. |
| CVE-2026-20097 | Apr 01, 2026 | Cisco IMC Web Mgt Interface RCE (CVE-2026-20097): A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with admin-level privileges to execute arbitrary code as the root user. This vulnerability is due to improper validation of user-supplied input to the web-based management interface. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user. Cisco has assigned this vulnerability a SIR of High rather than Medium as the score indicates because additional security implications could occur when the attacker becomes root. |
| CVE-2026-20094 | Apr 01, 2026 | Cisco IMC Authenticated Remote Cmd Injection via Web UI (Read-Only Privilege): A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with read-only privileges to perform command injection attacks on an affected system and execute arbitrary commands as the root user. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as the root user. |
| CVE-2026-20095 | Apr 01, 2026 | Command Injection in Cisco IMC Web UI (CVE-2026-20095): A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with admin-level privileges to perform command injection attacks on an affected system and execute arbitrary commands as the root user. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as the root user. Cisco has assigned this vulnerability a Security Impact Rating (SIR) of High, rather than Medium as the score indicates, because additional security implications could occur once the attacker has become root. |
| CVE-2026-20093 | Apr 01, 2026 | Cisco IMC Auth Bypass via Password Change Exploit: A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user. |
| CVE-2026-20085 | Apr 01, 2026 | Reflected XSS in Cisco IMC Web Interface: A vulnerability in the web-based management interface of Cisco IMC could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information. |
| CVE-2026-20042 | Apr 01, 2026 | Root RCE via Cisco Nexus Dashboard Backup Auth Leak (CVE-2026-20042): A vulnerability in the configuration backup feature of Cisco Nexus Dashboard could allow an attacker who has the encryption password and access to Full or Config-only backup files to access sensitive information. This vulnerability exists because authentication details are included in the encrypted backup files. An attacker with a valid backup file and encryption password from an affected device could decrypt the backup file. The attacker could then use the authentication details in the backup file to access internal-only APIs on the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as the root user. |
| CVE-2026-20041 | Apr 01, 2026 | Cisco Nexus Dashboard SSRF via HTTP input validation: A vulnerability in Cisco Nexus Dashboard and Cisco Nexus Dashboard Insights could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by persuading an authenticated user of the device management interface to click a crafted link. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device to an attacker-controlled server. The attacker could then execute arbitrary script code in the context of the affected interface or access sensitive browser-based information. |
| CVE-2026-20108 | Mar 25, 2026 | Cisco SDWAN Manager Authenticated XSS in Web UI: A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. |
| CVE-2026-20112 | Mar 25, 2026 | Cisco IOS XE XSS in Web-Based Management Interface: A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. |
| CVE-2026-20113 | Mar 25, 2026 | Cisco IOS XE CRLF Injection in IOx Management Interface: A vulnerability in the web-based Cisco IOx application hosting environment management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a carriage return line feed (CRLF) injection attack against a user. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by sending crafted packets to an affected device. A successful exploit could allow the attacker to arbitrarily inject log entries, manipulate the structure of log files, or obscure legitimate log events. |
| CVE-2026-20114 | Mar 25, 2026 | Privilege Escalation via Lobby Ambassador API in Cisco IOS XE: A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that would not normally be available for Lobby Ambassador users. This vulnerability exists because parameters that are received by an API endpoint are not sufficiently validated. An attacker could exploit this vulnerability by authenticating as a Lobby Ambassador user and sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to create a new user with privilege level 1 access to the web-based management API. The attacker would then be able to access the device with these new credentials and privileges. |
| CVE-2026-20115 | Mar 25, 2026 | Cisco Meraki IOS XE Remote Config Leak via Insecure Tunnel: A vulnerability in Cisco IOS XE Software for Cisco Meraki could allow a remote, unauthenticated attacker to view confidential device information. This vulnerability is due to a device configuration upload being performed over an insecure tunnel. An attacker could exploit this vulnerability by conducting an on-path attack between the affected device and the Cisco Meraki Dashboard. A successful exploit could allow the attacker to view sensitive device configuration information. |
| CVE-2026-20083 | Mar 25, 2026 | SCP Server DoS via Malformed SSH on Cisco IOS XE: A vulnerability in the Secure Copy Protocol (SCP) server feature of Cisco IOS XE Software could allow an authenticated, local attacker with low privileges to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of a malformed SCP request. An attacker could exploit this vulnerability by issuing a crafted command through SSH. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. |
| CVE-2026-20110 | Mar 25, 2026 | Cisco IOS XE CLI DoS via start maintenance cmd: A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability exists because incorrect privileges are associated with the start maintenance command. An attacker could exploit this vulnerability by accessing the management CLI of the affected device as a low-privileged user and using the start maintenance command. A successful exploit could allow the attacker to put the device in maintenance mode, which shuts down interfaces, resulting in a denial of service (DoS) condition. In case of exploitation, a device administrator can connect to the CLI and use the stop maintenance command to restore operations. |