Regulatory Triage ICT Providers

Cisco

Network & Security

Period: 7d 14d 30d 90d

Open CVEs

Exploited

KEV

Unpatched

No Workaround

Internet-facing

Why this provider is risky now

This provider has 29 open CVE(s) in the last 30 days. 29 have no vendor patch. 17 affect internet-facing services. 1 impact the management/identity plane.

29 Unpatched 1 Mgmt / Admin Plane 1 Public PoC 11 No Workaround 17 Internet-facing

Top Risky CVEs

CVE-2026-20160

Act Now

Unpatched

Remote code execution in Cisco Smart Software Manager On-Prem allows unauthenticated attackers to execute arbitrary commands with root privileges via an exposed internal service API. The vulnerability stems from unintentional exposure of an internal service that accepts crafted API requests, enabling full system compromise. With a CVSS score of 9.8 and complete attack vector accessibility over the network requiring no authentication or user interaction, this represents a critical security exposure for organizations using SSM On-Prem for Cisco software license management, though no public exploit identified at time of analysis.

Within 24 hours: Identify all Cisco SSM On-Prem instances in your environment and isolate from untrusted networks; document current versions. Within 7 days: Implement network segmentation restricting SSM On-Prem API access to authorized administrator networks only; enable comprehensive logging and monitoring of all API requests; review access logs for suspicious activity. Within 30 days: Monitor Cisco security advisories for patch release and apply immediately upon availability; contact Cisco support for workaround guidance specific to your deployment; evaluate temporary migration of license management functions to alternative systems if available.

ICT dependency No patch available

Why flagged?

NIS2 Relevant

• CRITICAL severity
• Third-party ICT: Cisco
• No patch available
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• CRITICAL severity
• ICT provider: Cisco (Network & Security)
• No remediation available

9.8

CVSS

0.2%

EPSS

Priority

CVE-2026-20093

Act Now

Unpatched

Authentication bypass in Cisco Integrated Management Controller (IMC) allows unauthenticated remote attackers to gain administrative access by exploiting improper password change request handling. Affected products include Cisco Enterprise NFV Infrastructure Software, Unified Computing System (Standalone), and UCS E-Series Software. The attacker can alter any user's password, including Admin accounts, and take full control of the management interface. CVSS 9.8 (Critical) with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, though EPSS data not available for comprehensive risk assessment.

Within 24 hours: Identify and inventory all Cisco IMC instances (Enterprise NFV Infrastructure, UCS Standalone, UCS E-Series) in your environment and isolate affected devices from untrusted networks; restrict management access to administrative networks only via firewall rules. Within 7 days: Contact Cisco support for patch availability and timeline, as no vendor-released patch is currently identified; implement network segmentation restricting management traffic to jump hosts with multi-factor authentication. Within 30 days: Apply vendor-released patch immediately upon availability; conduct password audit of all affected IMC administrative accounts and force reset of all credentials post-remediation.

Edge exposure ICT dependency No patch available PoC

Why flagged?

NIS2 Relevant

• CRITICAL severity
• Internet-facing (CWE-20: Improper Input Validation)
• Third-party ICT: Cisco
• Proof of concept available
• No patch available
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• CRITICAL severity
• ICT provider: Cisco (Network & Security)
• No remediation available

9.8

CVSS

0.0%

EPSS

Priority

CVE-2026-20094

This Week

Unpatched

Command injection in Cisco Integrated Management Controller (IMC) web interface allows authenticated attackers with read-only privileges to execute arbitrary commands as root. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only low-privilege authentication, with no public exploit identified at time of analysis. EPSS data not provided; CVE-2026 prefix suggests future disclosure.

Within 24 hours: Inventory all Cisco IMC instances in production and identify current firmware versions; restrict network access to IMC web interfaces to administrative jump hosts only. Within 7 days: Disable or isolate IMC instances not in active use; implement network segmentation to limit lateral movement from compromised IMC systems. Within 30 days: Monitor Cisco security advisories for patch availability and test in non-production environment immediately upon release; plan emergency patching schedule with change management.

Edge exposure ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Internet-facing (CWE-77: Command Injection)
• Third-party ICT: Cisco
• No patch available
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• No remediation available

8.8

CVSS

0.3%

EPSS

Priority

CVE-2026-20084

This Week

Unpatched

Improper BOOTP packet handling in Cisco IOS XE Software on Catalyst 9000 Series Switches allows unauthenticated remote attackers to trigger VLAN leakage and cause device unavailability through resource exhaustion. An attacker can send crafted BOOTP requests to forward packets across VLANs, leading to high CPU utilization that renders the switch unreachable and unable to process traffic. No patch is currently available for this denial-of-service vulnerability.

Within 24 hours: Inventory all Cisco Catalyst 9000 Series Switches in production and verify current IOS XE versions; enable detailed logging on DHCP snooping events and implement BOOTP rate-limiting at network edge. Within 7 days: Deploy network segmentation to restrict BOOTP packet forwarding across VLANs; disable DHCP snooping on non-essential VLANs if business operations permit; establish baseline CPU utilization metrics for early anomaly detection. Within 30 days: Coordinate with Cisco for patch availability and test in lab environment; evaluate alternative switching vendors if patch timeline is unacceptable; implement enhanced monitoring for sustained CPU spikes and VLAN isolation bypass attempts.

ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Third-party ICT: Cisco, Apple
• No patch available
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• ICT provider: Apple (Operating Systems)
• No remediation available

8.6

CVSS

0.1%

EPSS

Priority

CVE-2026-20086

This Week

Unpatched

This is a denial of service vulnerability in Cisco IOS XE Wireless Controller Software for the Catalyst CW9800 Family caused by improper handling of malformed CAPWAP (Control and Provisioning of Wireless Access Points) packets. The vulnerability affects multiple versions of Cisco IOS XE Software in the 17.14.x through 17.18.x release trains. An unauthenticated remote attacker can exploit this to cause the wireless controller to reload unexpectedly, resulting in complete network disruption with a high severity CVSS score of 8.6.

Within 24 hours: Identify all CW9800 controllers in production and document their software versions; establish incident response procedures for unexpected controller failures. Within 7 days: Implement network segmentation to restrict CAPWAP traffic sources; enable detailed logging and monitoring of controller behavior; evaluate temporary workarounds with Cisco support. Within 30 days: Test and prepare for immediate deployment once Cisco releases patches; consider temporary deployment of alternative wireless infrastructure if risk tolerance is low.

ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Third-party ICT: Cisco, Apple
• No patch available
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• ICT provider: Apple (Operating Systems)
• No remediation available

8.6

CVSS

0.1%

EPSS

Priority

CVE-2026-20012

This Week

Unpatched

A denial of service vulnerability in the Internet Key Exchange (CVSS 8.6). High severity vulnerability requiring prompt remediation.

Within 24 hours: inventory all Cisco IOS, IOS XE, ASA, and FTD devices and confirm affected versions against Cisco's advisory; enable syslog alerting for unexpected device reloads and memory exhaustion warnings. Within 7 days: implement network segmentation to restrict IKEv2 access to trusted sources only and disable IKEv2 on non-essential devices; establish incident response runbooks for rapid device recovery. Within 30 days: evaluate Cisco's security patches as they become available and establish a phased deployment schedule; consider alternative VPN endpoints or vendors for critical remote access if patches remain unavailable.

ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Third-party ICT: Cisco, Apple
• No patch available
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• ICT provider: Apple (Operating Systems)
• No remediation available

8.6

CVSS

0.1%

EPSS

Priority

CVE-2026-20155

This Week

Unpatched

Improper authorization in Cisco EPNM's REST API allows authenticated low-privilege attackers to access active user session data, including administrative credentials, enabling full device compromise. The vulnerability (CWE-862: Missing Authorization) affects the web management interface with CVSS 8.0 severity. Authentication is required (PR:L) but exploitation complexity is low once authenticated. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE identifier.

Within 24 hours: Identify all Cisco EPNM instances in your environment and document active user accounts with API access; rotate all administrative credentials managed through EPNM. Within 7 days: Restrict REST API access to high-privilege accounts only; implement network segmentation to limit EPNM management interface access to trusted administrator networks; enable audit logging for all REST API calls. Within 30 days: Contact Cisco for patch timeline and interim security guidance; evaluate replacing EPNM with alternative network management solutions if patch is not released; conduct access review of all EPNM user accounts to revoke unnecessary API permissions.

Edge exposure ICT dependency No patch available Management plane

Why flagged?

NIS2 Relevant

• HIGH severity
• Internet-facing technique: authentication-bypass
• Third-party ICT: Cisco
• No patch available
• Management plane (Missing Authorization)
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• No remediation available
• Authentication / access control weakness

8.0

CVSS

0.1%

EPSS

Priority

CVE-2026-20125

This Week

Unpatched

HTTP Server input validation failures in Cisco IOS and IOS XE Release 3E enable authenticated remote attackers to trigger device reloads via malformed requests, causing denial of service. An attacker with valid credentials can exploit improper input handling to exhaust watchdog timers and force unexpected system restarts. No patch is currently available for this vulnerability affecting Cisco and Apple products.

Within 24 hours: Inventory all Cisco IOS/IOS XE devices and identify which are running vulnerable versions listed in ENISA EUVD-2026-15449. Within 7 days: Implement network access controls to restrict HTTP server access to trusted administrative networks only; disable HTTP if HTTPS alternatives exist. Within 30 days: Evaluate and plan migration to patched software versions as they become available; conduct security review of administrative credential management and access logs for suspicious activity.

ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Third-party ICT: Cisco, Apple
• No patch available
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• ICT provider: Apple (Operating Systems)
• No remediation available

7.7

CVSS

0.1%

EPSS

Priority

CVE-2026-20004

This Week

Unpatched

Memory exhaustion in Cisco IOS XE and Apple devices via improper TLS resource handling allows adjacent attackers to trigger denial of service by repeatedly initiating failed authentication or manipulating TLS connections. An unauthenticated attacker can exploit this by resetting TLS sessions or abusing EAP authentication mechanisms to deplete device memory without requiring network access from the internet. Successful exploitation renders affected devices unresponsive, with no patch currently available.

Within 24 hours: Inventory all Cisco IOS XE devices and determine exposure; disable EAP authentication where not operationally critical. Within 7 days: Implement network segmentation to restrict adjacent network access to affected devices; deploy monitoring for repeated TLS connection failures. Within 30 days: Evaluate firmware upgrade paths to non-vulnerable versions; coordinate with Cisco for patch timeline and interim security guidance.

ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Third-party ICT: Cisco, Apple
• No patch available
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• ICT provider: Apple (Operating Systems)
• No remediation available

7.4

CVSS

0.0%

EPSS

Priority

CVE-2026-20151

This Week

Unpatched

Privilege escalation in Cisco Smart Software Manager On-Prem (SSM On-Prem) web interface allows authenticated remote attackers with System User role to gain administrative access by intercepting session credentials from status messages. CVSS 7.3 (High severity) with network attack vector, low complexity, and requires low privileges plus user interaction. No public exploit code or active exploitation confirmed at time of analysis (EPSS data not provided).

Within 24 hours: Inventory all Cisco SSM On-Prem deployments and identify System User accounts; restrict System User role assignments to essential personnel only and review recent access logs for suspicious activity. Within 7 days: Contact Cisco support for patch availability timeline and interim security guidance; implement network segmentation to limit SSM On-Prem web interface access to trusted administrative networks only. Within 30 days: Apply vendor patch immediately upon release; conduct full access review and reset credentials for all System User accounts as a precautionary measure.

ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Third-party ICT: Cisco
• No patch available
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• No remediation available

7.3

CVSS

0.0%

EPSS

Priority

By Exposure

Internet-facing

Mgmt / Admin Plane

Identity / Auth

Internal only

By Exploitability

Known exploited

Public PoC

High EPSS (>30%)

Remote unauthenticated

Local only

By Remediation

Patch available

No patch

Workaround available

No workaround

Affected Services / Product Families

Cisco

29 CVE(s)

CVE-2026-20004 HIGH Unpatched

CVE-2026-20012 HIGH Unpatched

CVE-2026-20083 MEDIUM Unpatched

CVE-2026-20084 HIGH Unpatched

CVE-2026-20086 HIGH Unpatched

CVE-2026-20104 MEDIUM Unpatched

CVE-2026-20108 MEDIUM Unpatched

CVE-2026-20110 MEDIUM Unpatched

CVE-2026-20112 MEDIUM Unpatched

CVE-2026-20113 MEDIUM Unpatched

+ 19 more

Recommended Actions

Evaluate compensating controls for 11 unpatched CVE(s) with no workaround Review WAF/firewall rules for 17 internet-facing CVE(s) Audit authentication and access control for 1 management-plane CVE(s) Escalate to Cisco – patch rate is 0% Track Cisco vendor advisories for remediation timeline