Regulatory Triage ICT Providers

Cisco

Network & Security

Period: 7d 14d 30d 90d

Open CVEs

Exploited

KEV

Unpatched

No Workaround

Internet-facing

Why this provider is risky now

This provider has 20 open CVE(s) in the last 30 days. 1 listed in CISA KEV (known exploited). 20 have no vendor patch. 12 affect internet-facing services. 6 impact the management/identity plane.

1 KEV 1 Exploited 20 Unpatched 6 Mgmt / Admin Plane 2 Public PoC 12 No Workaround 12 Internet-facing

Top Risky CVEs

CVE-2026-20182

Emergency

Unpatched

Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) to obtain administrative privileges and manipulate network configurations across the entire SD-WAN fabric. This critical authentication bypass (CVSS 10.0) allows direct NETCONF access as a high-privileged internal user without any credentials. Cisco released fixes in May 2026 following discovery of this second authentication flaw after a February 2026 disclosure of a related vulnerability. No active exploitation confirmed in CISA KEV at time of analysis, though the maximum CVSS score and authentication bypass nature make this a priority patching target for SD-WAN deployments.

Within 24 hours: Identify and inventory all Cisco Catalyst vSmart Controllers and vManage instances in production. Within 7 days: Implement network-level access controls to restrict NETCONF traffic (port 830) to authorized management stations only; monitor authentication logs for failed peering attempts. Within 30 days: Apply Cisco's May 2026 security update patches immediately upon availability; verify successful deployment across all vSmart and vManage systems.

Edge exposure ICT dependency Active exploitation No patch available Management plane KEV PoC

Why flagged?

NIS2 Relevant

• CRITICAL severity
• Internet-facing (CWE-287: Improper Authentication)
• Third-party ICT: Cisco
• Exploited in the wild (CISA KEV)
• No patch available
• Management plane (Improper Authentication)
• Strong evidence (KEV / high EPSS / multi-source)

DORA Relevant

• CRITICAL severity
• ICT provider: Cisco (Network & Security)
• Known exploited vulnerability (KEV)
• No remediation available
• Authentication / access control weakness

10.0

CVSS

1.6%

EPSS

127

Priority

CVE-2026-20223

Act Now

Unpatched

Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.

Within 24 hours: Inventory all Cisco Secure Workload deployments and versions; disable or restrict network access to internal REST API endpoints from untrusted sources; enable detailed logging of API requests and administrative actions. Within 7 days: Implement network segmentation isolating management interfaces to trusted networks only; deploy API gateway or WAF to enforce additional authentication layers on admin endpoints; conduct access log review for indicators of compromise. Within 30 days: Monitor Cisco security advisories for patch release; establish emergency patching procedure; test patched version in non-production environment; deploy patch to production immediately upon validation.

Edge exposure ICT dependency No patch available Management plane

Why flagged?

NIS2 Relevant

• CRITICAL severity
• Internet-facing (CWE-306: Missing Authentication for Critical Function)
• Third-party ICT: Cisco
• No patch available
• Management plane (Missing Authentication for Critical Function)
• Moderate evidence (PoC / elevated EPSS)

DORA Relevant

• CRITICAL severity
• ICT provider: Cisco (Network & Security)
• No remediation available
• Authentication / access control weakness

10.0

CVSS

0.0%

EPSS

Priority

CVE-2026-20034

This Week

Unpatched

Remote code execution in Cisco Unity Connection allows authenticated remote attackers with low-privilege credentials to execute arbitrary code as root via crafted API requests to the web management interface. Successful exploitation enables complete device compromise. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit code or active exploitation confirmed at time of analysis. EPSS data not available in provided intelligence.

Within 24 hours: Inventory all Cisco Unity Connection deployments and document current versions; restrict API access to Unity Connection management interfaces via network segmentation and firewall rules. Within 7 days: Audit low-privilege user accounts with API access and disable unnecessary credentials; implement IP whitelisting for administrative access. Within 30 days: Contact Cisco support for patch availability status; evaluate migration to patched versions once released; implement enhanced monitoring for anomalous API requests to management endpoints.

Edge exposure ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Internet-facing technique: rce
• Third-party ICT: Cisco
• No patch available
• Moderate evidence (PoC / elevated EPSS)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• No remediation available

8.8

CVSS

0.4%

EPSS

Priority

CVE-2026-20224

This Week

Unpatched

Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files via XML External Entity (XXE) injection in the web UI. The vulnerability affects the management interface with network-accessible attack vector, low complexity, and no required privileges (CVSS 8.6). Attackers can extract sensitive configuration files, credentials, and operational data from the SD-WAN management platform. EPSS data not provided; exploitation status unknown but the unauthenticated remote vector and publicly disclosed Cisco advisory elevate real-world risk for internet-exposed instances.

Within 24 hours: Identify all Cisco Catalyst SD-WAN Manager instances accessible from untrusted networks using asset inventory and network scans; document current versions and access controls. Within 7 days: Restrict network access to the SD-WAN management interface to trusted administrative networks only via firewall rules; enable authentication enforcement if available in your deployment version. Within 30 days: Monitor Cisco security advisories for patch availability and apply immediately upon release; conduct forensic review of management interface logs for evidence of unauthorized file access attempts.

Edge exposure ICT dependency No patch available

Why flagged?

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• No remediation available

8.6

CVSS

0.0%

EPSS

Priority

CVE-2026-20167

This Week

Unpatched

Cisco IoT Field Network Director enables authenticated remote attackers with low-level privileges to crash remotely managed routers by submitting crafted requests through the web-based management interface. The vulnerability causes improper error handling that allows requesting unauthorized files from managed routers, forcing them to reload and creating a denial-of-service condition (CVSS 7.7, Changed Scope). No public exploit or active exploitation reported at time of analysis.

Within 24 hours: Inventory all Cisco IoT Field Network Director instances and document managed router deployments; restrict web management interface access to administrative networks only and review user privilege assignments to limit low-privilege accounts. Within 7 days: Implement network segmentation to isolate Field Network Director management traffic; enable detailed logging of web interface activity and monitor for suspicious requests. Within 30 days: Contact Cisco for patch availability and test in non-production environment; evaluate alternative management solutions or air-gap critical IoT infrastructure pending patch release.

Edge exposure ICT dependency No patch available Management plane

Why flagged?

NIS2 Relevant

• HIGH severity
• Internet-facing technique: authentication-bypass
• Third-party ICT: Cisco
• No patch available
• Management plane (Improper Access Control)
• Moderate evidence (PoC / elevated EPSS)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• No remediation available
• Authentication / access control weakness

7.7

CVSS

0.1%

EPSS

Priority

CVE-2026-20185

This Week

Unpatched

Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication.

Within 24 hours: Identify all SG350/SG350X switches in your environment and document SNMP configurations; disable SNMP if not operationally required, or restrict SNMP access to trusted management networks only via ACLs. Within 7 days: Audit SNMP community strings (v1/v2c) and user credentials (v3) to ensure they are strong and rotated; implement network segmentation to prevent untrusted hosts from reaching SNMP ports (UDP 161). Within 30 days: Monitor Cisco security advisories (cisco-sa-sg350-snmp-dos-GEFZr2Tj) for patch availability; test and deploy vendor patch immediately upon release; consider switch replacement or upgrade if patch timeline is unacceptable for your risk tolerance.

ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Third-party ICT: Cisco
• No patch available
• Moderate evidence (PoC / elevated EPSS)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• No remediation available

7.7

CVSS

0.2%

EPSS

Priority

CVE-2026-20188

This Week

Unpatched

Denial of service in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) allows remote unauthenticated attackers to exhaust connection resources by flooding the system with connection requests, forcing a manual reboot to restore service. CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, and EPSS data not available. The vulnerability stems from inadequate rate-limiting on incoming connections (CWE-400), affecting critical network orchestration infrastructure used for automation and service provisioning.

Within 24 hours: Identify all Cisco CNC and NSO deployments in your infrastructure and document current versions. Within 7 days: Implement network-level rate-limiting on connections to CNC and NSO management interfaces using firewall rules, WAF, or load balancer connection throttling; restrict access to these systems to authorized administrative networks only via ACLs. Within 30 days: Monitor vendor security advisories for patch availability and maintain continuous rate-limiting controls; conduct tabletop exercise on manual reboot procedures to reduce restoration time.

ICT dependency No patch available PoC

Why flagged?

NIS2 Relevant

• HIGH severity
• Third-party ICT: Cisco
• Proof of concept available
• No patch available
• Moderate evidence (PoC / elevated EPSS)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• No remediation available

7.5

CVSS

0.1%

EPSS

Priority

CVE-2026-20035

This Week

Unpatched

Server-Side Request Forgery (SSRF) in Cisco Unity Connection Web Inbox allows remote unauthenticated attackers to send arbitrary network requests sourced from the vulnerable server. The vulnerability affects the web UI component and requires no authentication, privileges, or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), enabling attackers to abuse the server's network position for internal network reconnaissance, service enumeration, or attacks against backend systems. The changed scope (S:C) indicates impact extends beyond the vulnerable component to other network resources accessible from the Unity Connection server.

Within 24 hours: Identify and inventory all Cisco Unity Connection deployments and document their network position and connected backend systems. Within 7 days: Apply network segmentation to isolate Unity Connection Web Inbox from internal resources; implement egress filtering to restrict outbound connections from the server; monitor for suspicious outbound network activity. Within 30 days: Contact Cisco for patch availability and apply immediately upon release; alternatively, evaluate migration to patched versions or replacement solutions if no timeline is provided by vendor.

Edge exposure ICT dependency No patch available

Why flagged?

NIS2 Relevant

• HIGH severity
• Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
• Third-party ICT: Cisco
• No patch available
• Moderate evidence (PoC / elevated EPSS)

DORA Relevant

• HIGH severity
• ICT provider: Cisco (Network & Security)
• No remediation available

7.2

CVSS

0.0%

EPSS

Priority

CVE-2026-20171

This Month

Unpatched

BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact.

ICT dependency

Why flagged?

6.8

CVSS

0.0%

EPSS

Priority

CVE-2026-20168

This Month

Unpatched

Authenticated remote attackers with low privileges can read arbitrary files via insufficient access controls in the web-based management interface of Cisco IoT Field Network Director. Exploitation requires valid login credentials and submission of crafted input through the management UI; successful attacks result in unauthorized file disclosure but do not enable modification or system disruption. No public exploit code or active exploitation has been identified at time of analysis.

ICT dependency

Why flagged?

6.5

CVSS

0.0%

EPSS

Priority

By Exposure

Internet-facing

Mgmt / Admin Plane

Identity / Auth

Internal only

By Exploitability

Known exploited

Public PoC

High EPSS (>30%)

Remote unauthenticated

Local only

By Remediation

Patch available

No patch

Workaround available

No workaround

Affected Services / Product Families

Cisco

20 CVE(s)

CVE-2026-20034 HIGH Unpatched

CVE-2026-20035 HIGH Unpatched

CVE-2026-20167 HIGH Unpatched

CVE-2026-20168 MEDIUM Unpatched

CVE-2026-20169 MEDIUM Unpatched

CVE-2026-20172 MEDIUM Unpatched

CVE-2026-20185 HIGH Unpatched

CVE-2026-20188 HIGH PoC Unpatched

CVE-2026-20189 MEDIUM Unpatched

CVE-2026-20193 MEDIUM Unpatched

+ 10 more

Recommended Actions

Immediately patch or isolate 1 CVE(s) listed in CISA KEV Evaluate compensating controls for 12 unpatched CVE(s) with no workaround Review WAF/firewall rules for 12 internet-facing CVE(s) Audit authentication and access control for 6 management-plane CVE(s) Escalate to Cisco – patch rate is 0% Track Cisco vendor advisories for remediation timeline