Skip to main content
Regulatory Triage ICT Providers

Cisco

Network & Security

Period: 7d 14d 30d 90d
120
Open CVEs
2
Exploited
2
KEV
119
Unpatched
38
No Workaround
58
Internet-facing

Why this provider is risky now

This provider has 120 open CVE(s) in the last 90 days. 2 listed in CISA KEV (known exploited). 119 have no vendor patch. 58 affect internet-facing services. 12 impact the management/identity plane.

2 KEV 2 Exploited 119 Unpatched 12 Mgmt / Admin Plane 5 Public PoC 38 No Workaround 58 Internet-facing

Top Risky CVEs

CVE-2026-20131
Emergency
Unpatched
Cisco Secure Firewall Management Center (FMC) contains a critical unauthenticated Java deserialization vulnerability (CVE-2026-20131, CVSS 10.0) in its web interface that enables remote code execution as root. KEV-listed with public PoC, this vulnerability allows complete compromise of the central management platform that controls all Cisco firewalls in the organization, enabling attackers to modify security policies, disable protections, and access all network traffic.
Within 24 hours: Isolate affected FMC instances from untrusted networks and restrict management interface access to authorized IP ranges only. Within 7 days: Implement network segmentation to limit FMC exposure and conduct forensic review of access logs for exploitation attempts. Within 30 days: Deploy alternative management infrastructure or migrate to patched version immediately upon availability; monitor Cisco security advisories for patch release.
Edge exposure ICT dependency Active exploitation No patch available KEV PoC
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-502: Deserialization of Untrusted Data)
  • Third-party ICT: Cisco
  • Exploited in the wild (CISA KEV)
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • Known exploited vulnerability (KEV)
  • No remediation available
10.0
CVSS
0.6%
EPSS
141
Priority
CVE-2026-20182
Emergency
Unpatched
Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) to obtain administrative privileges and manipulate network configurations across the entire SD-WAN fabric. This critical authentication bypass (CVSS 10.0) allows direct NETCONF access as a high-privileged internal user without any credentials. Cisco released fixes in May 2026 following discovery of this second authentication flaw after a February 2026 disclosure of a related vulnerability. No active exploitation confirmed in CISA KEV at time of analysis, though the maximum CVSS score and authentication bypass nature make this a priority patching target for SD-WAN deployments.
Within 24 hours: Identify and inventory all Cisco Catalyst vSmart Controllers and vManage instances in production. Within 7 days: Implement network-level access controls to restrict NETCONF traffic (port 830) to authorized management stations only; monitor authentication logs for failed peering attempts. Within 30 days: Apply Cisco's May 2026 security update patches immediately upon availability; verify successful deployment across all vSmart and vManage systems.
Edge exposure ICT dependency Active exploitation No patch available Management plane KEV PoC
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-287: Improper Authentication)
  • Third-party ICT: Cisco
  • Exploited in the wild (CISA KEV)
  • No patch available
  • Management plane (Improper Authentication)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • Known exploited vulnerability (KEV)
  • No remediation available
  • Authentication / access control weakness
10.0
CVSS
1.6%
EPSS
127
Priority
CVE-2026-20079
Emergency
Unpatched
Unauthenticated auth bypass in Cisco FMC web interface. CVSS 10.0.
Within 24 hours: Isolate affected FMC instances from untrusted networks and restrict administrative access to authorized personnel only. Within 7 days: Implement network segmentation to limit FMC exposure, enable comprehensive logging and monitoring for suspicious activity, and contact Cisco for interim security guidance. Within 30 days: Develop and test a migration plan to patched versions when available, and conduct forensic analysis for any unauthorized access indicators.
Edge exposure ICT dependency No patch available PoC
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Cisco
  • Proof of concept available
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • No remediation available
10.0
CVSS
0.2%
EPSS
90
Priority
CVE-2026-20223
Act Now
Unpatched
Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.
Within 24 hours: Inventory all Cisco Secure Workload deployments and versions; disable or restrict network access to internal REST API endpoints from untrusted sources; enable detailed logging of API requests and administrative actions. Within 7 days: Implement network segmentation isolating management interfaces to trusted networks only; deploy API gateway or WAF to enforce additional authentication layers on admin endpoints; conduct access log review for indicators of compromise. Within 30 days: Monitor Cisco security advisories for patch release; establish emergency patching procedure; test patched version in non-production environment; deploy patch to production immediately upon validation.
Edge exposure ICT dependency No patch available Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: Cisco
  • No patch available
  • Management plane (Missing Authentication for Critical Function)
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • No remediation available
  • Authentication / access control weakness
10.0
CVSS
0.0%
EPSS
50
Priority
CVE-2026-20147
Act Now
Unpatched
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vul
Edge exposure ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-77: Command Injection)
  • Third-party ICT: Cisco
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • No remediation available
9.9
CVSS
0.2%
EPSS
50
Priority
CVE-2026-20186
Act Now
Unpatched
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit
Edge exposure ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-77: Command Injection)
  • Third-party ICT: Cisco
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • No remediation available
9.9
CVSS
0.2%
EPSS
50
Priority
CVE-2026-20180
Act Now
Unpatched
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit
Edge exposure ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-22: Path Traversal)
  • Third-party ICT: Cisco
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • No remediation available
9.9
CVSS
0.2%
EPSS
50
Priority
CVE-2026-20160
Act Now
Unpatched
Remote code execution in Cisco Smart Software Manager On-Prem allows unauthenticated attackers to execute arbitrary commands with root privileges via an exposed internal service API. The vulnerability stems from unintentional exposure of an internal service that accepts crafted API requests, enabling full system compromise. With a CVSS score of 9.8 and complete attack vector accessibility over the network requiring no authentication or user interaction, this represents a critical security exposure for organizations using SSM On-Prem for Cisco software license management, though no public exploit identified at time of analysis.
Within 24 hours: Identify all Cisco SSM On-Prem instances in your environment and isolate from untrusted networks; document current versions. Within 7 days: Implement network segmentation restricting SSM On-Prem API access to authorized administrator networks only; enable comprehensive logging and monitoring of all API requests; review access logs for suspicious activity. Within 30 days: Monitor Cisco security advisories for patch release and apply immediately upon availability; contact Cisco support for workaround guidance specific to your deployment; evaluate temporary migration of license management functions to alternative systems if available.
ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: Cisco
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • No remediation available
9.8
CVSS
0.2%
EPSS
49
Priority
CVE-2026-20184
Act Now
Unpatched
A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service.
Edge exposure ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: Cisco
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • No remediation available
9.8
CVSS
0.1%
EPSS
49
Priority
CVE-2026-20093
Act Now
Unpatched
Authentication bypass in Cisco Integrated Management Controller (IMC) allows unauthenticated remote attackers to gain administrative access by exploiting improper password change request handling. Affected products include Cisco Enterprise NFV Infrastructure Software, Unified Computing System (Standalone), and UCS E-Series Software. The attacker can alter any user's password, including Admin accounts, and take full control of the management interface. CVSS 9.8 (Critical) with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, though EPSS data not available for comprehensive risk assessment.
Within 24 hours: Identify and inventory all Cisco IMC instances (Enterprise NFV Infrastructure, UCS Standalone, UCS E-Series) in your environment and isolate affected devices from untrusted networks; restrict management access to administrative networks only via firewall rules. Within 7 days: Contact Cisco support for patch availability and timeline, as no vendor-released patch is currently identified; implement network segmentation restricting management traffic to jump hosts with multi-factor authentication. Within 30 days: Apply vendor-released patch immediately upon availability; conduct password audit of all affected IMC administrative accounts and force reset of all credentials post-remediation.
Edge exposure ICT dependency No patch available PoC
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-20: Improper Input Validation)
  • Third-party ICT: Cisco
  • Proof of concept available
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: Cisco (Network & Security)
  • No remediation available
9.8
CVSS
0.0%
EPSS
49
Priority

By Exposure

Internet-facing
58
Mgmt / Admin Plane
12
Identity / Auth
7
Internal only
59

By Exploitability

Known exploited
2
Public PoC
5
High EPSS (>30%)
0
Remote unauthenticated
53
Local only
13

By Remediation

Patch available
1
No patch
119
Workaround available
81
No workaround
38

Affected Services / Product Families

Cisco
120 CVE(s)
CVE-2026-20005 MEDIUM Unpatched
CVE-2026-20001 MEDIUM Unpatched
CVE-2026-20002 HIGH Unpatched
CVE-2026-20003 MEDIUM Unpatched
CVE-2026-20006 MEDIUM Unpatched
CVE-2026-20007 MEDIUM Unpatched
CVE-2026-20008 MEDIUM Unpatched
CVE-2026-20009 MEDIUM Unpatched
CVE-2026-20013 MEDIUM Unpatched
CVE-2026-20014 HIGH Unpatched
+ 110 more

Recommended Actions

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy