Skip to main content

Cisco CVE-2026-20099

MEDIUM
OS Command Injection (CWE-78)
2026-02-25 psirt@cisco.com
6.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 25, 2026 - 17:25 nvd
MEDIUM 6.7

DescriptionCVE.org

A vulnerability in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker with administrative privileges to perform command injection attacks on an affected system and elevate privileges to root. 

This vulnerability is due to insufficient input validation of command arguments supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of the affected device with root-level privileges.

AnalysisAI

Insufficient input validation in Cisco FXOS and UCS Manager web interfaces enables authenticated administrators to inject arbitrary commands and achieve root-level code execution on affected systems. The vulnerability requires local access and valid admin credentials, allowing privileged attackers to bypass normal OS restrictions. No patch is currently available, and the lack of input sanitization on command arguments represents a critical privilege escalation vector for insider threats.

Technical ContextAI

Classified as CWE-78 (OS Command Injection). A vulnerability in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker with administrative privileges to perform command injection attacks on an affected system and elevate privileges to root. 

This vulnerability is due to insufficient input validation of command arguments supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input

Affected ProductsAI

Component: web-based management.

RemediationAI

Monitor vendor advisories for a patch.

Share

CVE-2026-20099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy