Skip to main content

Cisco CVE-2026-20104

| EUVDEUVD-2026-15435 MEDIUM
Buffer Underwrite ('Buffer Underflow') (CWE-124)
2026-03-25 cisco GHSA-38h5-57rq-7mj8
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:16 euvd
EUVD-2026-15435
Analysis Generated
Mar 25, 2026 - 16:16 vuln.today
CVE Published
Mar 25, 2026 - 16:05 nvd
MEDIUM 6.1

DescriptionCVE.org

A vulnerability in the bootloader of Cisco IOS XE Software for Cisco Catalyst 9200 Series Switches, Cisco Catalyst ESS9300 Embedded Series Switches, Cisco Catalyst IE9310 and IE9320 Rugged Series Switches, and Cisco IE3500 and IE3505 Rugged Series Switches could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute arbitrary code at boot time and break the chain of trust. This vulnerability is due to insufficient validation of software at boot time. An attacker could exploit this vulnerability by manipulating the loaded binaries on an affected device to bypass some of the integrity checks that are performed during the boot process. A successful exploit could allow the attacker to execute code that bypasses the requirement to run Cisco-signed images. Cisco has assigned this security advisory a Security Impact Rating (SIR) of High rather than Medium as the score indicates because this vulnerability allows an attacker to bypass a major security feature of a device.

AnalysisAI

This vulnerability in Cisco IOS XE Software bootloader affects Catalyst 9200, ESS9300, IE9310/9320, and IE3500/3505 series switches, allowing authenticated local attackers with level-15 privileges or unauthenticated attackers with physical access to execute arbitrary code at boot time and bypass the chain of trust. An attacker can manipulate loaded binaries to circumvent integrity checks during boot, enabling execution of non-Cisco-signed images. While the CVSS score is 6.1 (Medium), Cisco assigned it a High Security Impact Rating due to the critical nature of breaking the secure boot mechanism, a foundational security control.

Technical ContextAI

This vulnerability exists in the bootloader validation logic of Cisco IOS XE Software, classified under CWE-124 (Buffer Underflow), which relates to insufficient validation of software integrity at boot time. The affected products (identified via CPE cpe:2.3:a:cisco:cisco_ios_xe_software) span multiple hardware platforms including modular switches (Catalyst 9200 series), embedded switches (ESS9300), and rugged industrial switches (IE9310, IE9320, IE3500, IE3505). The bootloader performs integrity checks using cryptographic signatures to enforce that only Cisco-signed binaries execute. The vulnerability stems from incomplete validation logic that allows manipulation of binaries in storage to bypass signature verification, fundamentally undermining the secure boot chain of trust that prevents unauthorized code execution at the lowest privilege level of the device.

RemediationAI

Immediately consult the Cisco Security Advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xe-secureboot-bypass-B6uYxYSZ) for patched IOS XE versions specific to your hardware platform and current software train. Upgrade to a confirmed patched release for your Catalyst or IE series switch as recommended by Cisco. Until patching is feasible, implement compensating controls: restrict physical access to affected switches to authorized personnel only, enforce strong authentication and authorization for administrative access (enforce level-15 privilege requirements), disable unnecessary local access ports, monitor for unauthorized binary modifications through file integrity checking tools, and consider network segmentation to limit exposure of compromised switches to critical systems. For supply-chain security, verify that replacement or pre-staged devices are running patched firmware versions before deployment.

Share

CVE-2026-20104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy