Skip to main content

Cisco SG350/SG350X CVE-2026-20185

| EUVDEUVD-2026-27857 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-06 cisco
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 17:31 vuln.today

DescriptionCVE.org

A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X) firmware could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. 

This vulnerability is due to improper error handling when parsing response data for a specific SNMP request. An attacker could exploit this vulnerability by sending a specific SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system.

AnalysisAI

Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication.

Technical ContextAI

This vulnerability affects the SNMP subsystem in Cisco Small Business 350 Series Managed Switches (SG350) and 350X Series Stackable Managed Switches (SG350X). The root cause is CWE-122 (Heap-based Buffer Overflow) occurring during SNMP response data parsing. When the SNMP agent processes certain malformed request types, improper error handling in the response parser leads to heap memory corruption. Unlike typical SNMP read-only vulnerabilities, this affects both read-only and read-write community string holders in SNMPv1/v2c deployments, as well as any valid SNMPv3 user regardless of privilege level. The vulnerability exists in the firmware's SNMP protocol stack across all three major SNMP versions, indicating a shared code path for response handling. The CPE identifier (cpe:2.3:a:cisco:cisco_small_business_smart_and_managed_switches) covers the entire Small Business switch product line, though the description specifically scopes this to SG350/SG350X models.

RemediationAI

Consult Cisco security advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sg350-snmp-dos-GEFZr2Tj for vendor-confirmed patch availability and exact fixed firmware versions for SG350 and SG350X switches. Apply the recommended firmware update as soon as operationally feasible following change control procedures. If immediate patching is not possible, implement these compensating controls: restrict SNMP access using management interface ACLs to permit only trusted monitoring systems and administrator workstations by IP address; rotate all SNMP community strings (SNMPv1/v2c) and SNMPv3 user credentials to strong, unique values not shared with other devices; migrate from SNMPv1/v2c to SNMPv3 with authentication and encryption (authPriv) to reduce credential exposure risk; disable SNMP entirely on switches where it is not operationally required for monitoring or management. These mitigations reduce attack surface but do not eliminate the vulnerability - authenticated attackers with legitimate access can still trigger the DoS condition. Network segmentation limiting SNMP access to dedicated management VLANs provides defense-in-depth but may conflict with distributed monitoring architectures.

Share

CVE-2026-20185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy