Cisco
Monthly
Denial of service in Cisco RoomOS software allows remote unauthenticated attackers to exhaust availability of affected collaboration endpoints and room-based video devices through improper handling of exceptional conditions (CWE-703). The issue was internally discovered by Cisco's RoomOS engineering team as part of a hardening release bundling multiple flaws under this identifier, carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), and has no public exploit identified at time of analysis. Note that the CVSS vector reflects availability-only impact even though a source tag labels it 'Information Disclosure,' a discrepancy defenders should verify against the Cisco advisory.
Remote denial of service in Cisco RoomOS software allows unauthenticated attackers to exhaust or corrupt a resource over the network, disrupting availability of Cisco collaboration room endpoints. Disclosed as part of a Cisco-internal security hardening review under the CWE-664 resource-lifetime pillar, the flaw carries a 7.5 CVSS score with an availability-only impact (C:N/I:N/A:H). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Cisco RoomOS software allows remote, unauthenticated attackers to disrupt device availability through improperly validated input, resulting in a high availability impact (CVSS 7.5). The flaw was internally discovered during a Cisco engineering security review and shipped in a software hardening release bundling multiple CWE-20 input-validation issues. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Sensitive information disclosure affects Cisco RoomOS software running on Cisco collaboration room endpoints, where missing encryption (CWE-311) exposes data to an attacker positioned on the adjacent network. An adjacent, unauthenticated attacker who can intercept or manipulate traffic could access confidential information and potentially tamper with it, though successful exploitation carries high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was internally discovered by Cisco's RoomOS engineering team during a proactive hardening review.
Memory-corruption vulnerabilities in Cisco RoomOS Software (the operating system on Cisco/Webex collaboration room endpoints) allow remote, unauthenticated attackers to trigger buffer-boundary violations that can compromise device confidentiality, integrity, and availability (CVSS 8.1). The flaws were internally discovered by Cisco's RoomOS engineering team during a proactive security review and are grouped under the CWE-119 buffer-error pillar; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. High attack complexity (AC:H) reduces the practical ease of exploitation despite the network-facing, no-privilege vector.
Path traversal in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows a remote, authenticated attacker with administrative credentials to read or delete arbitrary files on the underlying operating system via crafted HTTP requests. Successful exploitation could expose sensitive configuration or credential files, or trigger destructive deletion of system files. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the high confidentiality impact and the critical role ISE plays in enterprise network access control make this notable for environments running affected versions.
Privilege escalation via improper access control in Cisco RoomOS software allows an authenticated attacker with low-level privileges to gain full control over affected collaboration endpoints, with high impact to confidentiality, integrity, and availability. The issue was discovered internally by Cisco's RoomOS engineering team during a proactive security review and is one of several access-control weaknesses grouped under CVE-2026-20150 and resolved in a single hardening release. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
An OS command injection vulnerability exists in the sub_34984() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
Root-level OS command injection in Cisco RV130/RV130W (firmware 1.0.3.55) and RV110W (firmware 1.2.2.5/1.2.2.8) small-business routers lets an authenticated remote attacker run arbitrary commands via the unsanitized model_name parameter in the httpd binary's save_syslog_to_file() function. Because injected commands run as root, successful exploitation yields full device takeover. Publicly available exploit code exists (SSVC exploitation status: poc) but the flaw is not listed in CISA KEV.
Root-level OS command injection in Cisco RV130, RV130W, and RV110W small-business routers lets an authenticated remote administrator inject arbitrary shell commands through the wan_hostname parameter, which is passed unsanitized into the start_bonjour() routine of the 'rc' binary. Because the 'rc' process runs as root, successful exploitation yields full command execution and complete device takeover. Publicly available exploit details exist in an IoT vulnerability write-up; there is no evidence of active exploitation (not in CISA KEV) and no EPSS score was provided.
Arbitrary file read in Cisco Catalyst Center lets an unauthenticated, remote attacker retrieve files from a restricted container by sending a crafted HTTP request that abuses insufficient input validation (path traversal, CWE-22). Rated CVSS 7.5 (confidentiality-only impact), it exposes sensitive container-side data without any credentials or user interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Open redirect in the browser-based Cisco Webex App allowed unauthenticated remote attackers to redirect users to attacker-controlled websites by crafting malicious URLs with manipulated parameters. The vulnerability (CWE-601) stems from improper input validation of URL parameters in HTTP requests and scores CVSS 4.3 Medium (AV:N/AC:L/PR:N/UI:R). Cisco has fully remediated this server-side with no customer action required; no public exploit or CISA KEV listing exists at time of analysis.
Privilege escalation in the Cisco Umbrella Virtual Appliance vmadmin CLI enables an authenticated local attacker holding vmadmin-level credentials to elevate access to root on the affected device. The flaw, classified as CWE-269 (Improper Privilege Management), arises because the vmadmin CLI does not adequately validate or restrict specific commands that can be leveraged as a privilege escalation path. No public exploit code has been identified and the CVE is not listed in the CISA KEV catalog at time of analysis; the CVSS 6.0 Medium score reflects the high-privilege prerequisite that meaningfully constrains the realistic attacker pool.
Authenticated remote OS command injection in Cisco Crosswork Network Controller's web-based management interface allows a threat actor holding valid template user credentials with write permissions to execute arbitrary commands on the underlying operating system. The flaw resides in the configuration template engine, which fails to adequately validate attacker-supplied input before processing it, enabling CWE-74 injection. Impact is bounded to filesystem areas where the template user holds write access, reducing blast radius compared to full OS compromise; however, on a network automation controller, even scoped command execution can expose sensitive network configurations and automation workflows. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Information disclosure in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows unauthenticated remote attackers to retrieve sensitive data - including hashed credentials - by sending crafted traffic to an affected device. The root cause is missing authorization checks on a protected resource (CWE-285), making this an authentication-bypass-style information leak. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Authenticated remote command execution in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows administrators to run arbitrary OS commands and escalate to root via a crafted HTTP request. The flaw, tracked as CVE-2026-20181 and reported by Cisco with a CVSS 3.1 score of 9.1 (scope-changed), can also crash single-node deployments and deny network access to unauthenticated endpoints. There is no public exploit identified at time of analysis.
Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated low-privileged attacker to create or overwrite any file on the underlying operating system by sending crafted HTTP requests to affected API endpoints. The vulnerability stems from insufficient validation of user-supplied input during the file upload process (CWE-22), and a successful exploit can serve as a reliable stepping stone to root-level privilege escalation on the management host. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV; however, the integrity impact combined with root escalation potential elevates real-world risk above the CVSS 6.5 Medium baseline.
Local privilege escalation in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated netadmin user to execute arbitrary commands as root by uploading a crafted file through the CLI. Cisco has observed limited real-world exploitation that resulted in unauthorized configuration changes being pushed to downstream edge devices, though the issue is not currently listed in CISA KEV and no public exploit code has been identified at time of analysis.
Server-side request forgery in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition allows remote unauthenticated attackers to write files to the underlying operating system via crafted HTTP requests, which Cisco notes can be leveraged to escalate to root. Cisco has assigned this a Critical Security Impact Rating despite the 8.6 CVSS score because of the root-escalation pathway. No public exploit identified at time of analysis, and exploitation requires the non-default WebDialer service to be enabled.
Remote File Inclusion (RFI) in Cisco Finesse enables unauthenticated remote attackers to load attacker-controlled files into an active user's browser session by exploiting insufficient validation of user-supplied HTTP request parameters. Exploitation requires social engineering an authenticated Finesse user into clicking a crafted URL referencing the affected device - no server-side authentication is needed from the attacker's perspective. A successful attack results in arbitrary JavaScript execution within the Finesse interface context (browser-based XSS-class impact) or unauthorized access to sensitive contact center information; no public exploit identified at time of analysis.
Cross-site scripting in Cisco Webex Meetings' web-based UI allowed unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by persuading them to follow a crafted malicious link. Insufficient input validation (CWE-79) in the Webex Meetings web interface is the root cause; the Changed Scope (S:C) in the CVSS vector indicates impact extends beyond the Webex application into the broader browser context, enabling session theft or browser-based data access. Cisco has fully remediated this server-side in the Webex cloud service, and no customer action is required. No public exploit code identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Command injection in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance lets an authenticated administrator upload a crafted certificate to execute arbitrary commands as root on the underlying operating system. The flaw stems from insufficient validation of user-supplied input (CWE-74) and carries a CVSS 7.2 (High) rating; the elevated impact comes from full root-level code execution despite the high-privilege precondition. No public exploit identified at time of analysis, and EPSS is very low at 0.04% (13th percentile), consistent with the CISA SSVC determination of no observed exploitation.
BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact.
Command injection in the BrowserBot component of Cisco ThousandEyes Enterprise Agent (CWE-78) allows authenticated SaaS users with transaction test management privileges to execute arbitrary OS commands inside the BrowserBot container as the unprivileged 'node' user. Exploitation requires valid ThousandEyes SaaS credentials and the ability to manage transaction tests, scoping the realistic threat primarily to insiders and compromised privileged accounts. Cisco has already deployed a remediation server-side; no customer action is required. No public exploit code or CISA KEV listing exists at time of analysis.
Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.
Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files via XML External Entity (XXE) injection in the web UI. The vulnerability affects the management interface with network-accessible attack vector, low complexity, and no required privileges (CVSS 8.6). Attackers can extract sensitive configuration files, credentials, and operational data from the SD-WAN management platform. EPSS data not provided; exploitation status unknown but the unauthenticated remote vector and publicly disclosed Cisco advisory elevate real-world risk for internet-exposed instances.
Cisco Catalyst SD-WAN Manager web UI fails to properly redact sensitive information in device configurations and templates, allowing authenticated users with read-only permissions to extract and leverage privileged credentials to escalate their access and modify system configurations. The vulnerability affects all versions of the product and requires only network access and valid (albeit minimal) read-only credentials; successful exploitation grants attackers high-privileged administrative capability over the SD-WAN fabric.
Privilege escalation in Cisco Catalyst SD-WAN Manager allows authenticated users with read-only permissions to elevate privileges to high-privileged user level through exposure of sensitive session information in audit logs. An attacker with initial read-only access can extract high-privilege session credentials from audit logs and impersonate an administrator, bypassing intended access controls. CVSS score 5.4 (medium) reflects the requirement for initial authentication, though the ease of escalation (AC:L) and direct path to administrative capability represent significant risk in multi-tenant or shared SD-WAN deployments.
Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) to obtain administrative privileges and manipulate network configurations across the entire SD-WAN fabric. This critical authentication bypass (CVSS 10.0) allows direct NETCONF access as a high-privileged internal user without any credentials. Cisco released fixes in May 2026 following discovery of this second authentication flaw after a February 2026 disclosure of a related vulnerability. No active exploitation confirmed in CISA KEV at time of analysis, though the maximum CVSS score and authentication bypass nature make this a priority patching target for SD-WAN deployments.
Insecure direct object reference (IDOR) in Cisco Slido REST API allows authenticated remote attackers to view other users' social profile data and manipulate quiz or poll results. The vulnerability requires valid authentication but no user interaction, affecting confidentiality and integrity of user data and poll integrity. Cisco has released a patched version; no public exploit code or active exploitation has been identified at the time of analysis.
Remote code execution in Cisco Unity Connection allows authenticated remote attackers with low-privilege credentials to execute arbitrary code as root via crafted API requests to the web management interface. Successful exploitation enables complete device compromise. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit code or active exploitation confirmed at time of analysis. EPSS data not available in provided intelligence.
Server-Side Request Forgery (SSRF) in Cisco Unity Connection Web Inbox allows remote unauthenticated attackers to send arbitrary network requests sourced from the vulnerable server. The vulnerability affects the web UI component and requires no authentication, privileges, or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), enabling attackers to abuse the server's network position for internal network reconnaissance, service enumeration, or attacks against backend systems. The changed scope (S:C) indicates impact extends beyond the vulnerable component to other network resources accessible from the Unity Connection server.
Cisco IoT Field Network Director enables authenticated remote attackers with low-level privileges to crash remotely managed routers by submitting crafted requests through the web-based management interface. The vulnerability causes improper error handling that allows requesting unauthorized files from managed routers, forcing them to reload and creating a denial-of-service condition (CVSS 7.7, Changed Scope). No public exploit or active exploitation reported at time of analysis.
Cisco IoT Field Network Director's web-based management interface allows authenticated remote attackers with low privileges to execute arbitrary commands and access files on managed routers via insufficient input validation in the web interface. The vulnerability enables file creation, deletion, read operations, and execution of limited commands in user EXEC mode on remote routers. CVSS 6.4 (medium severity); no active exploitation or public POC identified at time of analysis.
Authenticated remote attackers with low privileges can read arbitrary files via insufficient access controls in the web-based management interface of Cisco IoT Field Network Director. Exploitation requires valid login credentials and submission of crafted input through the management UI; successful attacks result in unauthorized file disclosure but do not enable modification or system disruption. No public exploit code or active exploitation has been identified at time of analysis.
Cisco Enterprise Chat and Email (ECE) Lite Agent feature allows authenticated remote attackers with Agent role credentials to upload files containing malicious scripts or HTML, which are then served to other users without adequate content validation. Successful exploitation enables stored cross-site scripting (XSS) attacks in victim browsers. The vulnerability requires valid user credentials and Agent role privileges but no user interaction on the victim side, affecting confidentiality and integrity but not availability.
Denial of service in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) allows remote unauthenticated attackers to exhaust connection resources by flooding the system with connection requests, forcing a manual reboot to restore service. CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, and EPSS data not available. The vulnerability stems from inadequate rate-limiting on incoming connections (CWE-400), affecting critical network orchestration infrastructure used for automation and service provisioning.
Cisco Prime Infrastructure log file download functionality fails to enforce proper authorization checks, allowing authenticated remote attackers to download arbitrary log files beyond their access level. An attacker with valid web management interface credentials can submit crafted URL requests to the affected download service API to retrieve sensitive logs, resulting in confidential information disclosure. CVSS score of 4.3 reflects low immediate impact but legitimate data exposure risk for organizations using this management platform.
Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication.
Cisco Identity Services Engine allows authenticated read-only administrators to bypass role-based access control on RADIUS Policy API endpoints and gain unauthorized read access to sensitive policy details through direct API calls. The vulnerability affects ISE software across versions due to improper RBAC enforcement on API endpoints, enabling privilege escalation from read-only to unauthorized data disclosure. CVSS score is 4.3 with low attack complexity, but exploitation requires valid administrative credentials.
Unauthenticated remote attackers can enumerate valid user accounts on Cisco Identity Services Engine through an identity management API endpoint by analyzing differentiated error responses to crafted requests. The vulnerability enables account enumeration with no authentication required, network-accessible attack surface, and low complexity exploitation, resulting in partial information disclosure of valid usernames on affected systems.
Unauthenticated network attackers can access an exposed API passthrough endpoint on TCP port 7373 in Cisco Intersight Device Connector for Nutanix Prism Central, enabling enumeration of cluster metadata and invocation of cluster maintenance workflows that may disrupt active workloads. The vulnerability stems from missing authentication controls on a network-accessible service endpoint and carries a CVSS 6.7 score reflecting high availability impact despite limited confidentiality and integrity exposure. No public exploit code or active exploitation has been confirmed, but the attack requires no special conditions beyond network access to the deployment environment.
A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. This vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page.
A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information.
A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services.
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device.
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device.
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system and read arbitrary files. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system.
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) attack or a reflected XSS attack against a user of the web-based management interface of an affected device. These vulnerabilities are due to insufficient sanitization of user-supplied data that is stored in the web page. An attacker could exploit these vulnerabilities by convincing a user of the interface to click a specific link or view an affected web page. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information.
Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code executed in users' browsers via insufficient input validation. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (Standalone), and Cisco UCS E-Series Software. Requires administrative privileges and user interaction (clicking a crafted link), resulting in session hijacking, credential theft, or unauthorized access to sensitive browser-based information. No public exploit code identified at time of analysis.
Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject persistent malicious scripts that execute in other users' browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series. No public exploit code or active exploitation confirmed; patch availability not independently verified from provided data.
Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code via insufficient input validation. Attackers with admin privileges can craft malicious links that execute JavaScript in the browsers of other users accessing the interface, potentially compromising session security, stealing credentials, or accessing sensitive information. No public exploit code or active exploitation has been confirmed; the vulnerability requires administrator privileges and user interaction to trigger.
Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject malicious script code that executes in the browsers of other users accessing the interface. An attacker with administrative credentials can exploit insufficient input validation by crafting a malicious link and tricking a user into clicking it, enabling arbitrary script execution or theft of sensitive browser-based information. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution in Cisco Smart Software Manager On-Prem allows unauthenticated attackers to execute arbitrary commands with root privileges via an exposed internal service API. The vulnerability stems from unintentional exposure of an internal service that accepts crafted API requests, enabling full system compromise. With a CVSS score of 9.8 and complete attack vector accessibility over the network requiring no authentication or user interaction, this represents a critical security exposure for organizations using SSM On-Prem for Cisco software license management, though no public exploit identified at time of analysis.
Cisco Nexus Dashboard Insights metadata update feature allows authenticated administrators to write arbitrary files to the system with root privileges through path traversal in insufficiently validated metadata files. An attacker with valid administrative credentials can craft and manually upload a malicious metadata file to achieve arbitrary file write access to the underlying operating system. This vulnerability affects Cisco Nexus Dashboard and Nexus Dashboard Insights deployments, particularly those using manual metadata uploads in air-gap environments. CVSS score of 4.9 reflects the requirement for high-privilege authentication, though the integrity impact is rated as high given the ability to write files as root.
Privilege escalation in Cisco Smart Software Manager On-Prem (SSM On-Prem) web interface allows authenticated remote attackers with System User role to gain administrative access by intercepting session credentials from status messages. CVSS 7.3 (High severity) with network attack vector, low complexity, and requires low privileges plus user interaction. No public exploit code or active exploitation confirmed at time of analysis (EPSS data not provided).
Improper authorization in Cisco EPNM's REST API allows authenticated low-privilege attackers to access active user session data, including administrative credentials, enabling full device compromise. The vulnerability (CWE-862: Missing Authorization) affects the web management interface with CVSS 8.0 severity. Authentication is required (PR:L) but exploitation complexity is low once authenticated. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE identifier.
Command injection in Cisco IMC web management interface allows authenticated admin-level attackers to execute arbitrary commands as root through improper input validation. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series platforms. No public exploit code or active exploitation confirmed at time of analysis, but the high-privileged context and root-level impact necessitate swift patching.
Cisco IMC web-based management interface allows authenticated administrators to execute arbitrary code as root through improper input validation in HTTP requests. The vulnerability affects Cisco Unified Computing System (standalone) and requires admin-level credentials and network access; successful exploitation grants attacker root-level code execution on the underlying operating system. No public exploit code or active exploitation has been identified at time of analysis.
Command injection in Cisco Integrated Management Controller (IMC) web interface allows authenticated attackers with read-only privileges to execute arbitrary commands as root. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only low-privilege authentication, with no public exploit identified at time of analysis. EPSS data not provided; CVE-2026 prefix suggests future disclosure.
Command injection in Cisco IMC web-based management interface allows authenticated remote attackers with admin-level privileges to execute arbitrary commands as root. The vulnerability stems from improper input validation in the web interface, enabling attackers to inject crafted commands that execute on the underlying operating system with elevated privileges. While the CVSS score is 6.5 (Medium), Cisco assigned a High Security Impact Rating due to the root-level code execution capability and potential for post-compromise lateral movement or system takeover.
Authentication bypass in Cisco Integrated Management Controller (IMC) allows unauthenticated remote attackers to gain administrative access by exploiting improper password change request handling. Affected products include Cisco Enterprise NFV Infrastructure Software, Unified Computing System (Standalone), and UCS E-Series Software. The attacker can alter any user's password, including Admin accounts, and take full control of the management interface. CVSS 9.8 (Critical) with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, though EPSS data not available for comprehensive risk assessment.
Reflected XSS in Cisco IMC web management interface allows unauthenticated remote attackers to execute arbitrary JavaScript in user browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (standalone), and UCS E-Series Software. Exploitation requires user interaction (clicking a malicious link) but could lead to session hijacking, credential theft, or malware delivery to privileged administrators managing critical infrastructure.
Server-side request forgery in Cisco Nexus Dashboard and Nexus Dashboard Insights allows unauthenticated remote attackers to conduct SSRF attacks by tricking authenticated users into clicking malicious links, enabling arbitrary network requests from the affected device and potential execution of arbitrary script code or access to sensitive browser data. CVSS 6.1 with no public exploit or active exploitation confirmed at time of analysis.
Cisco Nexus Dashboard configuration backup feature allows authenticated administrators to extract sensitive authentication credentials from encrypted backup files, enabling subsequent unauthorized access to internal APIs and arbitrary root-level command execution on the underlying operating system. The vulnerability requires possession of both a valid backup file and its encryption password, limiting exploitation to administrators or attackers with backup file access. CVSS 6.5 reflects the high-privilege requirement (PR:H) despite high confidentiality and integrity impact; no public exploit or active exploitation has been identified.
Cisco Catalyst SD-WAN Manager's web interface contains a reflected cross-site scripting (XSS) vulnerability that requires user interaction and authentication to exploit. An attacker can craft a malicious link to execute arbitrary JavaScript in a victim's browser session, potentially stealing sensitive information or performing unauthorized actions within the management interface. No patch is currently available.
A stored cross-site scripting (XSS) vulnerability exists in the web-based Cisco IOx application hosting environment management interface within Cisco IOS XE Software, allowing authenticated remote attackers with administrative credentials to inject malicious scripts that execute in the context of other users' browser sessions. Successful exploitation enables arbitrary script execution and access to sensitive browser-based information affecting a wide range of Cisco IOS XE versions from 16.6.1 through 17.18.1a. This vulnerability requires valid administrative credentials and user interaction but poses a significant risk in multi-administrator environments where privilege escalation or lateral movement could occur.
Denial of service in Cisco RoomOS software allows remote unauthenticated attackers to exhaust availability of affected collaboration endpoints and room-based video devices through improper handling of exceptional conditions (CWE-703). The issue was internally discovered by Cisco's RoomOS engineering team as part of a hardening release bundling multiple flaws under this identifier, carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), and has no public exploit identified at time of analysis. Note that the CVSS vector reflects availability-only impact even though a source tag labels it 'Information Disclosure,' a discrepancy defenders should verify against the Cisco advisory.
Remote denial of service in Cisco RoomOS software allows unauthenticated attackers to exhaust or corrupt a resource over the network, disrupting availability of Cisco collaboration room endpoints. Disclosed as part of a Cisco-internal security hardening review under the CWE-664 resource-lifetime pillar, the flaw carries a 7.5 CVSS score with an availability-only impact (C:N/I:N/A:H). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Cisco RoomOS software allows remote, unauthenticated attackers to disrupt device availability through improperly validated input, resulting in a high availability impact (CVSS 7.5). The flaw was internally discovered during a Cisco engineering security review and shipped in a software hardening release bundling multiple CWE-20 input-validation issues. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Sensitive information disclosure affects Cisco RoomOS software running on Cisco collaboration room endpoints, where missing encryption (CWE-311) exposes data to an attacker positioned on the adjacent network. An adjacent, unauthenticated attacker who can intercept or manipulate traffic could access confidential information and potentially tamper with it, though successful exploitation carries high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was internally discovered by Cisco's RoomOS engineering team during a proactive hardening review.
Memory-corruption vulnerabilities in Cisco RoomOS Software (the operating system on Cisco/Webex collaboration room endpoints) allow remote, unauthenticated attackers to trigger buffer-boundary violations that can compromise device confidentiality, integrity, and availability (CVSS 8.1). The flaws were internally discovered by Cisco's RoomOS engineering team during a proactive security review and are grouped under the CWE-119 buffer-error pillar; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. High attack complexity (AC:H) reduces the practical ease of exploitation despite the network-facing, no-privilege vector.
Path traversal in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows a remote, authenticated attacker with administrative credentials to read or delete arbitrary files on the underlying operating system via crafted HTTP requests. Successful exploitation could expose sensitive configuration or credential files, or trigger destructive deletion of system files. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the high confidentiality impact and the critical role ISE plays in enterprise network access control make this notable for environments running affected versions.
Privilege escalation via improper access control in Cisco RoomOS software allows an authenticated attacker with low-level privileges to gain full control over affected collaboration endpoints, with high impact to confidentiality, integrity, and availability. The issue was discovered internally by Cisco's RoomOS engineering team during a proactive security review and is one of several access-control weaknesses grouped under CVE-2026-20150 and resolved in a single hardening release. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
An OS command injection vulnerability exists in the start_lltd() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The machine_name configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
An OS command injection vulnerability exists in the sub_34984() function of the "rc" binary in Cisco RV130/RV130W with firmware 1.0.3.55 and RV110W routers with firmware 1.2.2.5 / 1.2.2.8. The lan_ipv6_prefixlen configuration parameter is not properly sanitized, which could allow an authenticated remote attacker to execute arbitrary OS commands with root privileges.
Root-level OS command injection in Cisco RV130/RV130W (firmware 1.0.3.55) and RV110W (firmware 1.2.2.5/1.2.2.8) small-business routers lets an authenticated remote attacker run arbitrary commands via the unsanitized model_name parameter in the httpd binary's save_syslog_to_file() function. Because injected commands run as root, successful exploitation yields full device takeover. Publicly available exploit code exists (SSVC exploitation status: poc) but the flaw is not listed in CISA KEV.
Root-level OS command injection in Cisco RV130, RV130W, and RV110W small-business routers lets an authenticated remote administrator inject arbitrary shell commands through the wan_hostname parameter, which is passed unsanitized into the start_bonjour() routine of the 'rc' binary. Because the 'rc' process runs as root, successful exploitation yields full command execution and complete device takeover. Publicly available exploit details exist in an IoT vulnerability write-up; there is no evidence of active exploitation (not in CISA KEV) and no EPSS score was provided.
Arbitrary file read in Cisco Catalyst Center lets an unauthenticated, remote attacker retrieve files from a restricted container by sending a crafted HTTP request that abuses insufficient input validation (path traversal, CWE-22). Rated CVSS 7.5 (confidentiality-only impact), it exposes sensitive container-side data without any credentials or user interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Open redirect in the browser-based Cisco Webex App allowed unauthenticated remote attackers to redirect users to attacker-controlled websites by crafting malicious URLs with manipulated parameters. The vulnerability (CWE-601) stems from improper input validation of URL parameters in HTTP requests and scores CVSS 4.3 Medium (AV:N/AC:L/PR:N/UI:R). Cisco has fully remediated this server-side with no customer action required; no public exploit or CISA KEV listing exists at time of analysis.
Privilege escalation in the Cisco Umbrella Virtual Appliance vmadmin CLI enables an authenticated local attacker holding vmadmin-level credentials to elevate access to root on the affected device. The flaw, classified as CWE-269 (Improper Privilege Management), arises because the vmadmin CLI does not adequately validate or restrict specific commands that can be leveraged as a privilege escalation path. No public exploit code has been identified and the CVE is not listed in the CISA KEV catalog at time of analysis; the CVSS 6.0 Medium score reflects the high-privilege prerequisite that meaningfully constrains the realistic attacker pool.
Authenticated remote OS command injection in Cisco Crosswork Network Controller's web-based management interface allows a threat actor holding valid template user credentials with write permissions to execute arbitrary commands on the underlying operating system. The flaw resides in the configuration template engine, which fails to adequately validate attacker-supplied input before processing it, enabling CWE-74 injection. Impact is bounded to filesystem areas where the template user holds write access, reducing blast radius compared to full OS compromise; however, on a network automation controller, even scoped command execution can expose sensitive network configurations and automation workflows. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Information disclosure in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows unauthenticated remote attackers to retrieve sensitive data - including hashed credentials - by sending crafted traffic to an affected device. The root cause is missing authorization checks on a protected resource (CWE-285), making this an authentication-bypass-style information leak. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Authenticated remote command execution in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) allows administrators to run arbitrary OS commands and escalate to root via a crafted HTTP request. The flaw, tracked as CVE-2026-20181 and reported by Cisco with a CVSS 3.1 score of 9.1 (scope-changed), can also crash single-node deployments and deny network access to unauthenticated endpoints. There is no public exploit identified at time of analysis.
Arbitrary file write via path traversal in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated low-privileged attacker to create or overwrite any file on the underlying operating system by sending crafted HTTP requests to affected API endpoints. The vulnerability stems from insufficient validation of user-supplied input during the file upload process (CWE-22), and a successful exploit can serve as a reliable stepping stone to root-level privilege escalation on the management host. No public exploit has been identified at time of analysis, and the vulnerability is not currently listed in CISA KEV; however, the integrity impact combined with root escalation potential elevates real-world risk above the CVSS 6.5 Medium baseline.
Local privilege escalation in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) allows an authenticated netadmin user to execute arbitrary commands as root by uploading a crafted file through the CLI. Cisco has observed limited real-world exploitation that resulted in unauthorized configuration changes being pushed to downstream edge devices, though the issue is not currently listed in CISA KEV and no public exploit code has been identified at time of analysis.
Server-side request forgery in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition allows remote unauthenticated attackers to write files to the underlying operating system via crafted HTTP requests, which Cisco notes can be leveraged to escalate to root. Cisco has assigned this a Critical Security Impact Rating despite the 8.6 CVSS score because of the root-escalation pathway. No public exploit identified at time of analysis, and exploitation requires the non-default WebDialer service to be enabled.
Remote File Inclusion (RFI) in Cisco Finesse enables unauthenticated remote attackers to load attacker-controlled files into an active user's browser session by exploiting insufficient validation of user-supplied HTTP request parameters. Exploitation requires social engineering an authenticated Finesse user into clicking a crafted URL referencing the affected device - no server-side authentication is needed from the attacker's perspective. A successful attack results in arbitrary JavaScript execution within the Finesse interface context (browser-based XSS-class impact) or unauthorized access to sensitive contact center information; no public exploit identified at time of analysis.
Cross-site scripting in Cisco Webex Meetings' web-based UI allowed unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by persuading them to follow a crafted malicious link. Insufficient input validation (CWE-79) in the Webex Meetings web interface is the root cause; the Changed Scope (S:C) in the CVSS vector indicates impact extends beyond the Webex application into the broader browser context, enabling session theft or browser-based data access. Cisco has fully remediated this server-side in the Webex cloud service, and no customer action is required. No public exploit code identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Command injection in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance lets an authenticated administrator upload a crafted certificate to execute arbitrary commands as root on the underlying operating system. The flaw stems from insufficient validation of user-supplied input (CWE-74) and carries a CVSS 7.2 (High) rating; the elevated impact comes from full root-level code execution despite the high-privilege precondition. No public exploit identified at time of analysis, and EPSS is very low at 0.04% (13th percentile), consistent with the CISA SSVC determination of no observed exploitation.
BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact.
Command injection in the BrowserBot component of Cisco ThousandEyes Enterprise Agent (CWE-78) allows authenticated SaaS users with transaction test management privileges to execute arbitrary OS commands inside the BrowserBot container as the unprivileged 'node' user. Exploitation requires valid ThousandEyes SaaS credentials and the ability to manage transaction tests, scoping the realistic threat primarily to insiders and compromised privileged accounts. Cisco has already deployed a remediation server-side; no customer action is required. No public exploit code or CISA KEV listing exists at time of analysis.
Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions.
Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files via XML External Entity (XXE) injection in the web UI. The vulnerability affects the management interface with network-accessible attack vector, low complexity, and no required privileges (CVSS 8.6). Attackers can extract sensitive configuration files, credentials, and operational data from the SD-WAN management platform. EPSS data not provided; exploitation status unknown but the unauthenticated remote vector and publicly disclosed Cisco advisory elevate real-world risk for internet-exposed instances.
Cisco Catalyst SD-WAN Manager web UI fails to properly redact sensitive information in device configurations and templates, allowing authenticated users with read-only permissions to extract and leverage privileged credentials to escalate their access and modify system configurations. The vulnerability affects all versions of the product and requires only network access and valid (albeit minimal) read-only credentials; successful exploitation grants attackers high-privileged administrative capability over the SD-WAN fabric.
Privilege escalation in Cisco Catalyst SD-WAN Manager allows authenticated users with read-only permissions to elevate privileges to high-privileged user level through exposure of sensitive session information in audit logs. An attacker with initial read-only access can extract high-privilege session credentials from audit logs and impersonate an administrator, bypassing intended access controls. CVSS score 5.4 (medium) reflects the requirement for initial authentication, though the ease of escalation (AC:L) and direct path to administrative capability represent significant risk in multi-tenant or shared SD-WAN deployments.
Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) to obtain administrative privileges and manipulate network configurations across the entire SD-WAN fabric. This critical authentication bypass (CVSS 10.0) allows direct NETCONF access as a high-privileged internal user without any credentials. Cisco released fixes in May 2026 following discovery of this second authentication flaw after a February 2026 disclosure of a related vulnerability. No active exploitation confirmed in CISA KEV at time of analysis, though the maximum CVSS score and authentication bypass nature make this a priority patching target for SD-WAN deployments.
Insecure direct object reference (IDOR) in Cisco Slido REST API allows authenticated remote attackers to view other users' social profile data and manipulate quiz or poll results. The vulnerability requires valid authentication but no user interaction, affecting confidentiality and integrity of user data and poll integrity. Cisco has released a patched version; no public exploit code or active exploitation has been identified at the time of analysis.
Remote code execution in Cisco Unity Connection allows authenticated remote attackers with low-privilege credentials to execute arbitrary code as root via crafted API requests to the web management interface. Successful exploitation enables complete device compromise. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit code or active exploitation confirmed at time of analysis. EPSS data not available in provided intelligence.
Server-Side Request Forgery (SSRF) in Cisco Unity Connection Web Inbox allows remote unauthenticated attackers to send arbitrary network requests sourced from the vulnerable server. The vulnerability affects the web UI component and requires no authentication, privileges, or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), enabling attackers to abuse the server's network position for internal network reconnaissance, service enumeration, or attacks against backend systems. The changed scope (S:C) indicates impact extends beyond the vulnerable component to other network resources accessible from the Unity Connection server.
Cisco IoT Field Network Director enables authenticated remote attackers with low-level privileges to crash remotely managed routers by submitting crafted requests through the web-based management interface. The vulnerability causes improper error handling that allows requesting unauthorized files from managed routers, forcing them to reload and creating a denial-of-service condition (CVSS 7.7, Changed Scope). No public exploit or active exploitation reported at time of analysis.
Cisco IoT Field Network Director's web-based management interface allows authenticated remote attackers with low privileges to execute arbitrary commands and access files on managed routers via insufficient input validation in the web interface. The vulnerability enables file creation, deletion, read operations, and execution of limited commands in user EXEC mode on remote routers. CVSS 6.4 (medium severity); no active exploitation or public POC identified at time of analysis.
Authenticated remote attackers with low privileges can read arbitrary files via insufficient access controls in the web-based management interface of Cisco IoT Field Network Director. Exploitation requires valid login credentials and submission of crafted input through the management UI; successful attacks result in unauthorized file disclosure but do not enable modification or system disruption. No public exploit code or active exploitation has been identified at time of analysis.
Cisco Enterprise Chat and Email (ECE) Lite Agent feature allows authenticated remote attackers with Agent role credentials to upload files containing malicious scripts or HTML, which are then served to other users without adequate content validation. Successful exploitation enables stored cross-site scripting (XSS) attacks in victim browsers. The vulnerability requires valid user credentials and Agent role privileges but no user interaction on the victim side, affecting confidentiality and integrity but not availability.
Denial of service in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) allows remote unauthenticated attackers to exhaust connection resources by flooding the system with connection requests, forcing a manual reboot to restore service. CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, and EPSS data not available. The vulnerability stems from inadequate rate-limiting on incoming connections (CWE-400), affecting critical network orchestration infrastructure used for automation and service provisioning.
Cisco Prime Infrastructure log file download functionality fails to enforce proper authorization checks, allowing authenticated remote attackers to download arbitrary log files beyond their access level. An attacker with valid web management interface credentials can submit crafted URL requests to the affected download service API to retrieve sensitive logs, resulting in confidential information disclosure. CVSS score of 4.3 reflects low immediate impact but legitimate data exposure risk for organizations using this management platform.
Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication.
Cisco Identity Services Engine allows authenticated read-only administrators to bypass role-based access control on RADIUS Policy API endpoints and gain unauthorized read access to sensitive policy details through direct API calls. The vulnerability affects ISE software across versions due to improper RBAC enforcement on API endpoints, enabling privilege escalation from read-only to unauthorized data disclosure. CVSS score is 4.3 with low attack complexity, but exploitation requires valid administrative credentials.
Unauthenticated remote attackers can enumerate valid user accounts on Cisco Identity Services Engine through an identity management API endpoint by analyzing differentiated error responses to crafted requests. The vulnerability enables account enumeration with no authentication required, network-accessible attack surface, and low complexity exploitation, resulting in partial information disclosure of valid usernames on affected systems.
Unauthenticated network attackers can access an exposed API passthrough endpoint on TCP port 7373 in Cisco Intersight Device Connector for Nutanix Prism Central, enabling enumeration of cluster metadata and invocation of cluster maintenance workflows that may disrupt active workloads. The vulnerability stems from missing authentication controls on a network-accessible service endpoint and carries a CVSS 6.7 score reflecting high availability impact despite limited confidentiality and integrity exposure. No public exploit code or active exploitation has been confirmed, but the attack requires no special conditions beyond network access to the deployment environment.
A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. This vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page.
A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information.
A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services.
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device.
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device.
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system and read arbitrary files. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system.
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) attack or a reflected XSS attack against a user of the web-based management interface of an affected device. These vulnerabilities are due to insufficient sanitization of user-supplied data that is stored in the web page. An attacker could exploit these vulnerabilities by convincing a user of the interface to click a specific link or view an affected web page. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information.
Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code executed in users' browsers via insufficient input validation. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (Standalone), and Cisco UCS E-Series Software. Requires administrative privileges and user interaction (clicking a crafted link), resulting in session hijacking, credential theft, or unauthorized access to sensitive browser-based information. No public exploit code identified at time of analysis.
Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject persistent malicious scripts that execute in other users' browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series. No public exploit code or active exploitation confirmed; patch availability not independently verified from provided data.
Stored XSS in Cisco IMC web management interface allows authenticated administrators to inject arbitrary script code via insufficient input validation. Attackers with admin privileges can craft malicious links that execute JavaScript in the browsers of other users accessing the interface, potentially compromising session security, stealing credentials, or accessing sensitive information. No public exploit code or active exploitation has been confirmed; the vulnerability requires administrator privileges and user interaction to trigger.
Stored cross-site scripting (XSS) in Cisco IMC web management interface allows authenticated administrators to inject malicious script code that executes in the browsers of other users accessing the interface. An attacker with administrative credentials can exploit insufficient input validation by crafting a malicious link and tricking a user into clicking it, enabling arbitrary script execution or theft of sensitive browser-based information. No public exploit code or active exploitation has been identified at time of analysis.
Remote code execution in Cisco Smart Software Manager On-Prem allows unauthenticated attackers to execute arbitrary commands with root privileges via an exposed internal service API. The vulnerability stems from unintentional exposure of an internal service that accepts crafted API requests, enabling full system compromise. With a CVSS score of 9.8 and complete attack vector accessibility over the network requiring no authentication or user interaction, this represents a critical security exposure for organizations using SSM On-Prem for Cisco software license management, though no public exploit identified at time of analysis.
Cisco Nexus Dashboard Insights metadata update feature allows authenticated administrators to write arbitrary files to the system with root privileges through path traversal in insufficiently validated metadata files. An attacker with valid administrative credentials can craft and manually upload a malicious metadata file to achieve arbitrary file write access to the underlying operating system. This vulnerability affects Cisco Nexus Dashboard and Nexus Dashboard Insights deployments, particularly those using manual metadata uploads in air-gap environments. CVSS score of 4.9 reflects the requirement for high-privilege authentication, though the integrity impact is rated as high given the ability to write files as root.
Privilege escalation in Cisco Smart Software Manager On-Prem (SSM On-Prem) web interface allows authenticated remote attackers with System User role to gain administrative access by intercepting session credentials from status messages. CVSS 7.3 (High severity) with network attack vector, low complexity, and requires low privileges plus user interaction. No public exploit code or active exploitation confirmed at time of analysis (EPSS data not provided).
Improper authorization in Cisco EPNM's REST API allows authenticated low-privilege attackers to access active user session data, including administrative credentials, enabling full device compromise. The vulnerability (CWE-862: Missing Authorization) affects the web management interface with CVSS 8.0 severity. Authentication is required (PR:L) but exploitation complexity is low once authenticated. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE identifier.
Command injection in Cisco IMC web management interface allows authenticated admin-level attackers to execute arbitrary commands as root through improper input validation. Affects Cisco Enterprise NFV Infrastructure Software, Unified Computing System (standalone), and UCS E-Series platforms. No public exploit code or active exploitation confirmed at time of analysis, but the high-privileged context and root-level impact necessitate swift patching.
Cisco IMC web-based management interface allows authenticated administrators to execute arbitrary code as root through improper input validation in HTTP requests. The vulnerability affects Cisco Unified Computing System (standalone) and requires admin-level credentials and network access; successful exploitation grants attacker root-level code execution on the underlying operating system. No public exploit code or active exploitation has been identified at time of analysis.
Command injection in Cisco Integrated Management Controller (IMC) web interface allows authenticated attackers with read-only privileges to execute arbitrary commands as root. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N) confirms network-accessible exploitation requiring only low-privilege authentication, with no public exploit identified at time of analysis. EPSS data not provided; CVE-2026 prefix suggests future disclosure.
Command injection in Cisco IMC web-based management interface allows authenticated remote attackers with admin-level privileges to execute arbitrary commands as root. The vulnerability stems from improper input validation in the web interface, enabling attackers to inject crafted commands that execute on the underlying operating system with elevated privileges. While the CVSS score is 6.5 (Medium), Cisco assigned a High Security Impact Rating due to the root-level code execution capability and potential for post-compromise lateral movement or system takeover.
Authentication bypass in Cisco Integrated Management Controller (IMC) allows unauthenticated remote attackers to gain administrative access by exploiting improper password change request handling. Affected products include Cisco Enterprise NFV Infrastructure Software, Unified Computing System (Standalone), and UCS E-Series Software. The attacker can alter any user's password, including Admin accounts, and take full control of the management interface. CVSS 9.8 (Critical) with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, though EPSS data not available for comprehensive risk assessment.
Reflected XSS in Cisco IMC web management interface allows unauthenticated remote attackers to execute arbitrary JavaScript in user browsers via crafted links. Affects Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (standalone), and UCS E-Series Software. Exploitation requires user interaction (clicking a malicious link) but could lead to session hijacking, credential theft, or malware delivery to privileged administrators managing critical infrastructure.
Server-side request forgery in Cisco Nexus Dashboard and Nexus Dashboard Insights allows unauthenticated remote attackers to conduct SSRF attacks by tricking authenticated users into clicking malicious links, enabling arbitrary network requests from the affected device and potential execution of arbitrary script code or access to sensitive browser data. CVSS 6.1 with no public exploit or active exploitation confirmed at time of analysis.
Cisco Nexus Dashboard configuration backup feature allows authenticated administrators to extract sensitive authentication credentials from encrypted backup files, enabling subsequent unauthorized access to internal APIs and arbitrary root-level command execution on the underlying operating system. The vulnerability requires possession of both a valid backup file and its encryption password, limiting exploitation to administrators or attackers with backup file access. CVSS 6.5 reflects the high-privilege requirement (PR:H) despite high confidentiality and integrity impact; no public exploit or active exploitation has been identified.
Cisco Catalyst SD-WAN Manager's web interface contains a reflected cross-site scripting (XSS) vulnerability that requires user interaction and authentication to exploit. An attacker can craft a malicious link to execute arbitrary JavaScript in a victim's browser session, potentially stealing sensitive information or performing unauthorized actions within the management interface. No patch is currently available.
A stored cross-site scripting (XSS) vulnerability exists in the web-based Cisco IOx application hosting environment management interface within Cisco IOS XE Software, allowing authenticated remote attackers with administrative credentials to inject malicious scripts that execute in the context of other users' browser sessions. Successful exploitation enables arbitrary script execution and access to sensitive browser-based information affecting a wide range of Cisco IOS XE versions from 16.6.1 through 17.18.1a. This vulnerability requires valid administrative credentials and user interaction but poses a significant risk in multi-administrator environments where privilege escalation or lateral movement could occur.