| CVEs | Critical | High | KEV | PoC | Unpatched C/H | Patch Rate | Avg EPSS |
|---|---|---|---|---|---|---|---|
| 20 | 2 | 6 | 1 | 2 | 8 | 0.0% | 0.1% |

Severity Breakdown

| Severity | CVEs |
|---|---|
| CRITICAL | 2 |
| HIGH | 6 |
| MEDIUM | 12 |
| LOW | 0 |

Affected Products (30)

| Product | Count |
|---|---|
| Ios Xe | 31 |
| Identity Services Engine | 16 |
| Ios Xr | 13 |
| Unified Contact Center Express | 11 |
| Catalyst Sd Wan Manager | 9 |
| Evolved Programmable Network Manager | 8 |
| Prime Infrastructure | 8 |
| Secure Firewall Management Center | 7 |
| Webex Meetings | 6 |
| Nexus Dashboard | 5 |
| Firepower Threat Defense | 5 |
| Catalyst Center | 5 |
| Adaptive Security Appliance Software | 5 |
| Java | 5 |
| Jwt Attack | 5 |
| Crosswork Network Controller | 4 |
| Asyncos | 4 |
| Application Policy Infrastructure Controller | 4 |
| Open Redirect | 4 |
| Unified Communications Manager | 4 |
| Desk Phone 9851 Firmware | 3 |
| Desk Phone 9871 Firmware | 3 |
| Cisco Catalyst Sd Wan Manager | 3 |
| Common Services Platform Collector | 3 |
| SSH | 3 |
| Desk Phone 9841 Firmware | 3 |
| Unified Intelligence Center | 3 |
| TLS | 3 |
| Desk Phone 9861 Firmware | 3 |
| Video Phone 8875 Firmware | 3 |

Top Risky CVEs

| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-20182 | Remote unauthenticated attackers can bypass peering authentication in Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) to obtain administrative privileges and manipulate network configurations across the entire SD-WAN fabric. This critical authentication bypass (CVSS 10.0) allows direct NETCONF access as a high-privileged internal user without any credentials. Cisco released fixes in May 2026 following discovery of this second authentication flaw after a February 2026 disclosure of a related vulnerability. No active exploitation confirmed in CISA KEV at time of analysis, though the maximum CVSS score and authentication bypass nature make this a priority patching target for SD-WAN deployments. | CRITICAL | 10.0 | 1.6% | 127 | KEV, PoC, No patch |
| CVE-2026-20223 | Authentication bypass in Cisco Secure Workload allows unauthenticated remote attackers to invoke internal REST API endpoints and act with Site Admin privileges across tenant boundaries. The flaw carries a maximum CVSS 10.0 score with a changed scope and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation enables reading sensitive tenant data and modifying configuration globally, making this a critical-priority issue for any organization running affected versions. | CRITICAL | 10.0 | 0.0% | 50 | No patch |
| CVE-2026-20034 | Remote code execution in Cisco Unity Connection allows authenticated remote attackers with low-privilege credentials to execute arbitrary code as root via crafted API requests to the web management interface. Successful exploitation enables complete device compromise. CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit code or active exploitation confirmed at time of analysis. EPSS data not available in provided intelligence. | HIGH | 8.8 | 0.4% | 44 | No patch |
| CVE-2026-20224 | Remote file disclosure in Cisco Catalyst SD-WAN Manager allows unauthenticated attackers to read arbitrary system files via XML External Entity (XXE) injection in the web UI. The vulnerability affects the management interface with network-accessible attack vector, low complexity, and no required privileges (CVSS 8.6). Attackers can extract sensitive configuration files, credentials, and operational data from the SD-WAN management platform. EPSS data not provided; exploitation status unknown but the unauthenticated remote vector and publicly disclosed Cisco advisory elevate real-world risk for internet-exposed instances. | HIGH | 8.6 | 0.0% | 43 | No patch |
| CVE-2026-20185 | Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication. | HIGH | 7.7 | 0.2% | 38 | No patch |
| CVE-2026-20167 | Cisco IoT Field Network Director enables authenticated remote attackers with low-level privileges to crash remotely managed routers by submitting crafted requests through the web-based management interface. The vulnerability causes improper error handling that allows requesting unauthorized files from managed routers, forcing them to reload and creating a denial-of-service condition (CVSS 7.7, Changed Scope). No public exploit or active exploitation reported at time of analysis. | HIGH | 7.7 | 0.1% | 38 | No patch |
| CVE-2026-20188 | Denial of service in Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) allows remote unauthenticated attackers to exhaust connection resources by flooding the system with connection requests, forcing a manual reboot to restore service. CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, and EPSS data not available. The vulnerability stems from inadequate rate-limiting on incoming connections (CWE-400), affecting critical network orchestration infrastructure used for automation and service provisioning. | HIGH | 7.5 | 0.1% | 38 | PoC, No patch |
| CVE-2026-20035 | Server-Side Request Forgery (SSRF) in Cisco Unity Connection Web Inbox allows remote unauthenticated attackers to send arbitrary network requests sourced from the vulnerable server. The vulnerability affects the web UI component and requires no authentication, privileges, or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), enabling attackers to abuse the server's network position for internal network reconnaissance, service enumeration, or attacks against backend systems. The changed scope (S:C) indicates impact extends beyond the vulnerable component to other network resources accessible from the Unity Connection server. | HIGH | 7.2 | 0.0% | 36 | No patch |
| CVE-2026-20171 | BGP session flapping denial-of-service in Cisco NX-OS on Nexus 3000 and 9000 Series Switches exposes data-center routing infrastructure to disruption from unauthenticated remote attackers. The flaw resides in the enforce-first-as BGP feature, where incorrect parsing of a transitive BGP attribute causes an affected switch to drop its BGP peer session and enter a flap loop upon receiving a crafted BGP UPDATE message. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis, though the Changed scope in the CVSS vector reflects that the instability can propagate beyond the directly attacked peer, amplifying network-wide impact. | MEDIUM | 6.8 | 0.0% | 34 | No patch |
| CVE-2026-20168 | Authenticated remote attackers with low privileges can read arbitrary files via insufficient access controls in the web-based management interface of Cisco IoT Field Network Director. Exploitation requires valid login credentials and submission of crafted input through the management UI; successful attacks result in unauthorized file disclosure but do not enable modification or system disruption. No public exploit code or active exploitation has been identified at time of analysis. | MEDIUM | 6.5 | 0.0% | 32 | No patch |
| CVE-2026-20169 | Cisco IoT Field Network Director's web-based management interface allows authenticated remote attackers with low privileges to execute arbitrary commands and access files on managed routers via insufficient input validation in the web interface. The vulnerability enables file creation, deletion, read operations, and execution of limited commands in user EXEC mode on remote routers. CVSS 6.4 (medium severity); no active exploitation or public POC identified at time of analysis. | MEDIUM | 6.4 | 0.1% | 32 | No patch |
| CVE-2026-20206 | Command injection in the BrowserBot component of Cisco ThousandEyes Enterprise Agent (CWE-78) allows authenticated SaaS users with transaction test management privileges to execute arbitrary OS commands inside the BrowserBot container as the unprivileged 'node' user. Exploitation requires valid ThousandEyes SaaS credentials and the ability to manage transaction tests, scoping the realistic threat primarily to insiders and compromised privileged accounts. Cisco has already deployed a remediation server-side; no customer action is required. No public exploit code or CISA KEV listing exists at time of analysis. | MEDIUM | 6.3 | 0.1% | 32 | No patch |
| CVE-2026-20219 | Insecure direct object reference (IDOR) in Cisco Slido REST API allows authenticated remote attackers to view other users' social profile data and manipulate quiz or poll results. The vulnerability requires valid authentication but no user interaction, affecting confidentiality and integrity of user data and poll integrity. Cisco has released a patched version; no public exploit code or active exploitation has been identified at the time of analysis. | MEDIUM | 5.4 | 0.0% | 27 | No patch |
| CVE-2026-20209 | Privilege escalation in Cisco Catalyst SD-WAN Manager allows authenticated users with read-only permissions to elevate privileges to high-privileged user level through exposure of sensitive session information in audit logs. An attacker with initial read-only access can extract high-privilege session credentials from audit logs and impersonate an administrator, bypassing intended access controls. CVSS score 5.4 (medium) reflects the requirement for initial authentication, though the ease of escalation (AC:L) and direct path to administrative capability represent significant risk in multi-tenant or shared SD-WAN deployments. | MEDIUM | 5.4 | 0.0% | 27 | No patch |
| CVE-2026-20210 | Cisco Catalyst SD-WAN Manager web UI fails to properly redact sensitive information in device configurations and templates, allowing authenticated users with read-only permissions to extract and leverage privileged credentials to escalate their access and modify system configurations. The vulnerability affects all versions of the product and requires only network access and valid (albeit minimal) read-only credentials; successful exploitation grants attackers high-privileged administrative capability over the SD-WAN fabric. | MEDIUM | 5.4 | 0.0% | 27 | No patch |