SB20260325180 - Multiple vulnerabilities in Cisco IOS XE
Published: March 25, 2026
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Incorrect Privilege Assignment (CVE-ID: CVE-2026-20110)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in the CLI when handling the start maintenance command. A local user can send a specially crafted command to cause a denial of service.
Exploitation requires authentication with low-privileged user credentials and local access to the device CLI.
2) Cleartext Transmission of Sensitive Information (CVE-ID: CVE-2026-20115)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper use of a secure channel in the device configuration upload process when handling communication with the Cisco Meraki Dashboard. A remote attacker can conduct an on-path attack to disclose sensitive device configuration information.
Exploitation requires user interaction in the form of an on-path position between the affected device and the Cisco Meraki Dashboard.
3) Improper Validation of Syntactic Correctness of Input (CVE-ID: CVE-2026-20114)
The vulnerability allows a remote user to escalate privileges and access management APIs that would not normally be available for Lobby Ambassador users.
The vulnerability exists due to improper validation of parameters in the Lobby Ambassador web-based management API when handling HTTP requests. A remote user can send a specially crafted HTTP request after authenticating as a Lobby Ambassador user to escalate privileges and create a new user with privilege level 1 access to the web-based management API.
Successful exploitation allows the attacker to access device management APIs with elevated privileges.
4) Improper Handling of Syntactically Invalid Structure (CVE-ID: CVE-2026-20125)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper validation of user-supplied input in the HTTP Server feature when handling HTTP requests. A remote user can send malformed HTTP requests to an affected device to cause a watchdog timer to expire and the device to reload, resulting in a denial of service.
To exploit this vulnerability, the attacker must have a valid user account.
5) Resource exhaustion (CVE-ID: CVE-2026-20084)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of BOOTP packets in the DHCP snooping feature when processing BOOTP requests. A remote attacker can send a specially crafted BOOTP request packet to forward BOOTP packets between VLANs, resulting in high CPU utilization and a denial of service condition.
The affected device becomes unreachable through console or remote management and is unable to forward traffic. This vulnerability can be exploited with either unicast or broadcast BOOTP packets and requires specific configuration conditions: IP DHCP snooping enabled, ip helper-address configured on an SVI, the next hop being a sub-interface, and one of the sub-interfaces having the native VLAN configured.
6) Missing Reference to Active Allocated Resource (CVE-ID: CVE-2026-20004)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper management of memory resources in the TLS library when handling TLS connection setup. A remote attacker can send a specially crafted sequence of TLS connection requests to cause a denial of service.
Exploitation can be achieved by repeatedly triggering memory allocation during TLS handshake procedures, such as through repeated EAP authentication attempts when local EAP is enabled or via machine-in-the-middle connection resets. The affected device must be configured with TLS-dependent features such as Local EAP, RadSec, SANet, or Telemetry, which are not enabled by default.
7) Improper Handling of Missing Values (CVE-ID: CVE-2026-20086)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper handling of a malformed CAPWAP packet during CAPWAP packet processing. A remote attacker can send a specially crafted request to cause a denial of service.
The affected device may reload unexpectedly, resulting in a denial of service condition.
8) Buffer underflow (CVE-ID: CVE-2026-20104)
The vulnerability allows an attacker with physical access to execute arbitrary code at boot time and break the chain of trust.
The vulnerability exists due to insufficient validation of software at boot time in the bootloader when manipulating loaded binaries. An attacker with physical access can modify the device's binaries to bypass integrity checks during boot and execute unsigned code, breaking the chain of trust.
Successful exploitation allows execution of arbitrary code that bypasses the requirement to run Cisco-signed images.
9) Improper Handling of Extra Parameters (CVE-ID: CVE-2026-20083)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a malformed SCP request in the Secure Copy Protocol (SCP) server feature when processing SCP commands over SSH. A local user can send a specially crafted SCP command to cause the device to reload unexpectedly, resulting in a denial of service.
Successful exploitation requires the attacker to be authenticated with low privileges and the SCP server feature to be enabled on the device.
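For triage, the configuration preconditions named in items 4, 5 and 9 can be checked against a saved running-config. The following is an added example, not code from Cisco or from this bulletin; the sample configuration is constructed, and treating an interface name containing "." as a sub-interface and either `ip http server` or `ip http secure-server` as the HTTP Server feature are assumptions.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip scp server enable
no ip http server
ip http secure-server
!
interface Vlan10
 ip helper-address 10.0.99.5
!
interface GigabitEthernet1/0/1.20
 encapsulation dot1Q 20 native
!
"""

def parse_config(text):
    """Split a running-config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """Return {CVE: bool} for preconditions visible in config text only.
    The 'next hop is a sub-interface' condition needs routing state: not checked."""
    glob, ifs = parse_config(text)
    snooping = "ip dhcp snooping" in glob  # exact match, so 'no ...' lines do not count
    svi_helper = any(n.lower().startswith("vlan") and
                     any(l.startswith("ip helper-address ") for l in b)
                     for n, b in ifs.items())
    native_sub = any("." in n and
                     any(re.fullmatch(r"encapsulation dot1[qQ] \d+ native", l) for l in b)
                     for n, b in ifs.items())
    http_on = any(l in ("ip http server", "ip http secure-server") for l in glob)
    return {
        "CVE-2026-20084": snooping and svi_helper and native_sub,
        "CVE-2026-20083": "ip scp server enable" in glob,
        "CVE-2026-20125": http_on,
    }

print(audit(SAMPLE_CONFIG))
```

A `True` result means only that the listed preconditions appear in the configuration; whether the running release is affected still has to be confirmed against the vendor advisory.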
Remediation
Install the update from the vendor's website.
References
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-mntc-dos-LZweQcyq
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq22014
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe_infodis-6J847uEB
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp83554
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-lobby-privesc-KwxBqJy
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq16757
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-http-dos-sbv8XRpL
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq14981
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bootp-WuBhNBxA
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwq07617
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-tls-dos-TVgLDEZL
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwk59707
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwm80596
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-dos-hnX5KGOm
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp13209
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xe-secureboot-bypass-B6uYxYSZ
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwr77016
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-scp-dos-duAdXtCg
- https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwr59895