Raw Record Source

{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreidzyncfjzug2yd4dvw5aio6klurrvkfbskawjysds7r6uxmfhr35e",
    "uri": "at://did:plc:qzjwstutqk2cy7df7jbzd2hx/app.bsky.feed.post/3mhxw4tm64iu2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreigso2jddzagb2u3cnbw3myqjtfpr7snedqhn36zoy3bbjmkd5pkgq"
    },
    "mimeType": "image/jpeg",
    "size": 7783387
  },
  "path": "/article/4150169/chained-vulnerabilities-in-cisco-catalyst-switches-could-induce-denial-of-service.html",
  "publishedAt": "2026-03-25T18:24:10.000Z",
  "site": "https://www.networkworld.com",
  "tags": [
    "Network Security, Network Switches, Networking, Networking Devices, Security, Vulnerabilities",
    "CVE-2026-20114",
    "CVE-2026-20110",
    "Catalyst 9300 switches",
    "CVE-2026-20112",
    "CVE-2026-20113",
    "vulnerability analysis",
    "Loc Nguyen",
    "Cisco’s Software Checker"
  ],
  "textContent": "Cisco’s widely deployed Catalyst 9300 Series enterprise switches have four security vulnerabilities, two of which could be chained to cause a denial-of-service outage, infrastructure security company Opswat has revealed.\n\nThe two most operationally significant are CVE-2026-20114 and CVE-2026-20110, which the researchers found could be chained to make possible a dangerous privilege escalation. Opswat’s Unit 515 Critical Infrastructure Protection (CIP) Lab discovered them and reported them to Cisco last July.\n\nThe first weakness was in the Catalyst WebUI Lobby Ambassador account, which exists to allow non-technical staff with no admin privileges to administer guest Wi-Fi access.\n\nThis turned out to have a command injection vulnerability (CVE-2026-20114) which allowed the researchers to create a MAC-based account with a slightly higher privilege level.\n\nWith this access, they then discovered a second and more serious vulnerability caused by insufficient sanitization (CVE-2026-20110) which allowed them to reach a high enough privilege level to put Catalyst 9300 switches into ‘maintenance mode,’ at which point they would stop passing traffic.\n\n“This vulnerability chain allows a low privileged user to escalate their capabilities and ultimately trigger a full denial of service condition on the Cisco device,” Opswat said in a proof-of-concept video.\n\nOpswat also discovered two other Catalyst 9300 vulnerabilities: CVE-2026-20112 (cross-site scripting) and CVE-2026-20113 (CRLF injection). These relate to the IOS XE IOx integration environment which enables cloud edge computing features on Catalyst switches.\n\nThe first of these, CVE-2026-20112, could be exploited by an “authenticated user [who] could store malicious JavaScript payloads that would later execute in the context of another user’s session,” said Opswat in its full vulnerability analysis.\n\nThe second, CVE-2026-20113, would allow an attacker to cover their tracks for any exploit on IOS XE IOx: “By injecting crafted control characters, an attacker can forge or manipulate log entries, potentially obscuring malicious activity and compromising the integrity of audit records,” said Opswat, adding that this weakens the reliability of logging mechanisms critical for monitoring, incident response, and forensic analysis.\n\n## Patching priority\n\nTo make headway, an attacker would need to chain the first two vulnerabilities, CVE-2026-20114 and CVE-2026-20110, the first of which would require authentication using stolen credentials.\n\nThis slightly raises the bar to any compromise, although stealing credentials for low-privilege user accounts is not a major barrier for an attacker.\n\nHowever, the fact that an attacker can elevate privileges from a basic Lobby Ambassador account to put a switch into a denial-of-service state underlines the risk this vulnerability poses. A short-term mitigation for this would be to make sure MFA security is turned on for all user accounts accessing the Lobby Ambassador feature.\n\nAccording to Opswat, it took from last July until this month to patch the flaws because of Cisco’s twice-yearly patching cycle.\n\n“Since we reported these issues in August 2025, there was not enough time for Cisco to complete the investigation, remediation, and advisory process in time for the September cycle. As a result, publication moved to the next advisory window in March 2026,” pen testing team leader Loc Nguyen said. “To the best of our knowledge, there is no evidence that these vulnerabilities were exploited by third parties,” he added.\n\n## Vulnerable products and fixes\n\nCisco has addressed all four CVEs in its March 25 semiannual Cisco IOS and IOS XE Software Security Advisory. Although none of the individual CVSS scores are high (ranging from 4.8 for CVE-2026-20112 to 6.5 for CVE-2026-20110) the danger is amplified by the way the first two can be chained.\n\nCisco’s Software Checker tool can be used to determine whether a switch is vulnerable by entering the software/firmware version currently in use.\n\nNo workarounds are possible for CVE-2026-20114, CVE-2026-20112, or CVE-2026-20113. The highest-rated flaw, CVE-2026-20110, can be mitigated by setting the privilege level of the ‘start maintenance’ command manually from the command line interface, Cisco said.\n\nIn February, Cisco made public a different series of vulnerabilities affecting the Catalyst SD-WAN Manager, CVE-2026-20122, CVE-2026-20126, and CVE-2026-20128. These allowed an attacker to elevate themselves to root and were assigned a CVSS score of 9.8 (‘critical’) with no workarounds possible.\n\nThat same month Cisco also patched a vulnerability in its Catalyst SD-WAN Controller, CVE-2026-20127.",
  "title": "Chained vulnerabilities in Cisco Catalyst switches could induce denial-of-service"
}