Cisco IOS XR CLI Privilege Escalation Vulnerabilities Enabling Root Command Execution
Cisco released fixes for two high-severity privilege-escalation vulnerabilities in Cisco IOS XR Software that could allow an authenticated, local, low-privileged user to elevate privileges and either execute arbitrary commands as root or obtain full administrative control of affected routing devices. The issues were identified during Cisco internal testing and are described as independent flaws (exploitation of one is not required to exploit the other); Cisco provided software updates to remediate affected versions.
One flaw, CVE-2026-20040, is caused by insufficient validation of user-supplied arguments to certain CLI commands, so crafted input can result in root-level command execution. The second, CVE-2026-20046, stems from incorrect mapping of a CLI command to task groups, allowing the task-group authorization checks to be bypassed and administrative control to be obtained; it specifically impacts IOS XRv 9000. The Canadian Centre for Cyber Security highlighted Cisco's broader advisory set (AV26-223), which includes these IOS XR CLI privilege-escalation vulnerabilities alongside other IOS XR denial-of-service issues and web vulnerabilities in Cisco contact center products, and urged organizations to apply vendor updates as they become available.
Timeline
Mar 11, 2026
Canadian Centre for Cyber Security urges users to apply Cisco mitigations
Following Cisco's advisory release, the Canadian Centre for Cyber Security published alert AV26-223 advising administrators to review Cisco's notices, follow recommended mitigations, and apply updates when available. The alert highlighted affected Cisco IOS XR, NCS 5700, and contact center products.
Mar 11, 2026
Cisco discloses IOS XR privilege-escalation flaws and releases fixes
Cisco disclosed CVE-2026-20040 and CVE-2026-20046 in Cisco IOS XR Software, describing how an authenticated local attacker could gain root command execution or full administrative control on affected devices. Cisco released software updates and some SMUs, said no workaround exists for CVE-2026-20040, and reported no known public exploitation or in-the-wild abuse at disclosure time.
Mar 11, 2026
Cisco publishes multiple security advisories across product lines
On 2026-03-11, Cisco released multiple advisories covering vulnerabilities in Cisco NCS 5700 hardware platforms, Cisco IOS XR Software, and several Cisco contact center products. The issues included denial-of-service flaws, CLI privilege-escalation vulnerabilities, and cross-site scripting weaknesses.
Apr 15, 2021
Cisco patches IOS XRv command injection flaw CVE-2021-1485
Cisco released a vendor patch for CVE-2021-1485, a command injection vulnerability in Cisco IOS XRv 64-bit that allowed an authenticated CLI user to inject arbitrary commands via improperly quoted router CLI commands. The issue affected commands such as dir, mkdir, more, and delete, and could lead to root-level compromise of the underlying operating system.
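As an added example (not Cisco's code), a toy Python CLI front-end that shows the two defect classes this page describes: a `dir`-style argument interpolated unvalidated into a shell string (the CVE-2021-1485 / CVE-2026-20040 pattern) beside the hardened argv form, and a dispatcher that checks the caller's task groups against the task mapped to each command (the class of flaw behind CVE-2026-20046). The command names, task names, task groups and the `disk0:` argument rule are all hypothetical.

```python
# Added example (not Cisco code): a toy CLI front-end showing the two defect
# classes named above and the hardened form of each. All names are hypothetical.
import re
import shlex

# Hypothetical command table: user-facing verb -> (OS argv prefix, required task)
COMMANDS = {
    "dir":    (["ls", "-l"], "filesystem"),
    "delete": (["rm", "--"], "filesystem"),
    "show":   (["cat"], "basic-services"),
}

# Hypothetical task groups, in the style of IOS XR task-based authorization.
TASK_GROUPS = {
    "operator": {"basic-services"},
    "root-lr": {"basic-services", "filesystem"},
}

# Constructed rule: an argument is one plain path under disk0: with no metacharacters.
SAFE_ARG = re.compile(r"^disk0:[A-Za-z0-9_./-]*$")


def vulnerable_shell_line(verb, arg):
    """Weak form (CVE-2021-1485 / CVE-2026-20040 class): the argument is
    interpolated into one string that would be handed to a shell unvalidated."""
    prefix, _ = COMMANDS[verb]
    return " ".join(prefix) + " " + arg

def token_count(shell_line):
    """Tokens a POSIX shell would see; more than expected means smuggled input."""
    return len(shlex.split(shell_line))

def hardened_argv(verb, arg):
    """Hardened form: allowlist the argument, then build an argv list (no shell)."""
    if not SAFE_ARG.match(arg) or ".." in arg:
        raise ValueError("argument rejected")
    prefix, _ = COMMANDS[verb]
    return prefix + [arg]

def dispatch(user_groups, verb, arg):
    """Authorize by task group first (CVE-2026-20046 class: a verb mapped to the
    wrong task would let low-privilege groups through), then build safe argv."""
    if verb not in COMMANDS:
        raise KeyError(verb)
    required = COMMANDS[verb][1]
    granted = set().union(*(TASK_GROUPS[g] for g in user_groups))
    if required not in granted:
        raise PermissionError(f"{verb} requires task {required}")
    return hardened_argv(verb, arg)
```

The detection angle for defenders is the same in both halves: an argument that yields more shell tokens than the command expects, or a command accepted for a task group that should not carry it, is the signal to alert on.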
Related Stories

Cisco IOS XE Flaws Enable Remote Code Execution and Device Takeover
Multiple vulnerabilities in **Cisco IOS** and **Cisco IOS XE** devices have exposed routers, switches, access points, and Catalyst 9000 platforms to severe compromise, including **remote code execution**, **denial of service**, **access control bypass**, **privilege escalation**, **secure boot bypass**, **cross-site scripting**, and memory corruption. Traficom highlighted newly disclosed flaws such as `CVE-2025-20334` and `CVE-2025-20363`, which may allow arbitrary code execution, and urged organizations to update affected products in line with Cisco’s version-specific advisories. The warning follows earlier real-world attacks against internet-exposed Cisco IOS XE Web GUI instances, where attackers exploited `CVE-2023-20198` and `CVE-2023-20273` to create unauthorized administrator accounts, install a backdoor implant, and seize full control of devices. Cisco Talos reported the campaign affected exposed systems internationally, with tens of thousands of vulnerable devices identified online, while Finnish authorities said some domestic devices had already been backdoored and advised restricting Web GUI access to trusted networks or removing public internet exposure entirely.
1 week ago
Cisco Patches Critical Firewall Management RCE Vulnerabilities
Cisco released emergency fixes for two **critical (CVSS 10.0)** vulnerabilities in its firewall management software that could allow **remote, unauthenticated attackers** to execute code and gain **root-level** access to the underlying operating system. The issues are tracked as `CVE-2026-20079` and `CVE-2026-20131`, and reporting emphasized the risk profile given Cisco’s widespread deployment in large enterprises and the historical interest of sophisticated actors in rapidly weaponizing Cisco bugs. Available reporting stated there were **no confirmed in-the-wild exploitation** reports at the time of publication, but urged rapid patching due to the combination of unauthenticated reachability and full compromise potential. Separate coverage packaged the Cisco flaws alongside other weekly security items (e.g., Tycoon2FA infrastructure takedown and other incidents), but the Cisco item consistently described the same two maximum-severity firewall management vulnerabilities and their impact (RCE leading to root access).
1 month ago
Cisco ISE Flaws Enable Authenticated Remote Code Execution and Root Escalation
Cisco disclosed two high-severity vulnerabilities in **Cisco Identity Services Engine (ISE)**, tracked as `CVE-2026-20180` and `CVE-2026-20186`, that allow an authenticated attacker to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Both issues require at least **Read Only Admin** credentials and stem from insufficient validation of user-supplied input; Cisco mapped the flaws to **`CWE-22`** and **`CWE-77`** respectively. Cisco assigned both vulnerabilities the same **CVSS v3.1** score vector: `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. Successful exploitation can provide user-level operating system access and may allow attackers to escalate privileges to **root**. Cisco warned that in **single-node ISE deployments**, exploitation could also make the affected node unavailable, creating a denial-of-service condition that prevents unauthenticated endpoints from accessing the network until the system is restored.
2 weeks ago