Cisco IOS XR CLI Privilege Escalation Vulnerabilities Enabling Root Command Execution
Cisco released fixes for two high-severity privilege-escalation vulnerabilities in Cisco IOS XR Software that could allow an authenticated, local, low-privileged user to elevate privileges and either execute arbitrary commands as root or obtain full administrative control of affected routing devices. The issues were identified during Cisco internal testing and are described as independent flaws (exploitation of one is not required to exploit the other); Cisco provided software updates to remediate affected versions.
One flaw, CVE-2026-20040, is caused by insufficient validation of user-supplied arguments to certain CLI commands, enabling crafted input to result in root-level command execution. The second, CVE-2026-20046, stems from incorrect mapping of a CLI command to task groups, allowing bypass of task-group authorization checks and granting administrative control; it specifically impacts IOS XRv 9000. Canada’s Centre for Cyber Security highlighted Cisco’s broader advisory set (AV26-223), which includes these IOS XR CLI privilege escalation vulnerabilities alongside other IOS XR denial-of-service issues and web vulnerabilities in Cisco contact center products, and urged organizations to apply vendor updates as they become available.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security urges users to apply Cisco mitigations
Following Cisco's advisory release, the Canadian Centre for Cyber Security published alert AV26-223 advising administrators to review Cisco's notices, follow recommended mitigations, and apply updates when available. The alert highlighted affected Cisco IOS XR, NCS 5700, and contact center products.
Cisco discloses IOS XR privilege-escalation flaws and releases fixes
Cisco disclosed CVE-2026-20040 and CVE-2026-20046 in Cisco IOS XR Software, describing how an authenticated local attacker could gain root command execution or full administrative control on affected devices. Cisco released software updates and some SMUs, said no workaround exists for CVE-2026-20040, and reported no known public exploitation or in-the-wild abuse at disclosure time.
Cisco publishes multiple security advisories across product lines
On 2026-03-11, Cisco released multiple advisories covering vulnerabilities in Cisco NCS 5700 hardware platforms, Cisco IOS XR Software, and several Cisco contact center products. The issues included denial-of-service flaws, CLI privilege-escalation vulnerabilities, and cross-site scripting weaknesses.
Cisco patches IOS XRv command injection flaw CVE-2021-1485
Cisco released a vendor patch for CVE-2021-1485, a command injection vulnerability in Cisco IOS XRv 64-bit that allowed an authenticated CLI user to inject arbitrary commands via improperly quoted router CLI commands. The issue affected commands such as dir, mkdir, more, and delete, and could lead to root-level compromise of the underlying operating system.
Sources
Cisco IOS XR Software Vulnerability Allow Attacker to Execute Commands as Root
cybersecuritynews.com
Cisco security advisory (AV26-223) - Canadian Centre for Cyber Security
cyber.gc.ca
(CVE-2021-1485) Cisco IOS XR CLI Arbitrary Command Injection | STAR Labs
starlabs.sg


