Cisco’s widely deployed Catalyst 9300 Series enterprise switches have four security vulnerabilities, two of which could be chained to cause a denial-of-service outage, infrastructure security company Opswat has revealed.
The two most operationally significant are CVE-2026-20114 and CVE-2026-20110, which the researchers found could be chained to enable a dangerous privilege escalation. Opswat’s Unit 515 Critical Infrastructure Protection (CIP) Lab discovered them and reported them to Cisco last July.
The first weakness was in the Catalyst WebUI Lobby Ambassador account, which exists to allow non-technical staff with no admin privileges to administer guest Wi-Fi access.
This turned out to have a command injection vulnerability (CVE-2026-20114), which allowed the researchers to create a MAC-based account with a slightly higher privilege level.
With this access, they then discovered a second and more serious vulnerability caused by insufficient sanitization (CVE-2026-20110), which allowed them to reach a high enough privilege level to put Catalyst 9300 switches into ‘maintenance mode,’ at which point they would stop passing traffic.
“This vulnerability chain allows a low privileged user to escalate their capabilities and ultimately trigger a full denial of service condition on the Cisco device,” Opswat said in a proof-of-concept video.
Opswat also discovered two other Catalyst 9300 vulnerabilities: CVE-2026-20112 (cross-site scripting) and CVE-2026-20113 (CRLF injection). These relate to the IOS XE IOx integration environment which enables cloud edge computing features on Catalyst switches.
The first of these, CVE-2026-20112, could be exploited by an “authenticated user [who] could store malicious JavaScript payloads that would later execute in the context of another user’s session,” said Opswat in its full vulnerability analysis.
The second, CVE-2026-20113, would allow an attacker to cover their tracks for any exploit on IOS XE IOx: “By injecting crafted control characters, an attacker can forge or manipulate log entries, potentially obscuring malicious activity and compromising the integrity of audit records,” said Opswat, adding that this weakens the reliability of logging mechanisms critical for monitoring, incident response, and forensic analysis.
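Why CRLF injection undermines audit records, shown as an added example that is not from Opswat, Cisco or the original article: a constructed one-line-per-event log format (an assumption, not the IOS XE IOx format) is written first with the raw field and then with control characters neutralized, and the raw input is also flagged so the attempt itself can be alerted on. All function names and sample values are hypothetical.

```python
import re

# C0/C1 control characters, DEL, and the Unicode line/paragraph separators:
# anything a log viewer or parser may treat as a record boundary.
CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")

TS = "2026-03-25T10:00:00Z"  # constructed timestamp for the sample entries


def escape_control(match):
    """Render one control character as a visible, unambiguous escape."""
    cp = ord(match.group())
    return f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}"


def neutralize(value):
    """Make a field safe to embed in a single-line log record."""
    # Escape backslashes first so an attacker cannot pre-type "\x0d" and
    # make genuine text indistinguishable from an escaped control byte.
    text = str(value).replace("\\", "\\\\")
    return CONTROL.sub(escape_control, text)


def has_control(value):
    """Detection hook: True if a raw field carries control characters."""
    return CONTROL.search(str(value)) is not None


def naive_entry(user, action):
    """Weak form: the user-supplied field reaches the log unchanged."""
    return f"{TS} user={user} action={action}\n"


def safe_entry(user, action):
    """Hardened form: every field is neutralized before formatting."""
    return f"{TS} user={neutralize(user)} action={neutralize(action)}\n"


def count_records(blob):
    """Count the records a line-oriented log reader would see."""
    return len(blob.splitlines())


# Constructed input: a user field carrying CR LF and a forged second record.
SAMPLE_USER = "guest action=login\r\n2026-03-25T10:00:01Z user=admin"

if __name__ == "__main__":
    print(count_records(naive_entry(SAMPLE_USER, "delete_app")))  # forged split
    print(safe_entry(SAMPLE_USER, "delete_app"), end="")
    print("alert:", has_control(SAMPLE_USER))
```

Neutralizing at write time keeps one event on one line, while the `has_control` check on the raw value gives detection teams a signal that does not depend on the log's own integrity.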
Patching priority
To make headway, an attacker would need to chain the first two vulnerabilities, CVE-2026-20114 and CVE-2026-20110, the first of which would require authentication using stolen credentials.
This slightly raises the bar to any compromise, although stealing credentials for low-privilege user accounts is not a major barrier for an attacker.
However, the fact that an attacker can elevate privileges from a basic Lobby Ambassador account to put a switch into a denial-of-service state underlines the risk this vulnerability poses. A short-term mitigation for this would be to make sure MFA security is turned on for all user accounts accessing the Lobby Ambassador feature.
According to Opswat, it took from last July until this month to patch the flaws because of Cisco’s twice-yearly patching cycle.
“Since we reported these issues in August 2025, there was not enough time for Cisco to complete the investigation, remediation, and advisory process in time for the September cycle. As a result, publication moved to the next advisory window in March 2026,” pen testing team leader Loc Nguyen said. “To the best of our knowledge, there is no evidence that these vulnerabilities were exploited by third parties,” he added.
Vulnerable products and fixes
Cisco has addressed all four CVEs in its March 25 semiannual Cisco IOS and IOS XE Software Security Advisory. Although none of the individual CVSS scores are high (ranging from 4.8 for CVE-2026-20112 to 6.5 for CVE-2026-20110), the danger is amplified by the way the first two can be chained.
Cisco’s Software Checker tool can be used to determine whether a switch is vulnerable by entering the software/firmware version currently in use.
No workarounds are possible for CVE-2026-20114, CVE-2026-20112, or CVE-2026-20113. The highest-rated flaw, CVE-2026-20110, can be mitigated by setting the privilege level of the ‘start maintenance’ command manually from the command line interface, Cisco said.
In February, Cisco made public a different series of vulnerabilities affecting the Catalyst SD-WAN Manager, CVE-2026-20122, CVE-2026-20126, and CVE-2026-20128. These allowed an attacker to elevate themselves to root and were assigned a CVSS score of 9.8 (‘critical’) with no workarounds possible.
That same month Cisco also patched a vulnerability in its Catalyst SD-WAN Controller, CVE-2026-20127.
This article first appeared on Network World.