Cisco on Wednesday announced patches for a dozen high- and medium-severity vulnerabilities in IOS and IOS XE, most of which could be exploited to cause denial-of-service (DoS) conditions. The publicly disclosed issues, tracked as CVE-2026-20110, CVE-2026-20112, CVE-2026-20113, and CVE-2026-20114, affect Cisco Catalyst 9300 Series switches. An attacker could chain CVE-2026-20114 and CVE-2026-20110 to escalate privileges and trigger a persistent DoS that may require manual intervention to resolve.
According to OPSWAT, which discovered and reported the flaws, the chain would allow a user holding the Lobby Ambassador role to create a new user with privilege level 1 access to the Lobby Ambassador web-based management API and then access the device. The second flaw, in the start maintenance command, could be used to place the device into maintenance mode; combined with the privilege escalation, that results in a persistent DoS.
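One practical check that follows from the chain above is to watch for local accounts appearing on a device that were not in its golden configuration. The script below is an added example and is not code from Cisco, OPSWAT, or the advisories: it parses `username` lines as they appear in IOS/IOS XE `show running-config` output (the syntax `username <name> privilege <n> ...` is standard; a line without the `privilege` keyword defaults to level 1) and diffs the live set of local users against a baseline. The two configuration snippets are constructed sample input, not captures from a real switch.

```python
import re

# IOS / IOS XE local user line, e.g.
#   username netadmin privilege 15 secret 9 $9$...
# The privilege keyword is optional; IOS treats a missing level as 1.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")

# Constructed golden config (not from a real device).
BASELINE_CFG = """\
! constructed sample: approved local accounts
hostname cat9300-edge
username netadmin privilege 15 secret 9 $9$constructed
username helpdesk secret 9 $9$constructed
"""

# Constructed live config: one account gained privilege 15, one new account appeared.
CURRENT_CFG = """\
! constructed sample: live running-config
hostname cat9300-edge
username netadmin privilege 15 secret 9 $9$constructed
username helpdesk privilege 15 secret 9 $9$constructed
username svc-backup privilege 1 secret 9 $9$constructed
"""


def parse_local_users(running_config):
    """Return {username: privilege_level} from running-config text.

    IOS may emit several 'username <name> ...' lines for the same account;
    only a line that carries the privilege keyword changes the recorded level.
    """
    users = {}
    for raw in running_config.splitlines():
        m = USERNAME_RE.match(raw.strip())
        if not m:
            continue
        name, level = m.group(1), m.group(2)
        if level is not None:
            users[name] = int(level)
        else:
            users.setdefault(name, 1)  # default level when keyword is absent
    return users


def audit_users(baseline_cfg, current_cfg):
    """Compare local accounts in the live config against the baseline.

    Returns a list of human-readable findings: new accounts, privilege
    changes and removed accounts. An empty list means no drift.
    """
    base = parse_local_users(baseline_cfg)
    cur = parse_local_users(current_cfg)
    findings = []
    for name, level in cur.items():
        if name not in base:
            findings.append(f"new local user '{name}' (privilege {level})")
        elif level != base[name]:
            findings.append(f"privilege change for '{name}': {base[name]} -> {level}")
    for name in base:
        if name not in cur:
            findings.append(f"local user '{name}' removed")
    return findings


if __name__ == "__main__":
    for finding in audit_users(BASELINE_CFG, CURRENT_CFG):
        print(finding)
```

In practice, feed the script the stored golden config and the output of `show running-config` pulled from the device (for example by a config-backup job), and alert on any finding. The check covers only locally defined accounts; users that authenticate through an AAA server will not appear in the running configuration, and the script does not attempt to detect maintenance-mode changes.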
Two additional defects could be exploited for cross-site scripting (XSS) and CRLF log injection, respectively. Cisco also patched six high-severity vulnerabilities, five of which could lead to DoS, along with a flaw that could enable a secure boot bypass. Further information is available in Cisco's security advisories; the updates were rolled out as part of the IOS and IOS XE bundle.