CISCO says it has patched multiple high-severity flaws across its enterprise product line, addressing five high-severity bugs in total. Two high-severity issues, CVE-2026-20034 and CVE-2026-20035, could enable server-side request forgery in Cisco Unity Connection when exploited by a remote, authenticated attacker to run arbitrary code as root or to issue network requests from the affected device, according to Cisco.
A separate high-severity defect, CVE-2026-20185, in the SNMP subsystem of SG350 and SG350X switches could be abused to cause a denial-of-service condition, with Cisco detailing the specific SNMP parsing weaknesses and credential requirements for exploitation. The fifth high-severity vulnerability, CVE-2026-20167, was addressed in the web interface of IoT Field Network Director, where improper error handling could allow crafted input to reload the router and trigger a DoS.
According to Cisco, CNC and NSO were also found vulnerable to a high-severity DoS (CVE-2026-20188), caused by insufficient rate-limiting on incoming connections, while seven medium-severity flaws were fixed in IoT Field Network Director, Slido, Prime Infrastructure, ISE, and ECE. Cisco says it is not aware of any of these vulnerabilities being exploited in the wild.