Cisco released security advisories on May 6, 2026, addressing a broad range of vulnerabilities, including remote code execution, server-side request forgery, denial-of-service, path traversal, command injection, authentication bypass, information disclosure, and malicious file upload flaws across its enterprise product portfolio.
Security and network operations teams running Cisco Unity Connection, Enterprise Chat and Email, IoT Field Network Director, Identity Services Engine, Network Services Orchestrator, Crosswork Network Controller, SG350 switches, Prime Infrastructure, and Slido must treat this wave of disclosures as a priority patching event.
The most severe vulnerabilities in this advisory cycle affect Cisco Unity Connection, a widely deployed enterprise unified messaging and voicemail platform.
Cisco’s Product Security Incident Response Team (PSIRT) disclosed two independent high-severity flaws, CVE-2026-20034 and CVE-2026-20035, both published on May 6, 2026, at 16:00 GMT.
Critical RCE, SSRF & DoS Vulnerabilities Patched
CVE-2026-20034 (CVSS 8.8) is the more dangerous of the two. It is a remote code execution vulnerability stemming from insufficient validation of user-supplied input in the Unity Connection web-based management interface.
An authenticated attacker with valid user credentials can submit a crafted API request to execute arbitrary code as root on the underlying device, resulting in complete system compromise. The flaw is classified under CWE-35 and affects all Unity Connection deployments, regardless of configuration.
CVE-2026-20035 (CVSS 7.2) is a server-side request forgery (SSRF) vulnerability residing in the Unity Connection Web Inbox, a component enabled by default across all deployments.
An unauthenticated remote attacker can send a crafted HTTP request to force the affected device to issue arbitrary outbound network requests from its own IP address, a technique frequently leveraged for internal network reconnaissance or pivoting past perimeter controls.
This flaw is mapped to CWE-918. No workarounds exist for either vulnerability. Organizations running Unity Connection 12.5 and earlier must migrate to a supported release. Those on release 14.x should upgrade to 14SU5, while release 15.x users must deploy 15SU4 or apply the vendor-supplied patch file ciscocm.cuc.V15_CSCwq36774-CSCwq36834_C0277-1.zip.
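Because an SSRF exploit makes the voicemail server itself issue the requests, the most reliable place to spot exploitation is in egress telemetry: connections from the Unity Connection host to internal destinations it has no business reaching. The following detector is an added example written for this page, not Cisco code and not from the advisory; the key=value log format, the addresses, the baseline peer list and the scan threshold are all constructed assumptions to be replaced with your own firewall export and the real peers (call manager, directory, mail relay, DNS) your server talks to.

```python
"""Egress-anomaly check for SSRF-style pivoting from a voicemail server.

Added example, not Cisco's code and not from the advisory. The log format,
addresses and baseline peers are constructed for illustration; point it at
your own firewall export and the real peers your Unity Connection host uses.
"""
import re
from ipaddress import ip_address

# Constructed: the Unity Connection server and the peers it legitimately reaches.
UNITY_HOST = "10.20.0.15"
EXPECTED_PEERS = {
    ("10.20.0.10", 8443),  # call manager / AXL
    ("10.20.0.20", 636),   # LDAPS directory
    ("10.20.0.30", 25),    # SMTP relay
    ("10.20.0.2", 53),     # DNS
}
# Distinct unexpected (dst, port) pairs from one host that we treat as a
# scan-like burst rather than a single stray connection (constructed value).
SCAN_THRESHOLD = 5

# Constructed key=value line format, similar to common firewall syslog exports.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s*$"
)

# Constructed sample: normal traffic, then a burst of probes to internal hosts
# and to the cloud metadata address, as an SSRF pivot would produce.
SAMPLE_LOG = """\
2026-05-07T10:01:02Z action=allow src=10.20.0.15 dst=10.20.0.10 dport=8443 proto=tcp
2026-05-07T10:01:05Z action=allow src=10.20.0.15 dst=10.20.0.20 dport=636 proto=tcp
2026-05-07T10:02:11Z action=allow src=10.20.0.15 dst=10.20.5.77 dport=445 proto=tcp
2026-05-07T10:02:12Z action=allow src=10.20.0.15 dst=10.20.5.78 dport=445 proto=tcp
2026-05-07T10:02:12Z action=allow src=10.20.0.15 dst=10.20.5.79 dport=22 proto=tcp
2026-05-07T10:02:13Z action=deny src=10.20.0.15 dst=10.20.5.80 dport=3389 proto=tcp
2026-05-07T10:02:14Z action=allow src=10.20.0.15 dst=169.254.169.254 dport=80 proto=tcp
2026-05-07T10:02:15Z action=allow src=10.20.0.15 dst=10.20.5.81 dport=8080 proto=tcp
2026-05-07T10:03:00Z action=allow src=10.20.9.5 dst=10.20.5.77 dport=445 proto=tcp
2026-05-07T10:03:30Z action=allow src=10.20.0.15 dst=10.20.0.30 dport=25 proto=tcp
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """RFC 1918 and link-local targets, the usual goal of an SSRF pivot."""
    addr = ip_address(ip)
    return addr.is_private or addr.is_link_local


def unexpected_egress(lines, host=UNITY_HOST, expected=EXPECTED_PEERS):
    """Flag every connection from `host` to a (dst, port) outside its baseline.

    Returns (findings, scan_like). Denied connections are kept on purpose: a
    blocked probe still proves the server was made to issue the request.
    """
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["src"] != host:
            continue
        if (rec["dst"], rec["dport"]) in expected:
            continue
        findings.append({
            "ts": rec["ts"],
            "dst": rec["dst"],
            "dport": rec["dport"],
            "action": rec["action"],
            "internal": is_internal(rec["dst"]),
        })
    distinct_targets = {(f["dst"], f["dport"]) for f in findings}
    return findings, len(distinct_targets) >= SCAN_THRESHOLD


if __name__ == "__main__":
    found, scan_like = unexpected_egress(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['dst']}:{f['dport']} {f['action']} internal={f['internal']}")
    print("scan-like burst:", scan_like)
```

On the constructed sample the six probes from the voicemail server are reported and the burst is flagged as scan-like, while the same SMB connection from another workstation is ignored. The baseline is the important part: a voicemail server's legitimate peers are few and stable, so anything outside that set from its address is worth a ticket until the patch is in place.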
A newly disclosed medium-severity vulnerability (CVE-2026-20172, CVSS 4.3) in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) exposes organizations using this customer engagement platform to browser-based attacks. It was published under Advisory ID cisco-sa-ece-lite-agent-BCgSN8eb.
This flaw is classified as CWE-646 (Reliance on File Name or Extension of Externally-Supplied File). It stems from inadequate validation of file contents during uploads in the Lite Agent interface.
An authenticated attacker holding at least the Agent role can upload a file containing malicious scripts or embedded HTML code. Once uploaded, the application may serve this file to other users, causing the payload to execute in the victim's browser; in effect it is a stored cross-site scripting vector delivered through file upload rather than a form field.
A successful exploit could allow the attacker to hijack browser sessions, steal credentials, redirect users, or conduct further client-side attacks against internal users and customers interacting through the ECE platform. There are no workarounds available. Cisco ECE releases 12 and earlier are end-of-support and must be migrated to a supported release.
Users on release 15 should upgrade to version 15.0(1)ES202603, which contains the fix. Because the flaw affects only ECE instances with Lite Agent enabled, administrators should first confirm whether that feature is in use before prioritizing the upgrade.
Advisory cisco-sa-iot-fnd-dos-N8N26Q4u covers three distinct vulnerabilities in Cisco IoT Field Network Director (IoT FND), a centralized management solution for large-scale IoT router deployments. The advisory carries an overall score of 7.7, the highest of the three, and the flaws operate independently; exploiting one does not require exploiting the others.
CVE-2026-20167 (CVSS 7.7) is an improper error-handling flaw (CWE-388) that allows low-privileged, authenticated attackers to request unauthorized files from a remote router via the web management interface, triggering an unexpected reload and resulting in a sustained denial-of-service.
CVE-2026-20168 (CVSS 6.5) is a path traversal vulnerability (CWE-284) that enables authenticated users with low privileges to access files they are not authorized to access by submitting crafted input through the management UI.
CVE-2026-20169 (CVSS 6.4) is a command injection flaw (CWE-77) caused by insufficient input validation; a low-privilege attacker can create, read, or delete files, and run limited commands, in user EXEC mode on managed routers. All three vulnerabilities affect Cisco IoT FND regardless of device configuration.
IoT FND version 5.0.0-117 is the first fixed release; version 4 and earlier are past end-of-software-maintenance and must be migrated immediately.
Advisory cisco-sa-nso-dos-7Egqyc discloses a high-severity denial of service vulnerability (CVE-2026-20188, CVSS 7.5) affecting both Cisco Network Services Orchestrator (NSO) and Cisco Crosswork Network Controller (CNC).
The vulnerability arises from inadequate rate limiting on incoming network connections, classified under CWE-400 (Uncontrolled Resource Consumption).
An unauthenticated remote attacker can flood the system with connection requests, exhausting all available connection resources and rendering both Cisco CNC and NSO completely unresponsive to legitimate users and all dependent automated services.
Recovery requires a full manual system reboot, which is a significant operational disruption in production network automation environments. No workarounds are available. Cisco CNC 7.2 and Cisco NSO 6.5 are confirmed not vulnerable; NSO users should upgrade to 6.4.1.3 at minimum, while CNC 7.1 and earlier deployments must migrate to a fixed release.
Cisco SG350 and SG350X Series Managed Switches are affected by a heap-based buffer overflow (CWE-122) in the SNMP subsystem, disclosed as CVE-2026-20185 (CVSS 7.7) under Advisory ID cisco-sa-sg350-snmp-dos-GEFZr2Tj. Cisco has confirmed that no software fix will be released, as both product families have passed their End of Software Maintenance dates.
An authenticated attacker armed with valid SNMP credentials, either a community string for SNMPv1/v2c or valid user credentials for SNMPv3, can trigger an unexpected device reload via a crafted SNMP request, resulting in a denial of service condition.
The vulnerability exclusively impacts firmware versions 2.5.9.54 and 2.5.9.55 on units with two or more 60-watt PoE ports enabled, including SG350-28P, SG350-28MP, SG350-52P, SG350-52MP, and SG350X Series models.
As a mitigation, administrators should create an SNMP view that excludes the affected OID rlPethPsePortTable and apply it to every configured community string (and, where SNMPv3 is in use, to the groups those users belong to). This only removes the trigger for this particular flaw; a hardware migration to a currently supported Cisco switching platform is the only long-term resolution.
Cisco Identity Services Engine (ISE) is affected by two medium-severity vulnerabilities under Advisory cisco-sa-ise-unauth-bypass-uxjRXGpb. CVE-2026-20195 (CVSS 5.3) allows unauthenticated attackers to enumerate valid usernames by observing differences in the error messages returned by an identity management API endpoint (CWE-204). CVE-2026-20193 (CVSS 4.3) permits a read-only administrator to bypass RBAC controls on RADIUS Policy API endpoints and read sensitive configuration details restricted for their role (CWE-862). Fixed releases are ISE 3.3 Patch 11, 3.4 Patch 6, and 3.5 Patch 3; ISE 3.6 is confirmed not vulnerable.
Cisco Prime Infrastructure carries CVE-2026-20189 (CVSS 4.3), an information disclosure flaw that allows authenticated users to download arbitrary server log files because the download service API performs insufficient authorization checks; the fix is Prime Infrastructure 3.10.6 Security Update 3.
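The two weakness classes behind the ISE flaws (CWE-204 error discrepancies that leak whether a username exists, and CWE-862 missing authorization that also underlies the Prime Infrastructure log download) are easiest to understand as a before/after pair. The block below is an added example written for this page, not Cisco ISE or Prime Infrastructure code; the user store, the PBKDF2 cost, the roles and the endpoint table are constructed for illustration.

```python
"""Uniform authentication failures and deny-by-default API authorization.

Added example, not Cisco ISE code. The user store, roles and endpoint table
are constructed for illustration.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed cost; tune it, or use Argon2, in production


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, password hash).
_ALICE_SALT = b"constructed-salt"
USERS = {"alice": (_ALICE_SALT, _hash("correct horse battery staple", _ALICE_SALT))}

# A throwaway credential hashed once at start-up so that a request for an
# unknown user costs the same as one for a known user (no timing oracle).
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def vulnerable_login(username, password):
    """Before (CWE-204): the status code and message reveal whether the
    username exists before the password is even checked."""
    if username not in USERS:
        return 404, {"error": "user not found"}
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, {"error": "incorrect password"}
    return 200, {"ok": True}


def hardened_login(username, password):
    """After: same status, same body and the same hashing work whether or
    not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)
    if not (match and username in USERS):
        return 401, {"error": "invalid username or password"}
    return 200, {"ok": True}


# Constructed deny-by-default table: role -> set of (method, endpoint) allowed.
# A read-only role is not granted GET on everything; each readable resource
# is listed, so sensitive configuration stays out of reach unless added here.
PERMISSIONS = {
    "read-only-admin": {("GET", "/api/system/status")},
    "super-admin": {
        ("GET", "/api/system/status"),
        ("GET", "/api/radius/policy"),
        ("PUT", "/api/radius/policy"),
    },
}


def authorize(role, method, endpoint):
    """Every (method, endpoint) must be listed for the role (CWE-862 fix);
    nothing is inferred from the request being 'only a read'."""
    return (method, endpoint) in PERMISSIONS.get(role, set())
```

Two details carry the hardening: the dummy hash keeps the response time independent of whether the account exists, and the final `username in USERS` check stops a password that happens to match the dummy from logging in as a non-existent user. The authorization table is deliberately explicit per method and path; "read-only" is a permission list, not a rule that any GET is safe.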
Finally, Cisco Slido, the cloud-based audience engagement platform, patched CVE-2026-20219 (CVSS 5.4), an insecure direct object reference (IDOR) vulnerability that could have allowed authenticated attackers to view other users’ social profile data or tamper with quiz and poll results via crafted API requests.
Cisco resolved this server-side with no customer action required; researcher Rafal Golabek responsibly disclosed the flaw.
| CVE ID | Product | Vulnerability Type | CVSS Score | Severity | Auth Required | CWE | Fixed Release |
|---|---|---|---|---|---|---|---|
| CVE-2026-20034 | Cisco Unity Connection | Remote Code Execution (RCE) | 8.8 | High | Yes (User) | CWE-35 | 14SU5 / 15SU4 |
| CVE-2026-20035 | Cisco Unity Connection | Server-Side Request Forgery (SSRF) | 7.2 | High | No | CWE-918 | 14SU5 / 15SU4 |
| CVE-2026-20172 | Cisco Enterprise Chat and Email (ECE) | Malicious File Upload | 4.3 | Medium | Yes (Agent Role) | CWE-646 | 15.0(1)ES202603 |
| CVE-2026-20167 | Cisco IoT Field Network Director | Denial of Service (DoS) | 7.7 | High | Yes (Low Priv) | CWE-388 | 5.0.0-117 |
| CVE-2026-20168 | Cisco IoT Field Network Director | Path Traversal / File Access | 6.5 | Medium | Yes (Low Priv) | CWE-284 | 5.0.0-117 |
| CVE-2026-20169 | Cisco IoT Field Network Director | Command Injection | 6.4 | Medium | Yes (Low Priv) | CWE-77 | 5.0.0-117 |
| CVE-2026-20188 | Cisco NSO / Crosswork Network Controller | Connection Exhaustion DoS | 7.5 | High | No | CWE-400 | NSO 6.4.1.3 / CNC 7.2 |
| CVE-2026-20185 | Cisco SG350 / SG350X Managed Switches | SNMP Heap Buffer Overflow DoS | 7.7 | High | Yes (SNMP Creds) | CWE-122 | No patch — EoSM |
| CVE-2026-20193 | Cisco Identity Services Engine (ISE) | RBAC Authorization Bypass | 4.3 | Medium | Yes (Read-Only Admin) | CWE-862 | 3.3 P11 / 3.4 P6 / 3.5 P3 |
| CVE-2026-20195 | Cisco Identity Services Engine (ISE) | User Enumeration via Error Discrepancy | 5.3 | Medium | No | CWE-204 | 3.3 P11 / 3.4 P6 / 3.5 P3 |
| CVE-2026-20189 | Cisco Prime Infrastructure | Information Disclosure (Log File Download) | 4.3 | Medium | Yes (User) | CWE-862 | 3.10.6 Security Update 3 |
| CVE-2026-20219 | Cisco Slido | Insecure Direct Object Reference (IDOR) | 5.4 | Medium | Yes (User) | CWE-639 | Cloud-patched (no action needed) |
Cisco’s May 2026 advisory wave exposes critical risks across enterprise collaboration, IoT, identity, and network automation products, with several flaws enabling RCE, SSRF, DoS, and unauthorized access. Organizations should prioritize immediate patching and migration from end-of-life platforms.
Site: thecybrdef.com