Cisco IOS XR Software Vulnerabilities Allow Attacker to Execute Commands as Root



Cisco has issued a high-severity security advisory warning organizations about two privilege-escalation vulnerabilities in its IOS XR Software.

If exploited, these flaws could allow an authenticated, local attacker with a low-privileged account to execute arbitrary commands as root or to gain full administrative control over affected routing devices.

Both vulnerabilities were discovered during internal security testing by Cisco, and the company has released official software updates to address the flaws.

The vulnerabilities operate independently, meaning an attacker does not need to exploit one to leverage the other.

Cisco IOS XR Software Vulnerability

CVE-2026-20040: Root Command Execution

Discovered by Tristan Van Egroo of Cisco’s Advanced Security Initiatives Group (ASIG), this vulnerability stems from insufficient validation of user arguments passed to specific Command-Line Interface (CLI) commands.


An attacker who already holds a low-privileged account on the device can exploit this flaw by entering specially crafted arguments to the affected commands at the CLI prompt.

A successful exploit elevates the attacker’s privileges to root, allowing them to execute arbitrary commands directly on the underlying operating system.

CVE-2026-20046: Administrative Control Bypass

IOS XR authorizes CLI commands through task groups: each command is associated with task IDs, and a user may run a command only if the task groups assigned to their account cover those IDs. This second vulnerability arises because a CLI command is mapped to the wrong task groups in the software's source code, so the task-group check does not gate it as intended.

A low-privileged user can exploit this flaw by issuing specific CLI commands, bypassing the task group-based authorization checks.

Successful exploitation gives the attacker full administrative control of the device.

These vulnerabilities affect only the IOS XR environment:

  • CVE-2026-20040 affects Cisco IOS XR Software regardless of device configuration.
  • CVE-2026-20046 affects only Cisco IOS XRv 9000 Routers, regardless of configuration.

Cisco has explicitly confirmed that its IOS, IOS XE, and NX-OS software lines are not affected by these vulnerabilities.

Cisco strongly recommends that network administrators upgrade to fixed software releases immediately. Software Maintenance Updates (SMUs) are also available for specific platforms.

Administrators should take the following actions:

  • Upgrade Software: Migrate affected systems to a fixed IOS XR release (e.g., 25.2.21 or 25.4.2) as listed in the official advisory, or apply the corresponding SMU where one is published for the platform.
  • Apply Workarounds (CVE-2026-20046 Only): On devices that use TACACS+ for authentication, authorization, and accounting (AAA), administrators can configure TACACS+ command authorization so that non-administrative users may run only the commands they strictly require and every other command is denied.
  • Prioritize CVE-2026-20040: There is no workaround for this vulnerability, so an immediate software upgrade is the only viable defense.
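The TACACS+ command-authorization workaround described above, as an added illustration that is not part of Cisco's advisory or this article: the router-side lines enable per-command authorization on IOS XR, and the server-side stanza (written in the syntax of the open-source Shrubbery tac_plus daemon) holds the allow-list. The server address 192.0.2.10, the group name TAC-GRP, the user and group names, the shared key and the permitted commands are all placeholders chosen for the example; the real allow-list must be derived from what each operator role actually needs, and the advisory remains the authoritative source for where the workaround applies.

```text
!
! --- IOS XR side (placeholder addresses and names) ---
! Point the router at the TACACS+ server and group it.
tacacs-server host 192.0.2.10 port 49
 key 0 CHANGE-ME-SHARED-KEY
!
aaa group server tacacs+ TAC-GRP
 server 192.0.2.10
!
! Login and exec authorization may fall back to local accounts,
! but command authorization deliberately has no "none" fallback:
! a fallback of "none" would fail open if the server is unreachable.
aaa authentication login default group TAC-GRP local
aaa authorization exec default group TAC-GRP local
aaa authorization commands default group TAC-GRP
aaa accounting commands default start-stop group TAC-GRP
!
! Apply command authorization to console and vty sessions.
line console
 authorization commands default
line default
 authorization commands default
!

# --- TACACS+ server side (Shrubbery tac_plus syntax, placeholders) ---
key = "CHANGE-ME-SHARED-KEY"

# Low-privileged operator: belongs to the restricted group below.
user = operator1 {
    login = cleartext "CHANGE-ME"
    member = netops-readonly
}

group = netops-readonly {
    # Anything not explicitly permitted below is denied,
    # which is what blocks a mis-mapped command from being run.
    default service = deny

    # IOS XR-specific exec attribute: hand the user a predefined task group.
    service = exec {
        task = "#operator"
    }

    # Allow-list: only the commands this role genuinely needs.
    cmd = show {
        permit "version"
        permit "interfaces.*"
        permit "bgp summary"
        deny .*
    }
    cmd = ping {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}
```

With this in place the router sends every command an operator types to the TACACS+ server for a permit/deny decision before executing it, so a command whose task-group mapping is wrong (the CVE-2026-20046 condition) is still refused unless it appears in the allow-list. Two caveats: administrators with full task groups should be placed in a separate, broader group so that the allow-list does not lock them out, and the server must be reachable, since the configuration above intentionally has no fallback that would skip authorization. This configuration does not mitigate CVE-2026-20040, for which the advisory gives no workaround.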

According to the Cisco Product Security Incident Response Team (PSIRT), there are no known public exploits or malicious threat actor campaigns currently leveraging these vulnerabilities in the wild.
