Cisco closes vulnerabilities, some high-risk, in IOS XR and Contact Center
Cisco warns of security vulnerabilities in IOS XR and its Contact Center products. Among other things, they allow privilege escalation or denial of service.
(Image: VIVEK PAYGUDE/Shutterstock.com)
Cisco has published security advisories for vulnerabilities in the IOS XR operating system. Attackers can escalate their privileges or take services down with denial-of-service attacks. In addition, Cisco's contact center products are affected by cross-site scripting vulnerabilities.
Network equipment supplier Cisco rates the IOS XR vulnerabilities as the most serious: they allow local, authenticated attackers to execute commands as root or take full control of the device. The causes are insufficient filtering of parameters passed to command-line commands (CVE-2026-20040, CVSS 8.8, risk "high") and an incorrect mapping of commands to task groups, which lets the task-group authorization checks be bypassed (CVE-2026-20046, CVSS 8.8, risk "high"). Cisco names the fixed software releases and provides further details in the respective security advisories.
In addition, Cisco has issued an advisory, together with updates, for a denial-of-service vulnerability in the Intermediate System-to-Intermediate System (IS-IS) multi-instance routing function (CVE-2026-20074, CVSS 7.4, risk "high"). A further advisory addresses a vulnerability in the Egress Packet Network Interface (EPNI) "Aligner Interrupt" handling. Remote attackers can exploit it as well for denial-of-service attacks against the network processor and ASIC (CVE-2026-20118, CVSS 6.8, risk "medium"). Deviating from the CVSS score, however, Cisco assigns this one its own impact rating of "high".
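The practical question behind all four IOS XR advisories is whether the release running on a device is at or above the first fixed release that Cisco names for that release train. The following script is an added illustration, not code from the article or from Cisco: it parses the version line from `show version` output and compares it, per train, against a fixed-release table. The `show version` text and every release number in it are constructed placeholders; the real fixed releases are not on this page and must be copied from the Cisco advisory into `FIRST_FIXED_BY_TRAIN`.

```python
"""Gate an IOS XR device against an advisory's fixed releases.

Added example (not from the article or Cisco). The release numbers below are
placeholders; take the real fixed releases from the Cisco advisory.
"""
import re
from typing import Optional

# Constructed sample of `show version` output; the release is a placeholder.
SAMPLE_SHOW_VERSION = """\
Cisco IOS XR Software, Version 7.10.2 LNT
Copyright (c) 2013-2024 by Cisco Systems, Inc.

Build Information:
 Built By     : build-user
"""

# Hypothetical table: release train ("major.minor") -> first fixed release.
# Fill this from the advisory's "Fixed Releases" table; values here are made up.
FIRST_FIXED_BY_TRAIN = {
    "7.10": "7.10.3",
    "24.1": "24.1.2",
}

_VERSION_RE = re.compile(r"Cisco IOS XR Software, Version\s+(\d+(?:\.\d+)+)")


def parse_xr_version(show_version_output: str) -> Optional[str]:
    """Extract the numeric release (e.g. '7.10.2') from `show version` text."""
    m = _VERSION_RE.search(show_version_output)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Turn '24.1.1' into (24, 1, 1) so tuples compare numerically,
    not lexically ('24' would otherwise sort before '7')."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(running: str, first_fixed_by_train: dict) -> bool:
    """True only if the running release is at or above the first fixed
    release of its own train. A train with no entry in the table is treated
    as unfixed, because Cisco lists fixes per train and an unlisted train
    usually means 'migrate to a fixed release', not 'not affected'."""
    running_key = version_key(running)
    train = ".".join(str(p) for p in running_key[:2])
    first_fixed = first_fixed_by_train.get(train)
    if first_fixed is None:
        return False
    return running_key >= version_key(first_fixed)


def check_device(show_version_output: str, first_fixed_by_train: dict) -> dict:
    """Combine parsing and comparison into one verdict for a device."""
    running = parse_xr_version(show_version_output)
    if running is None:
        return {"running": None, "fixed": False, "reason": "version not found"}
    fixed = is_fixed(running, first_fixed_by_train)
    return {
        "running": running,
        "fixed": fixed,
        "reason": "at or above first fixed release" if fixed else "below first fixed release or train not listed",
    }


if __name__ == "__main__":
    print(check_device(SAMPLE_SHOW_VERSION, FIRST_FIXED_BY_TRAIN))
```

The train-aware comparison matters because a device on an older train can never be "fixed" by a release from a newer train, and a plain numeric or string comparison would wrongly mark 7.11.x as fixed against a 24.1.x entry.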
Further Vulnerability in Cisco Contact Center
Furthermore, Cisco warns in another security advisory about cross-site scripting vulnerabilities in the contact center products Finesse, Packaged Contact Center Enterprise (Packaged CCE), Unified Contact Center Enterprise (Unified CCE), Unified Contact Center Express (Unified CCX), and Cisco Unified Intelligence Center. Remote attackers can exploit them without authentication against users of the web interface; Cisco also names a server-side request forgery (SSRF) attack as a possible outcome (CVE-2026-20116, CVE-2026-20117, CVSS 6.1, risk "medium").
For all of the advisories mentioned, Cisco states that, to the best of its current knowledge, none of the vulnerabilities are being exploited in the wild. IT managers should nevertheless not wait and should apply the provided updates promptly.
Last week, Cisco already released updates for Secure Firewall Management Center and Webex, among others, closing further security holes.
(dmk)