Cisco Patches High-Severity Vulnerabilities in Enterprise Products

Cisco on Wednesday announced patches for multiple vulnerabilities across its enterprise products, including five high-severity bugs.

Two high-severity issues, tracked as CVE-2026-20034 and CVE-2026-20035, which could lead to server-side request forgery (SSRF) attacks, were resolved in Cisco Unity Connection.

Rooted in the insufficient validation of user-supplied input and specific HTTP requests, the flaws could be exploited by remote, authenticated attackers to execute arbitrary code as root or send network requests sourced from the affected device.

Cisco addressed a high-severity defect (CVE-2026-20185) in the Simple Network Management Protocol (SNMP) subsystem of SG350 and SG350X switches that could be exploited to cause a denial-of-service (DoS) condition.

Improper error handling during the parsing of response data for a specific SNMP request could allow attackers to reload the device, the company explains.

“This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system,” Cisco notes.

The Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO) were found vulnerable to a high-severity DoS vulnerability tracked as CVE-2026-20188.

According to Cisco, the issue exists because rate-limiting on incoming network connections was not properly implemented, allowing a remote, unauthenticated attacker to send a large number of connection requests to a vulnerable system and exhaust resources.

The fifth high-severity bug, tracked as CVE-2026-20167, was addressed in the web interface of IoT Field Network Director. Due to improper error handling, the weakness allows attackers to submit crafted input and cause the router to reload, leading to a DoS condition.

On Wednesday, Cisco also resolved seven medium-severity vulnerabilities in IoT Field Network Director, Slido, Prime Infrastructure, Identity Services Engine (ISE), and Enterprise Chat and Email (ECE).

The bugs could lead to file reads, command execution, information disclosure, arbitrary log file downloads, and browser-based attacks.

Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page.

Related: Apple Patches iOS Flaw Allowing Recovery of Deleted Chats

Related: Oracle Patches 450 Vulnerabilities With April 2026 CPU

Related: Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster

Related: Splunk Enterprise Update Patches Code Execution Vulnerability