Full Report
Cisco security advisory (AV26-281)
Analysis Summary
# Vulnerability: Cisco March 2026 Semiannual IOS and IOS XE Software Security Bundled Publication
## CVE Details
*Note: As this is a bundled advisory (ERP-75297), it addresses multiple vulnerabilities. The primary critical vulnerabilities often found in these cycles include:*
- **CVE ID:** Multiple (Refer to Cisco Event Response ERP-75297)
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** Commonly includes CWE-20 (Improper Input Validation), CWE-119 (Memory Corruption), and CWE-77 (Command Injection).
## Affected Systems
- **Products:**
- Cisco Catalyst Switches (9000, 9200, 9300 Series)
- Cisco Catalyst Rugged Series (IE3500, IE3505, IE9310, IE9320)
- Cisco Catalyst Wireless Controllers (CW9800H, CW9800M, CW9800H1)
- Cisco Catalyst SD-WAN Manager
- Cisco IOS & IOS XE Software
- Cisco Secure Firewall ASA & FTD Software
- Cisco Meraki MS390
- **Versions:** Multiple versions of IOS XE (e.g., 17.x) and IOS software.
- **Configurations:** Varies by CVE; often impacts devices with specific features enabled such as Web UI, SNMP, RESTCONF, or specific Layer 2 protocols.
## Vulnerability Description
This bundle represents Cisco's semiannual release addressing several security flaws within the IOS and IOS XE software ecosystem. The vulnerabilities typically range from **Unauthenticated Remote Code Execution (RCE)** and **Denial of Service (DoS)** to **Privilege Escalation**. Many of these stem from insufficient validation of protocol-specific traffic or malformed packets processed by the device's management interfaces or control plane.
## Exploitation
- **Status:** Historically, these bundled releases address vulnerabilities discovered internally or by researchers; however, administrators should monitor for subsequent PoC releases.
- **Complexity:** Low to Medium (depending on the specific CVE).
- **Attack Vector:** Primarily Network (Remote).
## Impact
- **Confidentiality:** High (Risk of data exfiltration or credential theft).
- **Integrity:** High (Risk of unauthorized configuration changes).
- **Availability:** High (Risk of device crashes and sustained DoS).
## Remediation
### Patches
Cisco has released software updates to address these vulnerabilities. Organizations are advised to migrate to the following consolidated release trains if applicable:
- IOS XE Software versions 17.6.x, 17.9.x, 17.12.x or later.
- Specific fixed releases are detailed in the Cisco Software Checker tool.
### Workarounds
- Disable unused services (e.g., `no ip http server`).
- Restrict management access using Infrastructure Access Control Lists (iACLs) and VTY lines.
- Use Control Plane Policing (CoPP) to limit the impact of DoS-related traffic.
## Detection
- **Indicators of Compromise:** Unexpected reboots, unusual high CPU usage, unauthorized user accounts in the configuration, or unexpected entries in syslog (e.g., `%SYS-5-CONFIG_I`).
- **Detection methods and tools:**
- Use the **Cisco Software Checker** to identify vulnerable images.
- Monitor network traffic for unusual management protocol usage (SSH/HTTPS/SNMP) from unauthorized IPs.
## References
- Cisco Event Response: hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/viewErp[.]x?alertId=ERP-75297
- Cisco Security Advisory Portal: hxxps[://]tools[.]cisco[.]com/security/center/publicationListing[.]x
- Canadian Centre for Cyber Security (AV26-281): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/cisco-security-advisory-av26-281