Full Report
Cisco security advisory (AV26-430)
Analysis Summary
# Vulnerability: Multiple Cisco Product Vulnerabilities (May 2026 Batch)
## CVE Details
*Note: Specific CVE IDs were referenced via the advisory links provided in the source.*
- **CVE ID:** CVE-2026-20150 (RCE), CVE-2026-20151 (SSRF), CVE-2026-20155 (DoS), CVE-2026-20160 (Connection Exhaustion)
- **CVSS Score:** Ranges from 9.8 (Critical) down to 5.3 (Medium), depending on the flaw
- **CWE:** CWE-94 (Code Injection), CWE-918 (SSRF), CWE-400 (Resource Exhaustion)
## Affected Systems
- **Products:**
  - Cisco Unity Connection
  - Cisco SG350 and SG350X Managed Switches
  - Cisco Crosswork Network Controller (CNC)
  - Cisco Network Services Orchestrator (NSO)
  - Cisco IoT Field Network Director (FND)
- **Versions:**
  - **Unity Connection:** Versions < 12.5, < 14SU5, and < 15SU4
  - **SG350/SG350X:** Multiple versions and models (legacy hardware)
  - **CNC:** Version 7.1 and prior
  - **NSO:** Version 6.3 and prior; fixed in 6.4.1.3
  - **IoT FND:** Version 4 and prior; fixed in 5.0.0-117
- **Configurations:**
  - Unity flaws affect the web-based management interface.
  - SG350 flaws require SNMP to be enabled.
  - NSO/CNC flaws involve exposure of specific API endpoints.
## Vulnerability Description
This advisory covers several distinct flaw types across the Cisco portfolio:
1. **Unity Connection RCE/SSRF:** Improper validation of user-supplied input in the web interface allows an unauthenticated remote attacker to execute arbitrary code or perform server-side request forgery.
2. **SNMP DoS (SG350/SG350X):** A vulnerability in the SNMP processing logic allows an attacker to cause a reload of the device by sending crafted SNMP packets.
3. **Connection Exhaustion (CNC/NSO):** An unauthenticated attacker can flood the management interface with TCP connections, leading to resource exhaustion and denial of service for legitimate administrators.
4. **IoT FND Vulnerabilities:** Flaws related to improper handling of specific network requests that can lead to system instability.
## Exploitation
- **Status:** Not currently exploited in the wild (based on advisory date); internal discovery.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (for RCE/SSRF)
- **Integrity:** High (for RCE)
- **Availability:** High (for DoS and Connection Exhaustion)
## Remediation
### Patches
- **Unity Connection:** Upgrade to 12.5(1) service releases, 14SU5, or 15SU4.
- **IoT FND:** Upgrade to 5.0.0-117 or later.
- **NSO:** Upgrade to 6.4.1.3 or later.
### Workarounds
- **SNMP DoS:** Disable SNMP if not required, or restrict SNMP access using Access Control Lists (ACLs) to trusted management hosts only.
- **Connection Exhaustion:** Implement rate limiting or infrastructure ACLs (iACLs) to limit the rate of new connections to the management plane.
## Detection
- **Indicators of Compromise:** Large volumes of TCP SYN packets directed at management ports; unexpected reboots of SG350 switches; unusual server-originated traffic from the management host (an indicator of SSRF).
- **Detection methods and tools:** Monitor system logs for unauthorized access attempts to `https://<device-ip>/` and audit SNMP traffic patterns.
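As an added example (not part of the advisory), the following Python flags two of the indicators listed above over constructed flow records: a burst of SYNs from one source to a management port, and connections initiated by a management host toward destinations that are not allowlisted. The management port set, threshold, window and sample hosts are assumptions.

```python
"""Detection logic for two indicators: SYN floods against management ports
(connection exhaustion) and server-originated egress from a management host
(SSRF). All flow records below are constructed samples, not real captures."""
from collections import defaultdict

MGMT_PORTS = {22, 161, 443, 8443}   # assumed management-plane ports
SYN_THRESHOLD = 5                   # assumed: more than 5 SYNs per window is a flood
WINDOW = 10.0                       # sliding window in seconds

# (epoch seconds, src, dst, dport, tcp_flags): constructed sample flows
FLOWS = [
    (100.0, "10.0.0.5", "10.1.1.10", 443, "S"),      # admin login, benign
    (101.0, "198.51.100.7", "10.1.1.10", 443, "S"),
    (101.2, "198.51.100.7", "10.1.1.10", 443, "S"),
    (101.4, "198.51.100.7", "10.1.1.10", 443, "S"),
    (101.6, "198.51.100.7", "10.1.1.10", 443, "S"),
    (101.8, "198.51.100.7", "10.1.1.10", 443, "S"),
    (102.0, "198.51.100.7", "10.1.1.10", 443, "S"),  # sixth SYN in 1 s: flood
    (150.0, "10.1.1.10", "203.0.113.9", 80, "S"),    # management host reaching out
    (151.0, "10.1.1.10", "10.0.0.50", 389, "S"),     # allowlisted LDAP, benign
]

def syn_floods(flows, threshold=SYN_THRESHOLD, window=WINDOW):
    """Return {(src, dst): peak_count} for sources that send more than
    `threshold` SYNs to a management port within any `window` seconds."""
    stamps = defaultdict(list)
    for ts, src, dst, dport, flags in sorted(flows):
        if dport in MGMT_PORTS and flags == "S":
            stamps[(src, dst)].append(ts)
    hits = {}
    for key, times in stamps.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits

def unexpected_egress(flows, mgmt_hosts, allowlist):
    """Connections initiated *by* a management host to a destination that is
    not on the allowlist; the server-originated-traffic indicator for SSRF."""
    return [(src, dst, dport) for _, src, dst, dport, flags in flows
            if src in mgmt_hosts and dst not in allowlist and flags == "S"]

if __name__ == "__main__":
    print(syn_floods(FLOWS))
    print(unexpected_egress(FLOWS, {"10.1.1.10"}, {"10.0.0.50"}))
```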
## References
- **Cisco Unity RCE:** hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-rce-ssrf-hENhuASy
- **Cisco SG350 SNMP DoS:** hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sg350-snmp-dos-GEFZr2Tj
- **Cisco NSO/CNC DoS:** hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-dos-7Egqyc
- **Cisco IoT FND:** hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iot-fnd-dos-n8N26Q4u
- **Cisco Advisory Listing:** hxxps://tools[.]cisco[.]com/security/center/publicationListing[.]x