Full Report
Cisco security advisory (AV26-223)
Analysis Summary
This summary is based on the Cisco Security Advisory (AV26-223) consolidated report. Note that this advisory covers multiple distinct vulnerabilities across different Cisco product lines.
---
# Vulnerability: Multiple Vulnerabilities in Cisco IOS XR and Contact Center Products
## CVE Details
*This advisory covers multiple CVEs. Key high-impact entries include:*
- **CVE ID:** CVE-2026-20054 (EPNI DoS), CVE-2026-20078 (ISIS DoS), CVE-2026-20081 (XR PrivEsc), CVE-2026-20092 (Contact Center XSS)
- **CVSS Score:** Range 6.1 (Medium) to 8.6 (High)
- **CWE:** CWE-400 (Resource Exhaustion), CWE-269 (Improper Privilege Management), CWE-79 (Cross-site Scripting)
## Affected Systems
- **Products:**
- Cisco NCS 5700 Series (Line cards and Fixed Chassis)
- Cisco IOS XR Software
- Cisco Unified Intelligence Center / Cisco Finesse
- Cisco Packaged CCE / Unified CCE / Unified CCX
- **Versions:** Multiple versions; Contact Center products are affected in "all versions" prior to the fixed releases.
- **Configurations:** Specific to IOS XR hardware-based Egress Packet Network Interface (EPNI) and multi-instance IS-IS configurations.
## Vulnerability Description
1. **IOS XR EPNI DoS:** A flaw in the Egress Packet Network Interface aligner interrupt handling on NCS 5700 series hardware. Processing specific traffic patterns can lead to a line card reload.
2. **ISIS DoS:** A vulnerability in the multi-instance Intermediate System-to-Intermediate System (IS-IS) protocol implementation where malformed packets can cause the routing protocol process to crash.
3. **IOS XR CLI Privilege Escalation:** Weaknesses in command-line interface validation allow a local, authenticated user with low privileges to execute commands with higher privileges (e.g., root/admin).
4. **Contact Center XSS:** Insufficient validation of user-supplied input in the web-based management interfaces allowed for Cross-Site Scripting (XSS).
## Exploitation
- **Status:** Not exploited in the wild (at time of publication).
- **Complexity:** Low to Medium (depending on the specific CVE).
- **Attack Vector:**
- **Network:** (DoS and XSS vulnerabilities)
- **Local:** (Privilege Escalation vulnerabilities)
## Impact
- **Confidentiality:** Low to Medium (High for XSS session hijacking).
- **Integrity:** Medium (High for Privilege Escalation).
- **Availability:** High (Line card reloads and protocol service crashes).
## Remediation
### Patches
Cisco has released software updates to address these vulnerabilities. Administrators should migrate to the following or later versions:
- **IOS XR:** Refer to Cisco Software Center for specific maintenance releases for NCS 5700 series.
- **Contact Center:** Apply the latest engineering specials or minor releases as specified in the individual sub-advisories.
### Workarounds
- **DoS vulnerabilities:** Implement Infrastructure Access Control Lists (iACLs) to limit traffic to the control plane and trusted neighbors.
- **XSS:** No direct workaround; update to fixed versions or implement strict web application firewall (WAF) rules.
## Detection
- **Indicators of Compromise:**
- Unexpected reloads of NCS 5700 line cards without a clear hardware fault.
- `isis` process crashes recorded in IOS XR system logs.
- Unauthorized CLI command execution logs in AAA (Authentication, Authorization, and Accounting) reports.
- **Detection methods and tools:** Cisco Software Checker can be used to scan specific IOS XR versions against these advisories.
## References
- **Vendor Advisories:**
- hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrncs-epni-int-dos-TWMffUsN
- hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-isis-dos-kDMxpSzK
- hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W
- hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-xss-MrNAH5Jh
- **Consolidated Listing:** hxxps://tools[.]cisco[.]com/security/center/publicationListing[.]x