【Vulnerability Alert】Cisco IOS XR Software contains two critical security vulnerabilities

Publish date: 2026-03-20
Update date: 2026-03-20

Source: Ministry of education information & communication security contingency platform

Publication Number: TACERT-ANA-2026031609030303
Publication Time: 2026/03/16 09:36
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2026/03/16 09:36
Impact Level: Low
[Subject]
【Vulnerability Alert】Cisco IOS XR Software contains two critical security vulnerabilities
[Content]
Forwarded from TWCERTCC-200-202603-00000013

Recently, Cisco released a critical security advisory for IOS XR Software (CVE-2026-20040, CVSS: 8.8 and CVE-2026-20046, CVSS: 8.8), both of which are CLI privilege escalation vulnerabilities. CVE-2026-20040 may allow an authenticated local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. CVE-2026-20046 exists in the task group assignment of specific CLI commands and may allow an authenticated local attacker to escalate privileges and gain full administrative control of the affected device.

(Information Sharing Level: WHITE (information content can be publicly disclosed))
[Affected Platform]
Cisco IOS XR Software versions up to and including 25.1
Cisco IOS XR Software version 25.2
Cisco IOS XR Software version 25.3
Cisco IOS XR Software version 25.4
[Recommended Actions]

【CVE-2026-20040】 Fixed versions: Cisco IOS XR Software version 25.2.21 and Cisco IOS XR Software version 25.4.2
Note: For Cisco IOS XR Software versions up to and including 25.1, and version 25.3, please migrate to a fixed version.

【CVE-2026-20046】 Fixed version: Cisco IOS XR Software version 25.2.2
Note: For Cisco IOS XR Software versions up to and including 25.1, please migrate to a fixed version.
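
A fleet triage sketch for the version guidance above, added here as an example; it is not part of the original notice or of any Cisco tooling. It assumes the `show version` banner reads `Cisco IOS XR Software, Version X.Y.Z`; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed release per train, transcribed from [Recommended Actions] above.
# None = the notice says to migrate; a train absent from a CVE's map means
# the notice gives no guidance for that train.
FIXES = {
    "CVE-2026-20040": {(25, 2): (25, 2, 21), (25, 3): None, (25, 4): (25, 4, 2)},
    "CVE-2026-20046": {(25, 2): (25, 2, 2)},
}
MIGRATE_THROUGH = (25, 1)  # "versions up to and including 25.1"
MIGRATE = "migrate to a fixed version"
# Assumed banner format of `show version` output.
VERSION_RE = re.compile(r"Cisco IOS XR Software, Version (\d+(?:\.\d+)+)")

def parse_version(text):
    """Return the version as a tuple of ints, or None if no banner is found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(version):
    """Return {CVE: action} for one parsed version tuple."""
    train, out = version[:2], {}
    for cve, fixes in FIXES.items():
        if train <= MIGRATE_THROUGH or fixes.get(train, "") is None:
            out[cve] = MIGRATE
        elif train not in fixes:
            out[cve] = "not stated in this notice"
        elif version >= fixes[train]:
            out[cve] = "fixed"
        else:  # numeric compare, so 25.2.2 sorts below 25.2.21
            out[cve] = "upgrade to " + ".".join(map(str, fixes[train]))
    return out

def triage_inventory(inventory):
    """Triage {hostname: show-version text}; unparsable hosts are flagged."""
    report = {}
    for host, text in inventory.items():
        version = parse_version(text)
        report[host] = triage(version) if version else {"error": "version not found"}
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "edge-a": "Cisco IOS XR Software, Version 24.4.2",
    "edge-b": "Cisco IOS XR Software, Version 25.2.2",
    "core-a": "Cisco IOS XR Software, Version 25.3.1",
    "core-b": "uptime is 3 weeks",
}
```

A device on 25.2.2 is reported as fixed for CVE-2026-20046 but still needs 25.2.21 for CVE-2026-20040, which is why the two CVEs are tracked separately.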

[Reference]
https://www.twcert.org.tw/tw/cp-169-10780-6b3d3-1.html
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center