Cisco Catalyst Switches - Chained Vulnerabilities Exposed
Basically, hackers can exploit flaws in Cisco switches to shut down networks.
Cisco's Catalyst 9300 switches are vulnerable to chained exploits that could lead to denial-of-service. This affects many enterprises relying on these devices. Immediate patching is crucial to safeguard network operations.
The Flaw
Cisco's Catalyst 9300 Series switches, widely used in enterprise environments, have been found to contain four security vulnerabilities. Among these, two vulnerabilities, CVE-2026-20114 and CVE-2026-20110, can be chained together to create a denial-of-service (DoS) condition. Discovered by Opswat's Unit 515 Critical Infrastructure Protection Lab, these flaws allow attackers to escalate privileges from a low-level user account to a point where they can effectively disable the switch.
The first vulnerability is linked to the Lobby Ambassador account, which is designed for non-technical staff to manage guest Wi-Fi access. This account has a command injection vulnerability (CVE-2026-20114) that lets attackers create a MAC-based account with elevated privileges. The second vulnerability (CVE-2026-20110) stems from insufficient sanitization, allowing attackers to elevate their privileges further and put the switches into maintenance mode, halting all traffic.
What's at Risk
The implications of these vulnerabilities are significant. If exploited, they could lead to a complete shutdown of network services for organizations relying on these switches. This is especially concerning given the critical role that Cisco Catalyst switches play in enterprise infrastructure. Even though the individual CVSS scores for these vulnerabilities range from 4.8 to 6.5, the ability to chain them amplifies the risk, making them a high-priority concern for IT departments.
Additionally, two other vulnerabilities, CVE-2026-20112 (cross-site scripting) and CVE-2026-20113 (CRLF injection), also exist but are less critical. These could allow attackers to manipulate logs and execute malicious scripts, further compromising the integrity of the system.
Patch Status
Cisco has addressed all four vulnerabilities in its March 25 semiannual Cisco IOS and IOS XE Software Security Advisory. While the patching process took longer than expected due to Cisco's twice-yearly cycle, the vulnerabilities have been officially resolved. Opswat reported these issues to Cisco in August 2025, but the remediation process extended into the next advisory window.
For organizations using these switches, it is crucial to apply the patches as soon as possible. Cisco's Software Checker tool can help determine if a switch is vulnerable based on its current software or firmware version. For immediate mitigation, enabling multi-factor authentication (MFA) for all accounts accessing the Lobby Ambassador feature is recommended.
Immediate Actions
Organizations should prioritize patching their Cisco Catalyst 9300 switches to prevent potential exploitation of these vulnerabilities. Here are some immediate actions to consider:
- Apply the latest patches from Cisco’s advisory to close the vulnerabilities.
- Enable MFA for all user accounts, especially those with access to the Lobby Ambassador feature.
- Monitor network traffic closely for any unusual activity that may indicate an attempted exploit.
- Educate staff about the importance of security practices, including recognizing phishing attempts that could lead to credential theft.
By taking these steps, organizations can significantly reduce their risk of falling victim to attacks exploiting these vulnerabilities.