Network Security Cisco Patches High-Severity Vulnerabilities in Enterprise Products Successful exploitation of the flaws could lead to code execution, server-side request forgery attacks, and denial-of-service conditions. By Ionut Arghire | May 7, 2026 (7:24 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Cisco on Wednesday announced patches for multiple vulnerabilities across its enterprise products, including five high-severity bugs. Two high-severity issues, tracked as CVE-2026-20034 and CVE-2026-20035, which could lead to server-side request forgery (SSRF) attacks, were resolved in Cisco Unity Connection. Rooted in the insufficient validation of user-supplied input and specific HTTP requests, the flaws could be exploited by remote, authenticated attackers to execute arbitrary code as root or send network requests sourced from the affected device. Cisco addressed a high-severity defect (CVE-2026-20185) in the Simple Network Management Protocol (SNMP) subsystem of SG350 and SG350X switches that could be exploited to cause a denial-of-service (DoS) condition. Improper error handling during the parsing of response data for a specific SNMP request could allow attackers to reload the device, the company explains. “This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system,” Cisco notes. Advertisement. Scroll to continue reading. The Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO) were found vulnerable to a high-severity DoS vulnerability tracked as CVE-2026-20188. According to Cisco, the issue exists because rate-limiting on incoming network connections was not properly implemented, allowing a remote, unauthenticated attacker to send a large number of connection requests to a vulnerable system and exhaust resources. The fifth high-severity bug, tracked as CVE-2026-20167, was addressed in the web interface of IoT Field Network Director. Due to improper error handling, the weakness allows attackers to submit crafted input and cause the router to reload, leading to a DoS condition. On Wednesday, Cisco also resolved seven medium-severity vulnerabilities in IoT Field Network Director, Slido, Prime Infrastructure, Identity Services Engine (ISE), and Enterprise Chat and Email (ECE). The bugs could lead to file reads, command execution, information disclosure, arbitrary log file downloads, and browser-based attacks. Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page. Related: Apple Patches iOS Flaw Allowing Recovery of Deleted Chats Related: Oracle Patches 450 Vulnerabilities With April 2026 CPU Related: Progress Patches Multiple Vulnerabilities in MOVEit WAF, LoadMaster Related: Splunk Enterprise Update Patches Code Execution Vulnerability Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Government, Scientific Entities Hit via Daemon Tools Supply Chain Attack Oracle Debuts Monthly Critical Security Patch Updates Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server Karakurt Ransomware Negotiator Sentenced to Prison MetInfo, Weaver E-cology Vulnerabilities in Attackers’ Crosshairs DigiCert Revokes Certificates After Support Portal Hack Exploitation of ‘Copy Fail’ Linux Vulnerability Begins Latest News Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion Autonomous Offensive Security Firm XBOW Raises $35 Million Herd Security Raises $3 Million for AI-Powered Training Platform Iranian APT Intrusion Masquerades as Chaos Ransomware Attack Romanian Man Extradited to US for Role in Hacking Scheme 17 Years Ago CISA Launches ‘CI Fortify’ to Prepare Critical Infrastructure for Geopolitical Cyber Conflict Sophisticated Quasar Linux RAT Targets Software Developers Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: ROSI for CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Remedio has appointed of Cynthia Stanton as Chief Marketing Officer. Jacki Monson has joined CVS Health as SVP, Deputy CISO. Gigi Schumm has been promoted to Chief Revenue Officer at Securonix. More People On The Move Expert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email