CVE-2026-20040
Published: 11 March 2026
Summary
CVE-2026-20040 is a high-severity OS Command Injection (CWE-78) vulnerability in Cisco IOS XR (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the insufficient validation of user arguments in CLI commands, preventing OS command injection exploits.
Enforces least privilege for low-privileged accounts and CLI processes, blocking privilege escalation to root even if injection occurs.
Requires timely remediation of the specific software flaw in Cisco IOS XR CLI via patching as recommended in the vendor advisory.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local CLI command injection (CWE-78) directly enables privilege escalation to root (T1068) on a network device by abusing the Network Device CLI interpreter (T1059.008).
NVD Description
A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user…
more
arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands on the underlying operating system.
Deeper analysisAI
CVE-2026-20040 is a vulnerability in the Command-Line Interface (CLI) of Cisco IOS XR Software that enables an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of affected devices. The issue arises from insufficient validation of user arguments passed to specific CLI commands, classified under CWE-78 (OS Command Injection). It has a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
An attacker requires local access and a low-privileged account to exploit the vulnerability by entering crafted commands at the CLI prompt. Successful exploitation results in privilege escalation to root, allowing arbitrary command execution on the operating system, which could lead to full control over the device.
Cisco's security advisory provides details on affected versions, exploitation conditions, and mitigation strategies, including software updates where available. Practitioners should refer to the advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W for patch deployment and configuration guidance.
Details
- CWE(s)