Cyber Resilience

CVE-2026-20040

High

Published: 11 March 2026

Published
11 March 2026
Modified
12 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0017 6.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-20040 is a high-severity OS Command Injection (CWE-78) vulnerability in Cisco IOS XR (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-20040 is a vulnerability in the Command-Line Interface (CLI) of Cisco IOS XR Software that enables an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of affected devices. The issue arises from insufficient validation of user arguments passed to specific CLI commands, classified under CWE-78 (OS Command Injection). It has a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.

An attacker requires local access and a low-privileged account to exploit the vulnerability by entering crafted commands at the CLI prompt. Successful exploitation results in privilege escalation to root, allowing arbitrary command execution on the operating system, which could lead to full control over the device.

Cisco's security advisory provides details on affected versions, exploitation conditions, and mitigation strategies, including software updates where available. Practitioners should refer to the advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W for patch deployment and configuration guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user…

more

arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands on the underlying operating system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

Local CLI command injection (CWE-78) directly enables privilege escalation to root (T1068) on a network device by abusing the Network Device CLI interpreter (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-46117Shared CWE-78
CVE-2026-30815Shared CWE-78
CVE-2026-0631Shared CWE-78
CVE-2025-20138Shared CWE-78
CVE-2025-54404Shared CWE-78
CVE-2024-5461Shared CWE-78
CVE-2025-54403Shared CWE-78
CVE-2026-3828Shared CWE-78
CVE-2024-26012Shared CWE-78
CVE-2025-15518Shared CWE-78

Affected Assets

Cisco
IOS XR
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the insufficient validation of user arguments in CLI commands, preventing OS command injection exploits.

prevent

Enforces least privilege for low-privileged accounts and CLI processes, blocking privilege escalation to root even if injection occurs.

prevent

Requires timely remediation of the specific software flaw in Cisco IOS XR CLI via patching as recommended in the vendor advisory.

References