CVE-2026-20119
Published: 04 February 2026
Summary
CVE-2026-20119 is a high-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software (product scope inferred from the references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 31.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-20119 is a vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software. It stems from insufficient validation of input received by an affected device, which could allow an unauthenticated, remote attacker to trigger a denial of service (DoS) condition. The issue is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-1287 (Improper Validation of Specified Type of Input).
An unauthenticated, remote attacker can exploit this vulnerability by causing the affected device to render crafted text, for example a specially crafted meeting invitation. No user interaction is required; the recipient does not even need to accept the invitation. Successful exploitation causes the device to reload, resulting in a temporary DoS condition until it restarts.
Mitigation details and affected versions are outlined in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tce-roomos-dos-9V9jrC2q. Security practitioners should consult this advisory for patching instructions and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5422
Vulnerability details
A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
- CWE(s): CWE-1287 (Improper Validation of Specified Type of Input)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated crafted input triggers a device reload (DoS) through improper input validation in exposed endpoint software. This maps directly to T1190 (Exploit Public-Facing Application) for the initial exploitation and to T1499.004 (Endpoint Denial of Service: Application or System Exploitation) for the availability impact.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the root cause, insufficient validation of crafted text inputs in the text rendering subsystem, preventing exploitation that leads to DoS.
- SI-2 (Flaw Remediation): requires timely remediation of the identified flaw through vendor patching as specified in the Cisco advisory, eliminating the vulnerability.
- SC-5 (Denial-of-Service Protection): protects against denial-of-service events by limiting the impact of unauthenticated remote crafted inputs that cause device reloads.