CVE-2026-20110
Privilege Misconfiguration in Cisco IOS XE CLI Causes DoS
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: Cisco Systems, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_xe | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the CLI of Cisco IOS XE Software and allows an authenticated, local attacker with low privileges to cause a denial of service (DoS) condition.
The issue arises because the 'start maintenance' command is assigned a privilege level that is too low, so a user who should not be able to run it is allowed to execute it.
By issuing the command, the attacker puts the device into maintenance mode, which shuts down its interfaces and results in a denial of service.
A device administrator can recover the device by connecting to the CLI and issuing the 'stop maintenance' command.
How can this vulnerability impact me?
Any authenticated low-privileged user with CLI access to an affected Cisco IOS XE device can cause a denial of service against it.
Because the device is placed in maintenance mode, its network interfaces are shut down, which disrupts connectivity through the device and any service that depends on it.
The outage persists until an administrator intervenes to restore normal operation, so the practical impact is loss of availability for as long as it takes to notice and recover.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation leaves the device in maintenance mode with its interfaces administratively shut down, so the most direct checks are the device's current system mode and interface state, followed by a search of command-accounting records for who ran 'start maintenance'.
- Check the system mode from the CLI (for example 'show system mode' on IOS XE platforms that support Graceful Insertion and Removal); a value of Maintenance outside a planned maintenance window is the primary indicator.
- Check interface status ('show ip interface brief') for interfaces that are unexpectedly administratively down, and look in syslog for the corresponding %LINK-5-CHANGED messages.
- Review AAA command accounting (TACACS+ or RADIUS) or any other command log for 'start maintenance' executed by a user whose privilege level is below 15. 'start maintenance' is an EXEC command, so it is not recorded by the configuration archive log; command accounting must already be enabled for this record to exist.
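The three checks above can be automated against collected CLI output and accounting records. The following is an added example, not code from the advisory or from Cisco: it parses constructed samples of 'show system mode' and 'show ip interface brief' output plus a hypothetical TACACS+-style command-accounting log (the line format is assumed, not a Cisco-documented one), and flags a device that is in maintenance mode and any 'start maintenance' run by a user below privilege level 15.

```python
"""Detection helper for abuse of 'start maintenance' (CVE-2026-20110).

Added example, not part of the advisory. It evaluates three signals:
  1. 'show system mode' reporting the device in maintenance mode,
  2. interfaces reported 'administratively down' by 'show ip interface brief',
  3. AAA command-accounting records showing 'start maintenance' executed at a
     privilege level below 15.
All sample inputs below are constructed. The accounting-record format is a
hypothetical "user=... priv-lvl=... cmd=..." line, not a Cisco format.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: 'show system mode' on a device already in maintenance mode.
SHOW_SYSTEM_MODE = "System Mode: Maintenance\n"

# Constructed sample: 'show ip interface brief' after interfaces were shut down.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1/0/1   unassigned      YES unset  administratively down down
GigabitEthernet1/0/2   unassigned      YES unset  administratively down down
GigabitEthernet1/0/24  10.10.1.5       YES NVRAM  up                    up
Vlan1                  unassigned      YES unset  administratively down down
"""

# Constructed AAA command-accounting lines (hypothetical format):
#   <date> <time> user=<name> priv-lvl=<n> cmd=<command>
ACCOUNTING_LOG = """\
2026-03-25 10:14:02 user=netops priv-lvl=15 cmd=show running-config
2026-03-25 10:31:44 user=helpdesk priv-lvl=1 cmd=show ip interface brief
2026-03-25 10:32:10 user=helpdesk priv-lvl=1 cmd=start maintenance
2026-03-25 10:40:01 user=netops priv-lvl=15 cmd=stop maintenance
"""

ACCT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) priv-lvl=(?P<lvl>\d+) cmd=(?P<cmd>.+)$"
)


@dataclass
class Findings:
    in_maintenance_mode: bool = False
    admin_down_interfaces: list = field(default_factory=list)
    low_priv_start_maintenance: list = field(default_factory=list)


def parse_system_mode(text: str) -> bool:
    """Return True when 'show system mode' output reports Maintenance."""
    m = re.search(r"System Mode:\s*(\w+)", text)
    return bool(m) and m.group(1).lower() == "maintenance"


def parse_admin_down(text: str) -> list:
    """Return interface names whose Status column is 'administratively down'."""
    down = []
    for line in text.splitlines()[1:]:  # skip the header row
        if "administratively down" in line:
            down.append(line.split()[0])
    return down


def find_low_priv_start_maintenance(log: str, admin_level: int = 15) -> list:
    """Return accounting records where 'start maintenance' was run below admin_level."""
    hits = []
    for line in log.splitlines():
        m = ACCT_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        lvl = int(m.group("lvl"))
        if m.group("cmd").strip().startswith("start maintenance") and lvl < admin_level:
            hits.append({"ts": m.group("ts"), "user": m.group("user"), "priv_lvl": lvl})
    return hits


def analyse(system_mode: str, int_brief: str, acct_log: str) -> Findings:
    """Combine the three signals into one Findings record."""
    return Findings(
        in_maintenance_mode=parse_system_mode(system_mode),
        admin_down_interfaces=parse_admin_down(int_brief),
        low_priv_start_maintenance=find_low_priv_start_maintenance(acct_log),
    )


if __name__ == "__main__":
    f = analyse(SHOW_SYSTEM_MODE, SHOW_IP_INT_BRIEF, ACCOUNTING_LOG)
    print(f"maintenance mode: {f.in_maintenance_mode}")
    print(f"admin-down interfaces: {', '.join(f.admin_down_interfaces) or 'none'}")
    for h in f.low_priv_start_maintenance:
        print(f"ALERT: 'start maintenance' by {h['user']} (priv {h['priv_lvl']}) at {h['ts']}")
```

Maintenance mode with interfaces down is normal inside a planned Graceful Insertion and Removal window, so the strong signal is the accounting record: a 'start maintenance' entry at a privilege level below 15 is the exploitation footprint, while the mode and interface checks tell you whether the device is currently affected. The accounting format should be adapted to whatever the TACACS+ or RADIUS server actually writes.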
What immediate steps should I take to mitigate this vulnerability?
Restrict CLI access (console, SSH, and any other management path) to trusted, authorized accounts, and review which accounts currently hold low-privilege CLI access at all, since any authenticated user can trigger the condition.
If a device is found in maintenance mode because of exploitation, connect to the CLI as an administrator and issue 'stop maintenance', then confirm that the interfaces have returned to their expected state.
Apply Cisco's fixed software release when it is available. In the meantime, review the privilege level associated with 'start maintenance' and consider raising it to 15 with the standard IOS XE mechanism ('privilege exec level 15 start maintenance'); verify from a low-privilege session that the command is then rejected, since the effectiveness of this adjustment against the underlying defect is not stated here.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.