Home / Vulnerability Intelligence / CVE-2026-20040

CVE-2026-20040 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 11, 2026

Cisco IOS XR Software - Command Injection

Published: March 11, 2026Updated: March 11, 2026

Overview

Cisco IOS XR Software contains a command injection caused by insufficient validation of user arguments in CLI commands, letting authenticated local attackers escalate privileges to root and execute arbitrary commands.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 3.5%(Probability of exploitation in next 30 days)

Impact

Authenticated local attackers can execute arbitrary commands as root, leading to full system compromise.

Mitigation

Update to the latest available version of Cisco IOS XR Software.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W

Social Media Activity(1 post)

Jeff Hall - PCIGuru :verified:

@jbhall56

Mar 12, 2026

The most severe of these issues are CVE-2026-20040 and CVE-2026-20046 (CVSS score of 8.8), two bugs that could be exploited to execute arbitrary commands as root or gain administrative control of a device. https://www.securityweek.com/cisco-patches-high-severity-ios-xr-vulnerabilities-2/

View original post

Related Resources

Details

CVE ID: CVE-2026-20040
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: new
EPSS: 3.5%
Social Posts: 1

CWE

CWE-78

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

3.5%Probability of exploitation in the next 30 days