TL;DR
Cisco has patched a Cisco Catalyst Center vulnerability tracked as CVE-2026-20191 (CVSS 7.5). The flaw lets an unauthenticated, remote attacker read arbitrary files from a restricted container. On the same day, the vendor disclosed seven ClamAV vulnerabilities that expose Secure Endpoint Connectors to denial-of-service attacks. The Cisco PSIRT has confirmed no exploitation in the wild for any of these flaws. Moreover, no public proof-of-concept has been reported.
Why It Matters
Catalyst Center manages switches, routers, and wireless controllers across enterprise networks. Consequently, a file read bug on this platform could expose data that helps attackers move deeper into a network. The flaw requires no authentication, which lowers the bar further. Attackers often chain file read bugs with other weaknesses to escalate access.
The ClamAV issues reach even wider. The open-source engine powers Cisco Secure Endpoint Connectors and countless third-party mail gateways and file scanners. Therefore, crashing the scanner can blind a defense layer at the exact moment malware arrives. Security teams should treat both advisories as part of one patch cycle.
How the Attacks Work
Catalyst Center Arbitrary File Read
According to the Cisco Catalyst Center advisory, “this vulnerability is due to insufficient validation of user-supplied input.” An attacker sends a crafted HTTP request to the appliance. Cisco warns that a successful exploit “could allow the attacker to read arbitrary files from a restricted container of the affected device.” The container boundary limits the exposure somewhat. Even so, unauthenticated file access on a management plane remains a serious risk.
ClamAV Parser Flaws
The ClamAV bundle advisory covers CVE-2026-20216 first. This DoS bug in the InstallShield parser stems from “improper handling of temporary resources during file scanning.” Six memory corruption flaws sit alongside it. They affect the PE (CVE-2026-20213), FSG (CVE-2026-20214), 7z (CVE-2026-20215), PESpin (CVE-2026-20217), ALZ (CVE-2026-20243), and DMG (CVE-2026-20244) parsers. Each stems from improper boundary checks that trigger an out-of-bounds buffer write. In every case, an attacker simply submits a crafted file for the engine to scan.
Cisco notes that there is no evidence these bugs enable remote code execution. However, the advisory adds a caveat. It states that “systems that are running legacy 32-bit Windows platforms are at higher risk for successful exploitation.” On Windows endpoints, a crash may freeze the machine until a reboot. On Linux and Mac, only scanning stops, so system stability holds.
Affected Versions
The Cisco Catalyst Center vulnerability affects release 3.1 on hardware appliances and on AWS and Azure virtual appliances. Cisco fixed that train in 3.1.6 GSMU200. On VMware ESXi, release 2.3.7 receives the fix in 2.3.7.11-VA GSMU100. Releases earlier than 3.1 are not vulnerable, apart from the 2.3.7 ESXi train.
For the ClamAV vulnerabilities, Secure Endpoint Connector for Windows carries a CVSS 7.5 rating. Cisco fixed it in release 8.6.2. The Linux and Mac connectors score 5.3 and receive fixes in 1.29.0 and 1.27.2, respectively. Secure Endpoint Private Cloud itself is not affected, though version 4.2.8 distributes the patched connectors.
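To turn the fixed connector releases above into a patch queue, the following added example (not Cisco tooling or code from the advisory) checks a connector inventory against them. The CSV layout, hostnames, architecture labels and the priority ordering are assumptions made for illustration.

```python
import csv
import io

# Fixed connector releases and CVSS scores as stated in the article.
FIXED = {"windows": ((8, 6, 2), 7.5), "linux": ((1, 29, 0), 5.3), "mac": ((1, 27, 2), 5.3)}

# Constructed sample inventory; hostnames and column layout are assumptions.
SAMPLE_INVENTORY = """host,os,arch,connector_version
ws-001,windows,x86,8.4.1
ws-002,windows,x64,8.6.2
ws-003,windows,x64,8.6.1.30
lx-010,linux,x64,1.28.5
mac-020,mac,arm64,1.27.2
lx-011,linux,x64,unknown
"""


def parse_version(text):
    """Return a tuple of ints, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv):
    """Return (priority, host, reason) for hosts needing action, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        os_name = row["os"].strip().lower()
        version = parse_version(row["connector_version"] or "")
        if os_name not in FIXED or version is None:
            findings.append((4, row["host"], "unknown OS or version, review manually"))
            continue
        fixed, cvss = FIXED[os_name]
        if version >= fixed:
            continue  # already on a fixed release
        if os_name != "windows":
            prio = 3  # Linux and Mac connectors: CVSS 5.3, only scanning stops
        elif row["arch"].strip().lower() in ("x86", "32-bit"):
            prio = 1  # legacy 32-bit Windows: flagged as higher risk in the advisory
        else:
            prio = 2  # other Windows: CVSS 7.5
        fixed_str = ".".join(map(str, fixed))
        findings.append((prio, row["host"], f"{row['connector_version']} < {fixed_str} (CVSS {cvss})"))
    return sorted(findings)


if __name__ == "__main__":
    print(*triage(SAMPLE_INVENTORY), sep="\n")
```

Hosts with an unparseable version land in priority 4 rather than being silently treated as patched, so gaps in the inventory stay visible.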
Patch and Mitigation Steps
Cisco states plainly that “there are no workarounds that address this vulnerability” for the ClamAV flaws. As a result, upgrading is the only remediation path. For the Cisco Catalyst Center vulnerability, the vendor likewise “strongly recommends that customers upgrade to the fixed software indicated in this advisory.” Administrators should patch Catalyst Center first, since it faces the network core. After that, they can roll updated connectors through endpoint fleets. Finally, teams should watch Cisco PSIRT channels, because exploitation status can change quickly after disclosure.