Cisco has issued a high-priority security advisory regarding multiple vulnerabilities in its IOS XR Software that could allow local attackers to bypass security restrictions and seize full administrative control of networking devices. The flaws, which impact the Command Line Interface (CLI), could lead to unauthorized users executing commands with the highest possible privileges: root.
The primary vulnerability, tracked as CVE-2026-20040, is a privilege escalation flaw found in the CLI of Cisco IOS XR Software. This issue is particularly dangerous because it affects the software regardless of the specific device configuration.
According to the Cisco advisory: “This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by passing crafted arguments to an affected CLI command”.
If successful, a low-level attacker could “execute arbitrary commands as root on the underlying operating system of an affected device,” effectively bypassing all standard security boundaries.
A second vulnerability, CVE-2026-20046, specifically targets Cisco IOS XRv 9000 Routers. Similar to the first flaw, it allows an authenticated, local attacker to escalate their privileges to root or gain complete administrative control. Cisco clarifies that these two vulnerabilities are independent: one does not need to be exploited to trigger the other, and a software release might be affected by one but not necessarily both.
Cisco has released fixed software versions to address these threats. For organizations unable to patch immediately, a limited workaround exists for devices using TACACS+ for Authentication, Authorization, and Accounting (AAA).
| Cisco IOS XR Software Release | First Fixed Release for CVE-2026-20040 | First Fixed Release for CVE-2026-20046 |
|---|---|---|
| 25.1 and earlier | Migrate to a fixed release. | Migrate to a fixed release. |
| 25.2 | 25.2.21 (Mar 2026) | 25.2.2 |
| 25.3 | Migrate to a fixed release. | Not affected. |
| 25.4 | 25.4.2 (Mar 2026) | Not affected. |
| 26.1 | Not affected. | Not affected. |
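As an added example (not Cisco's tooling and not part of the advisory), the following Python script turns the fixed-release table above into a check an operator can run against a `show version` capture from each router. The release numbers are the ones in the table; the `show version` sample, the function names and the status strings are constructed for illustration. Version strings are compared numerically so that, for instance, 25.2.21 correctly ranks above 25.2.3.

```python
"""Classify a Cisco IOS XR release against the fixed-release table in the
advisory summary. Example code added for illustration; not Cisco's tooling."""
import re
from typing import Dict, Optional, Tuple

CVES = ("CVE-2026-20040", "CVE-2026-20046")

# Fixed-release table as published in the summary. None means "migrate to a
# fixed release" (no fix planned in that train); "not affected" is literal.
FIXED: Dict[str, Dict[str, Optional[str]]] = {
    "25.2": {"CVE-2026-20040": "25.2.21", "CVE-2026-20046": "25.2.2"},
    "25.3": {"CVE-2026-20040": None, "CVE-2026-20046": "not affected"},
    "25.4": {"CVE-2026-20040": "25.4.2", "CVE-2026-20046": "not affected"},
    "26.1": {"CVE-2026-20040": "not affected", "CVE-2026-20046": "not affected"},
}
LAST_UNFIXED_TRAIN = (25, 1)  # "25.1 and earlier": migrate for both CVEs


def parse_version(text: str) -> Tuple[int, ...]:
    """'25.2.21' -> (25, 2, 21). Integer tuples compare numerically, so
    25.2.21 ranks above 25.2.3 (a plain string compare would get this wrong)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"release needs at least major.minor: {text!r}")
    return parts


def extract_version(show_version: str) -> Optional[str]:
    """Pull the release string out of `show version` output. Handles both the
    'Version 7.5.2' and 'Version : 7.5.2' layouts seen on IOS XR platforms."""
    m = re.search(r"Version\s*:?\s*(\d+(?:\.\d+)+)", show_version)
    return m.group(1) if m else None


def assess(release: str) -> Dict[str, str]:
    """Return a per-CVE status for one release string."""
    v = parse_version(release)
    train = v[:2]
    if train <= LAST_UNFIXED_TRAIN:
        return {cve: "vulnerable; migrate to a fixed release" for cve in CVES}
    train_key = f"{train[0]}.{train[1]}"
    if train_key not in FIXED:
        return {cve: "train not in advisory table; check the advisory" for cve in CVES}
    result: Dict[str, str] = {}
    for cve, fixed in FIXED[train_key].items():
        if fixed == "not affected":
            result[cve] = "not affected"
        elif fixed is None:
            result[cve] = "vulnerable; migrate to a fixed release"
        elif v >= parse_version(fixed):
            result[cve] = "fixed"
        else:
            result[cve] = f"vulnerable; upgrade to {fixed}"
    return result


# Constructed sample of `show version` output (hypothetical device and release).
SAMPLE_SHOW_VERSION = """\
Cisco IOS XR Software, Version 25.2.1
Copyright (c) 2013-2025 by Cisco Systems, Inc.

Build Information:
 Built By     : example
 Version      : 25.2.1
"""

if __name__ == "__main__":
    rel = extract_version(SAMPLE_SHOW_VERSION)
    print(f"release {rel}:")
    for cve, status in assess(rel).items():
        print(f"  {cve}: {status}")
```

Feed the script a saved `show version` per device (for example, from an existing inventory collection job) and treat any "vulnerable" verdict as a ticket to either upgrade to the listed release or, where the table says to migrate, plan a train change; the "train not in advisory table" outcome deliberately refuses to guess about releases the advisory does not list.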
Administrators can use command authorization to “permit access only to commands that non-administrative users require and deny access to all other commands”. However, Cisco warns that customers should evaluate the impact of such mitigations on their specific network performance before deployment.