CVE-2026-20040 - Vulnerability Details

A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device.

This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands on the underlying operating system.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00035.

Exploitation none

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco IOS XR Software

unknown

Version	Status	Constraints
`6.5.3`	affected	—
`6.5.29`	affected	—
`6.5.1`	affected	—
`6.6.1`	affected	—
`6.5.2`	affected	—
`6.5.92`	affected	—
`6.5.15`	affected	—
`6.6.2`	affected	—
`7.0.1`	affected	—
`6.6.25`	affected	—
`6.5.26`	affected	—
`6.6.11`	affected	—
`6.5.25`	affected	—
`6.5.28`	affected	—
`6.5.93`	affected	—
`6.6.12`	affected	—
`6.5.90`	affected	—
`7.1.1`	affected	—
`7.0.90`	affected	—
`6.6.3`	affected	—
`6.7.1`	affected	—
`7.0.2`	affected	—
`7.1.15`	affected	—
`7.2.1`	affected	—
`7.1.2`	affected	—
`6.7.2`	affected	—
`7.0.11`	affected	—
`7.0.12`	affected	—
`7.0.14`	affected	—
`7.1.25`	affected	—
`6.6.4`	affected	—
`7.2.12`	affected	—
`7.3.1`	affected	—
`7.1.3`	affected	—
`6.7.3`	affected	—
`7.4.1`	affected	—
`7.2.2`	affected	—
`6.7.4`	affected	—
`6.5.31`	affected	—
`7.3.15`	affected	—
`7.3.16`	affected	—
`6.8.1`	affected	—
`7.4.15`	affected	—
`6.5.32`	affected	—
`7.3.2`	affected	—
`7.5.1`	affected	—
`7.4.16`	affected	—
`7.3.27`	affected	—
`7.6.1`	affected	—
`7.5.2`	affected	—
`7.8.1`	affected	—
`7.6.15`	affected	—
`7.5.12`	affected	—
`7.8.12`	affected	—
`7.3.3`	affected	—
`7.7.1`	affected	—
`6.8.2`	affected	—
`7.3.4`	affected	—
`7.4.2`	affected	—
`6.7.35`	affected	—
`6.9.1`	affected	—
`7.6.2`	affected	—
`7.5.3`	affected	—
`7.7.2`	affected	—
`6.9.2`	affected	—
`7.9.1`	affected	—
`7.10.1`	affected	—
`7.8.2`	affected	—
`7.5.4`	affected	—
`6.5.33`	affected	—
`7.8.22`	affected	—
`7.7.21`	affected	—
`7.9.2`	affected	—
`7.3.5`	affected	—
`7.5.5`	affected	—
`7.11.1`	affected	—
`7.9.21`	affected	—
`7.10.2`	affected	—
`24.1.1`	affected	—
`7.6.3`	affected	—
`7.3.6`	affected	—
`7.5.52`	affected	—
`7.11.2`	affected	—
`24.2.1`	affected	—
`24.1.2`	affected	—
`24.2.11`	affected	—
`24.3.1`	affected	—
`24.4.1`	affected	—
`24.2.2`	affected	—
`7.8.23`	affected	—
`7.11.21`	affected	—
`24.2.20`	affected	—
`24.3.2`	affected	—
`24.4.10`	affected	—
`6.5.35`	affected	—
`25.1.1`	affected	—
`24.4.2`	affected	—
`24.3.20`	affected	—
`24.4.15`	affected	—
`25.2.1`	affected	—
`6.5.351`	affected	—
`25.1.2`	affected	—
`24.3.30`	affected	—
`25.3.1`	affected	—
`6.5.352`	affected	—
`24.4.30`	affected	—
`24.2.21`	affected	—
`25.4.1`	affected	—
`25.2.2`	affected	—
`25.2.15`	affected	—
`7.2.0`	affected	—
`7.0.0`	affected	—
`25.2.30`	affected	—
`6.5.353`	affected	—
`25.1.30`	affected	—
`25.3.15`	affected	—

No data.

Vendor Product Confidence Versions

Cisco

Ios Xr Software

88%

Version	Status	Scheme	Platform
`6.5.3`	affected	semver	—
`6.5.29`	affected	semver	—
`6.5.1`	affected	semver	—
`6.6.1`	affected	semver	—
`6.5.2`	affected	semver	—
`6.5.92`	affected	semver	—
`6.5.15`	affected	semver	—
`6.6.2`	affected	semver	—
`7.0.1`	affected	semver	—
`6.6.25`	affected	semver	—
`6.5.26`	affected	semver	—
`6.6.11`	affected	semver	—
`6.5.25`	affected	semver	—
`6.5.28`	affected	semver	—
`6.5.93`	affected	semver	—
`6.6.12`	affected	semver	—
`6.5.90`	affected	semver	—
`7.1.1`	affected	semver	—
`7.0.90`	affected	semver	—
`6.6.3`	affected	semver	—
`6.7.1`	affected	semver	—
`7.0.2`	affected	semver	—
`7.1.15`	affected	semver	—
`7.2.1`	affected	semver	—
`7.1.2`	affected	semver	—
`6.7.2`	affected	semver	—
`7.0.11`	affected	semver	—
`7.0.12`	affected	semver	—
`7.0.14`	affected	semver	—
`7.1.25`	affected	semver	—
`6.6.4`	affected	semver	—
`7.2.12`	affected	semver	—
`7.3.1`	affected	semver	—
`7.1.3`	affected	semver	—
`6.7.3`	affected	semver	—
`7.4.1`	affected	semver	—
`7.2.2`	affected	semver	—
`6.7.4`	affected	semver	—
`6.5.31`	affected	semver	—
`7.3.15`	affected	semver	—
`7.3.16`	affected	semver	—
`6.8.1`	affected	semver	—
`7.4.15`	affected	semver	—
`6.5.32`	affected	semver	—
`7.3.2`	affected	semver	—
`7.5.1`	affected	semver	—
`7.4.16`	affected	semver	—
`7.3.27`	affected	semver	—
`7.6.1`	affected	semver	—
`7.5.2`	affected	semver	—
`7.8.1`	affected	semver	—
`7.6.15`	affected	semver	—
`7.5.12`	affected	semver	—
`7.8.12`	affected	semver	—
`7.3.3`	affected	semver	—
`7.7.1`	affected	semver	—
`6.8.2`	affected	semver	—
`7.3.4`	affected	semver	—
`7.4.2`	affected	semver	—
`6.7.35`	affected	semver	—
`6.9.1`	affected	semver	—
`7.6.2`	affected	semver	—
`7.5.3`	affected	semver	—
`7.7.2`	affected	semver	—
`6.9.2`	affected	semver	—
`7.9.1`	affected	semver	—
`7.10.1`	affected	semver	—
`7.8.2`	affected	semver	—
`7.5.4`	affected	semver	—
`6.5.33`	affected	semver	—
`7.8.22`	affected	semver	—
`7.7.21`	affected	semver	—
`7.9.2`	affected	semver	—
`7.3.5`	affected	semver	—
`7.5.5`	affected	semver	—
`7.11.1`	affected	semver	—
`7.9.21`	affected	semver	—
`7.10.2`	affected	semver	—
`24.1.1`	affected	semver	—
`7.6.3`	affected	semver	—
`7.3.6`	affected	semver	—
`7.5.52`	affected	semver	—
`7.11.2`	affected	semver	—
`24.2.1`	affected	semver	—
`24.1.2`	affected	semver	—
`24.2.11`	affected	semver	—
`24.3.1`	affected	semver	—
`24.4.1`	affected	semver	—
`24.2.2`	affected	semver	—
`7.8.23`	affected	semver	—
`7.11.21`	affected	semver	—
`24.2.20`	affected	semver	—
`24.3.2`	affected	semver	—
`24.4.10`	affected	semver	—
`6.5.35`	affected	semver	—
`25.1.1`	affected	semver	—
`24.4.2`	affected	semver	—
`24.3.20`	affected	semver	—
`24.4.15`	affected	semver	—
`25.2.1`	affected	semver	—
`6.5.351`	affected	semver	—
`25.1.2`	affected	semver	—
`24.3.30`	affected	semver	—
`25.3.1`	affected	semver	—
`6.5.352`	affected	semver	—
`24.4.30`	affected	semver	—
`24.2.21`	affected	semver	—
`25.4.1`	affected	semver	—
`25.2.2`	affected	semver	—
`25.2.15`	affected	semver	—
`7.2.0`	affected	semver	—
`7.0.0`	affected	semver	—
`25.2.30`	affected	semver	—
`6.5.353`	affected	semver	—
`25.1.30`	affected	semver	—
`25.3.15`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Project Subscriptions

Vendors	Products
Cisco Subscribe	Ios Xr Software Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W

History

Thu, 12 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco ios Xr Software
Vendors & Products		Cisco Cisco ios Xr Software

Wed, 11 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 11 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the CLI of Cisco IOS XR Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user arguments that are passed to specific CLI commands. An attacker with a low-privileged account could exploit this vulnerability by using crafted commands at the prompt. A successful exploit could allow the attacker to elevate privileges to root and execute arbitrary commands on the underlying operating system.
Title		Cisco IOS XR Software CLI Privilege Escalation Vulnerability
Weaknesses		CWE-78
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-privesc-bF8D5U4W
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-03-11T16:31:14.292Z

Updated: 2026-03-12T03:55:35.692Z

Reserved: 2025-10-08T11:59:15.354Z

Link: CVE-2026-20040

Vulnrichment

Updated: 2026-03-11T17:14:26.684Z

NVD

Status : Received

Published: 2026-03-11T17:16:54.747

Modified: 2026-03-11T17:16:54.747

Link: CVE-2026-20040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-12T09:57:52Z

Weaknesses

CWE-78

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object