Description
A vulnerability in the bootloader of Cisco IOS XE Software for Cisco Catalyst 9200 Series Switches, Cisco Catalyst ESS9300 Embedded Series Switches, Cisco Catalyst IE9310 and IE9320 Rugged Series Switches, and Cisco IE3500 and IE3505 Rugged Series Switches could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute arbitrary code at boot time and break the chain of trust.

This vulnerability is due to insufficient validation of software at boot time. An attacker could exploit this vulnerability by manipulating the loaded binaries on an affected device to bypass some of the integrity checks that are performed during the boot process. A successful exploit could allow the attacker to execute code that bypasses the requirement to run Cisco-signed images.

Cisco has assigned this security advisory a Security Impact Rating (SIR) of High rather than Medium as the score indicates because this vulnerability allows an attacker to bypass a major security feature of a device.
Published: 2026-03-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Boot-time arbitrary code execution that bypasses secure boot
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the bootloader of Cisco IOS XE Software on certain Cisco Catalyst and Rugged Series Switches. The bootloader performs integrity checks on the firmware image it loads, but the validation those checks perform is insufficient. An attacker with either level-15 local privileges or physical access can modify the binaries read during boot, causing the device to execute attacker-controlled code and bypass the requirement that only Cisco-signed images run, effectively breaking the secure boot chain of trust.

Affected Systems

Affected systems include Cisco Catalyst 9200 Series Switches, Cisco Catalyst ESS9300 Embedded Series Switches, Cisco Catalyst IE9310 and IE9320 Rugged Series Switches, and Cisco IE3500 and IE3505 Rugged Series Switches. All run Cisco IOS XE Software; specific affected firmware versions are not disclosed in the advisory.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, and the EPSS score is below 1%, suggesting a low current probability of exploitation. Nonetheless, because the flaw allows arbitrary code execution at boot and can be triggered with physical possession of the device or administrative credentials, it represents a serious risk. The vulnerability is not listed in the CISA KEV catalog, but the Cisco security advisory assigns it a Security Impact Rating of High because a successful exploit defeats secure boot.

Generated by OpenCVE AI on March 26, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Cisco IOS XE Software patch or upgrade referenced in the Cisco security advisory
  • Reboot the device after applying the patch to re-enforce secure boot
  • Verify that secure boot is enabled and that the device only loads Cisco-signed images
  • Conduct a review or inventory of installed binaries to confirm no unauthorized or modified firmware is present

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 10:00:00 +0000

Type: Title
Values Added: Bootloader Secure Boot Bypass on Cisco IOS XE Switches

Thu, 26 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Cisco; Cisco ios Xe Software
Type: Vendors & Products
Values Added: Cisco; Cisco ios Xe Software

Wed, 25 Mar 2026 16:15:00 +0000

Type: Description
Values Added: A vulnerability in the bootloader of Cisco IOS XE Software for Cisco Catalyst 9200 Series Switches, Cisco Catalyst ESS9300 Embedded Series Switches, Cisco Catalyst IE9310 and IE9320 Rugged Series Switches, and Cisco IE3500 and IE3505 Rugged Series Switches could allow an authenticated, local attacker with level-15 privileges or an unauthenticated attacker with physical access to an affected device to execute arbitrary code at boot time and break the chain of trust. This vulnerability is due to insufficient validation of software at boot time. An attacker could exploit this vulnerability by manipulating the loaded binaries on an affected device to bypass some of the integrity checks that are performed during the boot process. A successful exploit could allow the attacker to execute code that bypasses the requirement to run Cisco-signed images. Cisco has assigned this security advisory a Security Impact Rating (SIR) of High rather than Medium as the score indicates because this vulnerability allows an attacker to bypass a major security feature of a device.
Type: Weaknesses
Values Added: CWE-124
Type: References
Values Added: (empty)
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Cisco Ios Xe Software
MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-26T17:39:54.940Z

Reserved: 2025-10-08T11:59:15.371Z

Link: CVE-2026-20104

Vulnrichment

Updated: 2026-03-26T17:39:50.980Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T16:16:14.143

Modified: 2026-03-26T15:13:15.790

Link: CVE-2026-20104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:59Z

Weaknesses