Cisco Catalyst Center Vulnerability Lets Remote Attackers Read Arbitrary Files
Cisco has disclosed a high-severity vulnerability in Catalyst Center that could allow unauthenticated remote attackers to read arbitrary files from affected systems.
The flaw is tracked as CVE-2026-20191 and carries a CVSS 3.1 score of 7.5. Cisco said in its Catalyst Center security advisory that the issue comes from insufficient validation of user-supplied input.
An attacker could exploit the bug by sending a crafted HTTP request to an affected device. A successful attack could expose arbitrary files from a restricted container on the affected Catalyst Center system.
What CVE-2026-20191 Allows
CVE-2026-20191 is a path traversal vulnerability. The NVD record for CVE-2026-20191 lists the weakness as CWE-22, which covers improper restriction of a pathname to an intended directory.
The vulnerability affects confidentiality, not integrity or availability. Cisco's scoring shows high confidentiality impact, with no direct impact listed for data modification or service disruption.
The restricted container detail matters. It means the flaw does not automatically imply full host compromise, but file-read access can still expose sensitive configuration data, tokens, logs, or internal system details.
Why Catalyst Center Is a Sensitive Target
Cisco Catalyst Center, formerly known as Cisco DNA Center, is used for centralized network management, automation, assurance, and policy operations across enterprise networks.
That role makes any file-read flaw important. A management platform can contain information that helps attackers understand network architecture, device inventory, integrations, and administrative workflows.
The issue becomes more urgent when management interfaces are exposed to the internet or reachable from weakly segmented internal networks. Attackers often scan for newly disclosed flaws after vendor advisories go public.
Affected Deployments and Fixed Releases
| Deployment type | Affected release | First fixed release |
|---|---|---|
| Hardware appliances | 3.1 | 3.1.6 GSMU200 |
| Virtual appliances on AWS | 3.1 | 3.1.6 GSMU200 |
| Virtual appliances on Microsoft Azure | 3.1 | 3.1.6 GSMU200 |
| Virtual appliances on VMware ESXi | 2.3.7 | 2.3.7.11-VA GSMU100 |
| Virtual appliances on VMware ESXi | 3.1 | 3.1.6 GSMU200 |
Cisco lists fixed software for each affected platform. Administrators should verify both the deployment type and the exact release, because the 2.3.7 VMware ESXi line has a different fixed build than the 3.1 line.
The Catalyst Center data sheet describes the product as a platform for managing network operations from a central dashboard. That central role increases the risk when a file-read issue affects the management plane.
No Workaround Available
Cisco says there are no workarounds for CVE-2026-20191. Organizations need to install the fixed software versions to fully address the flaw.
The Cisco Security Vulnerability Policy explains how Cisco handles vulnerability disclosures and fixed software guidance. For this issue, the vendor's recommended path is direct upgrade rather than configuration-only mitigation.
Security teams can still reduce exposure while planning the upgrade. They should limit access to Catalyst Center interfaces, block unnecessary external reachability, and place management systems behind trusted access controls.
Exploitation Status
Cisco PSIRT said it was not aware of public announcements or malicious use of the vulnerability when the advisory was published. No public proof-of-concept exploit was listed in the advisory at disclosure time.
The NVD entry also shows the issue as network reachable, low complexity, and requiring no privileges or user interaction. That combination usually raises patching priority even when exploitation has not yet been observed.
Organizations should not wait for confirmed attacks before taking action. Unauthenticated HTTP-based flaws in management platforms can become scanning targets quickly after disclosure.
Recommended Actions for Administrators
- Inventory all Catalyst Center hardware and virtual deployments.
- Confirm whether any affected 3.1 or VMware ESXi 2.3.7 releases are running.
- Upgrade affected 3.1 deployments to 3.1.6 GSMU200.
- Upgrade affected VMware ESXi 2.3.7 deployments to 2.3.7.11-VA GSMU100.
- Restrict access to Catalyst Center interfaces to trusted networks and administrators.
- Review HTTP logs for unusual path traversal patterns or suspicious file access attempts.
- Monitor for follow-on activity, including failed logins, reconnaissance, and unexpected configuration review.
Administrators should avoid exposing Catalyst Center directly to the public internet. Management systems should sit behind VPNs, zero-trust access, jump hosts, or other controlled administrative paths.
Network segmentation also matters. Ordinary user networks, guest networks, and partner networks should not have broad access to infrastructure management platforms.
Why File-Read Vulnerabilities Can Escalate Risk
Arbitrary file read does not always give an attacker immediate control of a system. However, attackers often use file access to search for secrets, configuration files, logs, certificates, and internal service details.
Those details can support future attacks. A stolen token, exposed configuration file, or readable log entry may help an attacker move from information disclosure to account abuse or lateral movement.
That is why CVE-2026-20191 should receive more attention than a routine information disclosure bug. Catalyst Center often has visibility into critical network environments.
What Security Teams Should Hunt For
| Area | What to review |
|---|---|
| HTTP requests | Encoded paths, directory traversal patterns, and requests for sensitive file locations |
| Source IPs | Connections from unexpected external addresses or untrusted internal zones |
| Management access | Unusual access attempts before or after suspicious file-read probes |
| Configuration changes | Unexpected modifications after the exposure window |
| Credential activity | Failed logins, new sessions, or account behavior that follows suspicious requests |
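
A triage pass for the HTTP-request row of the table and the log-review item in the recommended actions, written as an added example that is not taken from Cisco's advisory or this article's sources. The log format (combined-log style, as a reverse proxy in front of the management interface might write it), the `/api/example` paths and the marker list are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumed combined-log-style format from a reverse proxy; adapt to your source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=])\.\.(?:[\\/]|$)')
ENCODED_RE = re.compile(r'%(?:25)*(?:2e|2f|5c)', re.IGNORECASE)
SENSITIVE_MARKERS = ("/etc/", "/proc/", "/.ssh/")  # illustrative, extend locally

# Constructed sample lines (documentation IP ranges, hypothetical /api/example paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /api/example/health HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "GET /api/example/file?name=../../etc/hosts HTTP/1.1" 200 220',
    '203.0.113.7 - - [01/Jan/2026:10:00:06 +0000] "GET /api/example/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404 0',
    '198.51.100.3 - - [01/Jan/2026:10:00:09 +0000] "GET /api/example/%252e%252e%252fconf HTTP/1.1" 403 0',
]

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so nested encodings collapse to plain text."""
    for rounds in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            return target, rounds
        target = decoded
    return target, max_rounds

def classify(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m["target"]
    decoded, rounds = fully_decode(raw)
    checks = [("traversal", TRAVERSAL_RE.search(decoded)),
              ("encoded-separator", ENCODED_RE.search(raw)),
              ("multi-encoded", rounds >= 2),
              ("sensitive-path", any(s in decoded.lower() for s in SENSITIVE_MARKERS))]
    reasons = [name for name, hit in checks if hit]
    if not reasons:
        return None
    # A 2xx answer means the request was served, so triage it first.
    return {"ip": m["ip"], "decoded": decoded, "reasons": reasons,
            "served": m["status"].startswith("2")}

def hunt(lines):
    """Findings for all lines, served (2xx) requests first."""
    findings = [f for f in map(classify, lines) if f]
    return sorted(findings, key=lambda f: not f["served"])
```

Correlate the source IPs from `hunt()` with the other rows of the table: management logins, new sessions and configuration changes from the same address after a flagged request.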
The Cisco advisory says the vulnerability was found during the resolution of a Cisco Technical Assistance Center support case. That means the issue came from internal support investigation rather than a public exploit report.
Even without confirmed exploitation, defenders should assume opportunistic probing may follow. Public advisories can give attackers enough information to begin testing exposed systems.
Security Takeaway
The immediate fix is clear: affected Cisco Catalyst Center deployments need the vendor-provided software update. Since no workaround exists, patching remains the only complete remediation.
Organizations should also treat management-plane exposure as a separate risk. The Catalyst Center product page shows how central the platform can be to enterprise network operations, which makes access control especially important.
The Cisco data sheet highlights the platform's role in automation, assurance, and network visibility. The Cisco vulnerability policy also reinforces why administrators should monitor advisories and move quickly when fixed software becomes available.
FAQ
CVE-2026-20191 is a high-severity Cisco Catalyst Center vulnerability that can allow an unauthenticated remote attacker to read arbitrary files from a restricted container on an affected system.
No. Cisco says there are no workarounds for this vulnerability. Customers should upgrade affected Catalyst Center deployments to the fixed software releases listed by Cisco.
Cisco lists 3.1.6 GSMU200 as the fixed release for affected 3.1 deployments. VMware ESXi virtual appliances running the 2.3.7 line should update to 2.3.7.11-VA GSMU100.
Cisco PSIRT said it was not aware of public announcements or malicious use of the vulnerability when the advisory was published.
Administrators should restrict management access, review HTTP logs for suspicious file-path requests, monitor for reconnaissance, and confirm Catalyst Center is not exposed to untrusted networks.