Cisco Catalyst Center Vulnerability Lets Remote Attackers Read Arbitrary Files


Cisco has disclosed a high-severity vulnerability in Catalyst Center that could allow unauthenticated remote attackers to read arbitrary files from affected systems.

The flaw is tracked as CVE-2026-20191 and carries a CVSS 3.1 score of 7.5. Cisco said in its Catalyst Center security advisory that the issue comes from insufficient validation of user-supplied input.

An attacker could exploit the bug by sending a crafted HTTP request to an affected device. A successful attack could expose arbitrary files from a restricted container on the affected Catalyst Center system.

What CVE-2026-20191 Allows

CVE-2026-20191 is a path traversal vulnerability. The NVD record for CVE-2026-20191 lists the weakness as CWE-22, which covers improper restriction of a pathname to an intended directory.

The vulnerability affects confidentiality, not integrity or availability. Cisco's scoring shows high confidentiality impact, with no direct impact listed for data modification or service disruption.

The restricted container detail matters. It means the flaw does not automatically imply full host compromise, but file-read access can still expose sensitive configuration data, tokens, logs, or internal system details.

Why Catalyst Center Is a Sensitive Target

Cisco Catalyst Center, formerly known as Cisco DNA Center, is used for centralized network management, automation, assurance, and policy operations across enterprise networks.

That role makes any file-read flaw important. A management platform can contain information that helps attackers understand network architecture, device inventory, integrations, and administrative workflows.

The issue becomes more urgent when management interfaces are exposed to the internet or reachable from weakly segmented internal networks. Attackers often scan for newly disclosed flaws after vendor advisories go public.

Affected Deployments and Fixed Releases

| Deployment type | Affected release | First fixed release |
|---|---|---|
| Hardware appliances | 3.1 | 3.1.6 GSMU200 |
| Virtual appliances on AWS | 3.1 | 3.1.6 GSMU200 |
| Virtual appliances on Microsoft Azure | 3.1 | 3.1.6 GSMU200 |
| Virtual appliances on VMware ESXi | 2.3.7 | 2.3.7.11-VA GSMU100 |
| Virtual appliances on VMware ESXi | 3.1 | 3.1.6 GSMU200 |

Cisco lists fixed software for each affected platform. Administrators should verify both the deployment type and the exact release, because the 2.3.7 VMware ESXi line has a different fixed build than the 3.1 line.

The Catalyst Center data sheet describes the product as a platform for managing network operations from a central dashboard. That central role increases the risk when a file-read issue affects the management plane.

No Workaround Available

Cisco says there are no workarounds for CVE-2026-20191. Organizations need to install the fixed software versions to fully address the flaw.

The Cisco Security Vulnerability Policy explains how Cisco handles vulnerability disclosures and fixed software guidance. For this issue, the vendor's recommended path is direct upgrade rather than configuration-only mitigation.

Security teams can still reduce exposure while planning the upgrade. They should limit access to Catalyst Center interfaces, block unnecessary external reachability, and place management systems behind trusted access controls.

Exploitation Status

Cisco PSIRT said it was not aware of public announcements or malicious use of the vulnerability when the advisory was published. No public proof-of-concept exploit was listed in the advisory at disclosure time.

The NVD entry also shows the issue as network reachable, low complexity, and requiring no privileges or user interaction. That combination usually raises patching priority even when exploitation has not yet been observed.

Organizations should not wait for confirmed attacks before taking action. Unauthenticated HTTP-based flaws in management platforms can become scanning targets quickly after disclosure.

  • Inventory all Catalyst Center hardware and virtual deployments.
  • Confirm whether any affected 3.1 or VMware ESXi 2.3.7 releases are running.
  • Upgrade affected 3.1 deployments to 3.1.6 GSMU200.
  • Upgrade affected VMware ESXi 2.3.7 deployments to 2.3.7.11-VA GSMU100.
  • Restrict access to Catalyst Center interfaces to trusted networks and administrators.
  • Review HTTP logs for unusual path traversal patterns or suspicious file access attempts.
  • Monitor for follow-on activity, including failed logins, reconnaissance, and unexpected configuration review.

Administrators should avoid exposing Catalyst Center directly to the public internet. Management systems should sit behind VPNs, zero-trust access, jump hosts, or other controlled administrative paths.

Network segmentation also matters. Ordinary user networks, guest networks, and partner networks should not have broad access to infrastructure management platforms.

Why File-Read Vulnerabilities Can Escalate Risk

Arbitrary file read does not always give an attacker immediate control of a system. However, attackers often use file access to search for secrets, configuration files, logs, certificates, and internal service details.

Those details can support future attacks. A stolen token, exposed configuration file, or readable log entry may help an attacker move from information disclosure to account abuse or lateral movement.

That is why CVE-2026-20191 should receive more attention than a routine information disclosure bug. Catalyst Center often has visibility into critical network environments.

What Security Teams Should Hunt For

| Area | What to review |
|---|---|
| HTTP requests | Encoded paths, directory traversal patterns, and requests for sensitive file locations |
| Source IPs | Connections from unexpected external addresses or untrusted internal zones |
| Management access | Unusual access attempts before or after suspicious file-read probes |
| Configuration changes | Unexpected modifications after the exposure window |
| Credential activity | Failed logins, new sessions, or account behavior that follows suspicious requests |
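
The HTTP request and source IP review described above, sketched as an added example (not Cisco tooling and not taken from the advisory): it percent-decodes each request target until stable, flags `..` path segments, and records whether the response was a 2xx and whether the client sits outside a trusted management subnet. The combined log format, the `/example/...` paths, the addresses and the `TRUSTED_NETS` value are constructed assumptions, since this page does not name the affected endpoint.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: administrators reach the appliance only from this subnet.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample lines; the combined log format and paths are assumptions.
SAMPLE_LOG = """\
10.0.0.15 - - [01/Jan/2026:10:00:02 +0000] "GET /example/files?name=../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /example/files?name=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0
203.0.113.9 - - [01/Jan/2026:10:00:06 +0000] "GET /example/files?name=%252e%252e%252fapp.conf HTTP/1.1" 200 77
198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /example/report..final.pdf HTTP/1.1" 200 9000
"""

# Captures client IP (must be an IP literal), request target and status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# ".." as a whole segment, so "report..final.pdf" is not flagged.
DOTDOT_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')

def decode_fully(target, max_rounds=3):
    """Percent-decode until stable; return (decoded, rounds) to expose nested encoding."""
    for rounds in range(max_rounds + 1):
        decoded = unquote(target)
        if decoded == target or rounds == max_rounds:
            return target, rounds
        target = decoded

def hunt(log_text):
    """Return one finding per request whose decoded target holds a '..' segment."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        decoded, rounds = decode_fully(target)
        if not DOTDOT_RE.search(decoded):
            continue
        findings.append({
            "ip": ip, "decoded": decoded, "encoding_layers": rounds,
            "served": status.startswith("2"),  # 2xx: content may have been returned
            "untrusted_source": not any(ipaddress.ip_address(ip) in n for n in TRUSTED_NETS),
        })
    return findings

if __name__ == "__main__":
    print(*hunt(SAMPLE_LOG), sep="\n")
```

Findings with `served` set and more than one encoding layer deserve the earliest review, and a hit from inside the trusted subnet is still a hit worth explaining.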

The Cisco advisory says the vulnerability was found during the resolution of a Cisco Technical Assistance Center support case. That means the issue came from internal support investigation rather than a public exploit report.

Even without confirmed exploitation, defenders should assume opportunistic probing may follow. Public advisories can give attackers enough information to begin testing exposed systems.

Security Takeaway

The immediate fix is clear: affected Cisco Catalyst Center deployments need the vendor-provided software update. Since no workaround exists, patching remains the only complete remediation.

Organizations should also treat management-plane exposure as a separate risk. The Catalyst Center product page shows how central the platform can be to enterprise network operations, which makes access control especially important.

The Cisco data sheet highlights the platform's role in automation, assurance, and network visibility. The Cisco vulnerability policy also reinforces why administrators should monitor advisories and move quickly when fixed software becomes available.

FAQ

What is CVE-2026-20191?

CVE-2026-20191 is a high-severity Cisco Catalyst Center vulnerability that can allow an unauthenticated remote attacker to read arbitrary files from a restricted container on an affected system.

Is there a workaround for CVE-2026-20191?

No. Cisco says there are no workarounds for this vulnerability. Customers should upgrade affected Catalyst Center deployments to the fixed software releases listed by Cisco.

Which Cisco Catalyst Center versions fix the flaw?

Cisco lists 3.1.6 GSMU200 as the fixed release for affected 3.1 deployments. VMware ESXi virtual appliances running the 2.3.7 line should update to 2.3.7.11-VA GSMU100.

Has Cisco seen active exploitation of CVE-2026-20191?

Cisco PSIRT said it was not aware of public announcements or malicious use of the vulnerability when the advisory was published.

What should administrators do after patching Catalyst Center?

Administrators should restrict management access, review HTTP logs for suspicious file-path requests, monitor for reconnaissance, and confirm Catalyst Center is not exposed to untrusted networks.
