Cisco patches two IOS XR flaws that can let low-privileged users gain root or full admin control
Cisco has released software updates for two high-severity vulnerabilities in IOS XR Software that can let an authenticated local attacker escalate privileges on affected devices. One flaw, CVE-2026-20040, can allow a low-privileged user to execute arbitrary commands as root on the underlying operating system. The second, CVE-2026-20046, can let a low-privileged user gain full administrative control of an affected device.
The vulnerabilities were published as part of Cisco’s March 11, 2026 semiannual IOS XR Software Security Advisory bundle. Cisco says the two issues carry a High security impact rating, with the bundled advisory listing a CVSS base score of 8.8 for the IOS XR CLI privilege escalation vulnerabilities. Cisco also says it has released software updates that address the flaws.
CVE-2026-20040 is the more alarming of the pair because it can lead directly to root command execution. Cisco says the issue exists because IOS XR does not properly validate user arguments passed to specific CLI commands. An authenticated local attacker with a low-privileged account could exploit the flaw with crafted commands at the prompt and then run arbitrary commands as root on the underlying operating system.
CVE-2026-20046 takes a different path. Cisco says the flaw comes from incorrect mapping of a CLI command to task groups in the source code. A low-privileged local user could exploit it to bypass task group-based authorization checks and gain full administrative control of the device.
The affected scope differs between the two bugs. Cisco says CVE-2026-20040 affects Cisco IOS XR Software regardless of device configuration, while CVE-2026-20046 affects Cisco IOS XRv 9000 Routers regardless of configuration. Cisco also says IOS, IOS XE, and NX-OS are not affected by these vulnerabilities.
Cisco discovered both issues during internal security testing, and the company says it is not aware of public exploit code or active in-the-wild exploitation at the time of publication. That lowers the immediate panic level, but it does not reduce the urgency for network teams that rely on IOS XR in production. Privilege escalation flaws on routing infrastructure can quickly become a much bigger problem if an attacker already has local access or steals a low-level account.
What each flaw does
| CVE | Impact | Attack requirements | Affected product |
|---|---|---|---|
| CVE-2026-20040 | Execute arbitrary commands as root | Authenticated, local attacker with a low-privileged account | Cisco IOS XR Software |
| CVE-2026-20046 | Gain full administrative control | Authenticated, local attacker with a low-privileged account | Cisco IOS XRv 9000 Routers |
Why this matters for admins
These bugs do not require remote unauthenticated access, but they still matter. In many real breaches, attackers first land with limited access and then look for local privilege escalation paths. A flaw that turns a low-privileged account into root or full admin control can give an intruder a direct route to tamper with routing behavior, change configurations, or plant deeper persistence.
That risk makes patching more important than waiting for public exploit chatter. Cisco has already shipped fixes, which gives defenders a clear action path.
What Cisco recommends
- Upgrade affected devices to a fixed software release as soon as possible.
- Prioritize CVE-2026-20040 because Cisco lists no workaround for it.
- For CVE-2026-20046, use TACACS+ AAA command authorization where possible to limit non-admin users to only required commands.
- Review low-privilege accounts and task group assignments on IOS XR systems.
- Confirm whether any IOS XRv 9000 deployments remain on vulnerable releases.
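The account review step above can be started from a saved `show running-config username` dump. The following is an added example (not code from Cisco's advisory): it parses IOS XR `username` blocks, lists each account's task groups, and separates privileged accounts from the low-privileged ones that both advisories name as the attacker's starting point. The sample config is constructed, the `$6$PLACEHOLDER` secrets are placeholders, and the set of groups treated as privileged is an assumption to adjust for locally defined task groups.

```python
"""Inventory IOS XR local accounts and their group assignments from a
'show running-config username' dump, to support the account review step."""
import re
from typing import Dict, List, Tuple

# Predefined IOS XR groups treated here as administrative-level.
# Assumption: extend this set with locally defined privileged taskgroups.
PRIVILEGED_GROUPS = {"root-lr", "root-system", "sysadmin", "netadmin"}

# Constructed sample dump in IOS XR config format (not from a real device).
SAMPLE_CONFIG = """\
username admin
 group root-lr
 group cisco-support
 secret 10 $6$PLACEHOLDER
!
username ops1
 group operator
 secret 10 $6$PLACEHOLDER
!
username svc-backup
 group netadmin
!
username legacy-user
 secret 10 $6$PLACEHOLDER
!
"""


def parse_usernames(config: str) -> Dict[str, List[str]]:
    """Return {username: [groups]} from the 'username' blocks in a dump."""
    users: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^username (\S+)\s*$", line)
        if m:                                   # start of a new account block
            current = m.group(1)
            users[current] = []
        elif current and line.startswith(" group "):
            users[current].append(line.split()[1])
        elif line.strip() == "!":               # block terminator
            current = None
    return users


def classify(users: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Split accounts into (privileged, low-privileged) by group membership."""
    privileged = sorted(u for u, g in users.items() if set(g) & PRIVILEGED_GROUPS)
    low = sorted(u for u, g in users.items() if not set(g) & PRIVILEGED_GROUPS)
    return privileged, low


if __name__ == "__main__":
    priv, low = classify(parse_usernames(SAMPLE_CONFIG))
    print("privileged accounts:", priv)
    print("low-privileged accounts to review:", low)
```

Accounts with no `group` line at all (like `legacy-user` in the sample) land in the low-privileged bucket and are worth a second look, since they are exactly the kind of forgotten local account an intruder can reuse.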
Fixed software guidance
Cisco says customers should move to the fixed software releases identified in the advisory. Fixed releases cited in Cisco’s guidance include 25.2.21 and 25.4.2, depending on branch and platform eligibility. Cisco advises admins to use the advisory’s fixed software section to match their exact release train and hardware.
FAQ
What is CVE-2026-20040?
It is a Cisco IOS XR CLI privilege escalation flaw that can let a low-privileged authenticated local user execute arbitrary commands as root.
What is CVE-2026-20046?
It is a separate IOS XR privilege escalation flaw that can let a low-privileged authenticated local user bypass authorization checks and gain full administrative control.
Are IOS, IOS XE, or NX-OS affected?
Cisco says no. The company has confirmed these two vulnerabilities do not affect IOS, IOS XE, or NX-OS.
Is there a workaround?
Cisco says there is no workaround for CVE-2026-20040. For CVE-2026-20046, Cisco says admins can reduce risk by using TACACS+ AAA command authorization to restrict commands available to non-admin users.
Are these flaws being exploited?
Cisco says it is not aware of public exploit code or malicious use in the wild at the time of publication.