Cisco IOS XR Software CLI Privilege Escalation Vulnerabilities
Action: Plan Patch
Severity score: 8.8
Cisco advisory: cisco-sa-iosxr-privesc-bF8D5U4W
Published: Mar 11, 2026
Vendor: Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
- Attack vector: Local
- Auth required: Low
- Complexity: Low
- User interaction: None needed
Summary
Multiple privilege escalation vulnerabilities exist in the CLI of Cisco IOS XR Software. An authenticated local attacker could exploit them to execute commands with root privileges or to gain full administrative control of the device. CVE-2026-20040 has no workaround and requires a software update. CVE-2026-20046 can be mitigated on devices that use TACACS+ command authorization by restricting the commands non-administrative users are allowed to run.
What this means
What could happen
An authenticated local attacker could execute arbitrary commands as root on a Cisco IOS XR router, or gain full administrative control of it, and from there alter routing behavior, disable failover mechanisms, or disrupt network operations.
Who's at risk
Operators of Cisco IOS XR routers in any environment (service provider, enterprise, or municipal networks). All versions of IOS XR Software are listed as affected, including devices deployed in critical infrastructure networks that rely on carrier-grade routing platforms.
How it could be exploited
An attacker who already has CLI access to the device, either through a valid low-privilege (operator or engineer) account over SSH or the console or through a compromised account of that kind, exploits a privilege escalation flaw in the CLI to run commands as root. Once at root, the attacker has full control of the router; the initial foothold is no more than ordinary operator access.
Prerequisites
- Command-line access to the IOS XR device over SSH, Telnet, or the physical console
- A valid authenticated account with CLI privileges (operator level or higher)
Key points
- Low-complexity exploit
- Requires valid user credentials
- Can lead to full device compromise
- Affects network infrastructure availability
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product            Affected versions   Fix status
IOS XR Software    All versions        Fix available
Remediation & Mitigation
Do now
- Workaround (CVE-2026-20046 only): if the deployment uses TACACS+ command authorization, configure AAA command authorization policies so that non-administrative users are allowed only the commands they need and everything else is denied. This does not address CVE-2026-20040, and devices that do not use TACACS+ command authorization have no workaround for either CVE and must be patched.
Schedule (requires maintenance window)
- Hotfix: update Cisco IOS XR Software to a fixed release as listed in Cisco's March 2026 advisory (cisco-sa-iosxr-privesc-bF8D5U4W). Patching may require a device reboot, so plan for the process interruption.
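The shape of the CVE-2026-20046 workaround, as an added example that is not part of the advisory or of Cisco's own documentation: the IOS XR side sends every CLI command to TACACS+ for authorization, and the TACACS+ server applies a deny-by-default policy to the operator group. The server address, shared secret, group and user names are assumptions, the allowed command list is illustrative and must be fitted to what each role actually needs, and the server-side syntax shown is that of the Shrubbery tac_plus daemon; substitute the equivalent for whatever TACACS+ server you run.

```text
! --- IOS XR side (assumed address and names): authorize every CLI command via TACACS+ ---
tacacs-server host 192.0.2.10 port 49
 key 0 <shared-secret>
!
aaa group server tacacs+ TAC-SERVERS
 server 192.0.2.10
!
aaa authentication login default group TAC-SERVERS local
aaa authorization exec default group TAC-SERVERS local
! Command authorization with no "none" fallback: an unreachable server must not
! silently permit every command.
aaa authorization commands default group TAC-SERVERS
! Command accounting gives the audit trail of what each account actually ran.
aaa accounting commands default start-stop group TAC-SERVERS
!

# --- TACACS+ side (tac_plus syntax, assumed): deny-by-default policy for operators ---
group = noc-operators {
    default service = deny        # anything not explicitly listed below is rejected
    service = exec {
        priv-lvl = 1
    }
    cmd = show       { permit .* }   # read-only state
    cmd = ping       { permit .* }
    cmd = traceroute { permit .* }
    cmd = terminal   { permit .* }
    cmd = exit       { permit .* }
    # configure, run, admin and the like are not listed, so they fall through to the deny
}
user = alice {
    member = noc-operators
    login = des <hashed-password>
}
```

Verify the policy from the device side rather than trusting the configuration: log in with an account in the operator group, confirm that a command outside the allowlist is rejected, and confirm the attempt shows up in the TACACS+ accounting log. Administrative accounts keep their own, broader group; the point of the workaround is that an ordinary operator account cannot reach the commands it does not need.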
CVEs (2)
- CVE-2026-20040: no workaround; requires a software update
- CVE-2026-20046: workaround available on devices using TACACS+ command authorization; fix by software update