Cisco IOx Application Hosting Environment Carriage Return Line Feed Injection Vulnerability

Monitor | 5.3 | cisco-sa-iox-crlf-NvgKTKJZ | Mar 25, 2026
Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the IOx application hosting environment management interface allows an unauthenticated, remote attacker to inject carriage return and line feed characters via crafted packets. The interface does not properly validate user input. A successful exploit could allow the attacker to inject false log entries, corrupt log files, or obscure legitimate log events, impairing audit and forensic capabilities. Affected versions: IOS XE 16.10.1 through 17.9.8. Cisco has released software updates to address this vulnerability.

What this means
What could happen
An attacker could inject false log entries or corrupt log files on your edge or branch router, making it difficult to audit or investigate security events and operational changes.
Who's at risk
Network administrators at utilities and municipalities running Cisco edge routers or branch office appliances with IOx application hosting enabled (IOS XE 16.10.1 through 17.9.8). This affects Cisco ASR, ISR, and CSR series routers commonly used in industrial network deployments.
How it could be exploited
An attacker on the network sends specially crafted packets to the IOx management web interface port. The interface does not validate the input properly, allowing the attacker to insert carriage return and line feed characters into the logs, creating fake entries or disrupting the log file structure.
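The mechanism described above is generic to any log writer that copies request-controlled text into a line-oriented log without neutralising CR and LF. The following added example (not Cisco's IOx code; the record format, field names and sample requests are constructed) shows the unsafe writer beside a sanitising one, and a simple consistency check that flags lines in an existing log that do not fit the expected record format or run backwards in time:

```python
"""
Added example, not Cisco code. Demonstrates (1) how an unsanitised field lets
one request produce extra log records, (2) the write-time sanitisation that
prevents it, and (3) a consistency check over an existing log file.
The record format, field names and all sample data are constructed.
"""
import re
from typing import List

# Constructed record format: ISO-8601 UTC timestamp, level, source IP, message.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (INFO|WARN|ERROR) \S+ .*$"
)


def format_entry_unsafe(timestamp: str, level: str, src_ip: str, message: str) -> str:
    """'Before' form: request-controlled text is written verbatim.
    A message containing CR/LF terminates the record early, and whatever
    follows is read back later as a separate record."""
    return f"{timestamp} {level} {src_ip} {message}\n"


def sanitize_field(value: str) -> str:
    """Neutralise characters that break record structure: CR and LF become
    their visible escapes, and other C0 control characters (except TAB) are
    dropped so they cannot manipulate a terminal or viewer either."""
    value = value.replace("\r", "\\r").replace("\n", "\\n")
    return "".join(ch for ch in value if ch >= " " or ch == "\t")


def format_entry_safe(timestamp: str, level: str, src_ip: str, message: str) -> str:
    """'After' form: every request-controlled field passes through sanitize_field,
    so one call always yields exactly one record."""
    return f"{timestamp} {level} {src_ip} {sanitize_field(message)}\n"


def parse_log(text: str) -> List[str]:
    """Split a log file into records the way a reader would (CR/LF or LF)."""
    return text.splitlines()


def find_suspect_lines(text: str) -> List[int]:
    """Return 1-based line numbers that either do not match the record format
    or carry a timestamp earlier than the previous well-formed record.
    Fragments left by CR/LF injection typically fail one of these checks."""
    suspects = []
    last_ts = ""
    for lineno, line in enumerate(parse_log(text), start=1):
        m = LOG_LINE.match(line)
        if m is None or m.group("ts") < last_ts:
            suspects.append(lineno)
            continue
        last_ts = m.group("ts")
    return suspects


if __name__ == "__main__":
    # Constructed request value carrying an embedded CR/LF sequence.
    tainted = "name=ok\r\n2026-03-25T10:00:01Z INFO 10.0.0.9 forged entry"
    unsafe = format_entry_unsafe("2026-03-25T10:00:00Z", "INFO", "10.0.0.9", tainted)
    safe = format_entry_safe("2026-03-25T10:00:00Z", "INFO", "10.0.0.9", tainted)
    print("unsafe writer produced", len(parse_log(unsafe)), "record(s)")
    print("safe writer produced", len(parse_log(safe)), "record(s)")
    print(safe.rstrip())
```

The sanitising writer is the change that belongs in the product itself; on an affected router the operator's options are the vendor update and reading the logs with the consistency check in mind. A forged line that happens to match the record format and timestamp order cannot be told apart from the file alone, which is why forwarding device logs to a separate collector that stamps its own receive time (standard practice, not something the advisory specifies) gives an independent record to compare against.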
Prerequisites
  • Network access to the IOx management interface (typically port 80 or 443)
  • The affected IOS XE version must be running and have IOx enabled
Tags: remotely exploitable, no authentication required, low complexity
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Cisco IOx Application Hosting Environment Carriage Return Line Feed Injection | 16.10.1 through 17.9.8 | Fix available
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Cisco IOS XE Software to version 17.10.1 or later on all affected routers
