Cisco IOx Application Hosting Environment Stored Cross-Site Scripting Vulnerability

Monitor | CVSS 4.8 | cisco-sa-iox-xss-LpGkzwtJ | Mar 25, 2026
Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: Required
Summary

A stored cross-site scripting (XSS) vulnerability in the Cisco IOx application hosting environment web-based management interface allows an authenticated administrator to inject malicious script code into the interface. Due to insufficient input validation, the injected code is stored and executed when other users access affected pages, potentially allowing session hijacking, credential theft, or unauthorized actions. An attacker requires valid administrative credentials to exploit this vulnerability. Affected versions are Cisco IOx 16.10.1 through 17.9.8.

What this means
What could happen
An authenticated attacker with admin credentials could inject malicious script code into the IOx web interface that executes when other administrators access the interface, potentially stealing credentials or session information or disrupting access to device management.
Who's at risk
Utilities and industrial facilities using Cisco IOx Application Hosting Environment as part of IOS XE-based edge routers, industrial switches, or connected devices for hosting customer applications. This affects network administrators and operations staff who use the web interface to manage hosted applications and device policies.
How it could be exploited
An attacker with valid admin credentials logs into the IOx web management interface, injects malicious JavaScript into input fields on vulnerable pages, and the script is stored and executed when other users (especially other admins) visit those pages in their browser, allowing cookie/session theft or actions on their behalf.
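The failure described above is a rendering problem: a stored field is written into the page as markup instead of as text. The following is an added illustration, not Cisco's code or anything from the advisory, showing the vulnerable concatenation pattern beside the output-encoded form and a small check a reviewer can run over rendered HTML. The application records and the description value are constructed samples.

```javascript
// Added example (not Cisco's code): why a web UI that stores and later
// re-renders administrator-supplied text is a stored-XSS sink, and what
// contextual output encoding at render time changes. Runs under Node.

// Escape the characters that can break out of HTML text or a quoted
// attribute value. Encoding happens at output time, not at input time,
// so the stored value stays intact and every render path is covered.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed stand-in for persisted application records that a hosting UI
// would render for every administrator who opens the application list.
const storedApps = [
  { name: "sensor-collector", description: "Reads Modbus sensors" },
  // Constructed sample: a description field that carries markup instead
  // of plain text. Without encoding, the browser treats it as HTML.
  { name: "rogue-app", description: '<img src=x onerror="alert(1)">' },
];

// Vulnerable pattern: stored fields concatenated straight into markup.
// This is what "insufficient input validation" looks like in practice.
function renderUnsafe(apps) {
  return apps
    .map((a) => `<tr><td>${a.name}</td><td>${a.description}</td></tr>`)
    .join("");
}

// Hardened pattern: identical template, every stored field encoded for the
// HTML text context it lands in.
function renderSafe(apps) {
  return apps
    .map((a) => `<tr><td>${escapeHtml(a.name)}</td><td>${escapeHtml(a.description)}</td></tr>`)
    .join("");
}

// Review/detection helper: does the rendered page still contain a raw
// script-capable element? Encoded output contains "&lt;img", never "<img".
function leaksMarkup(html) {
  return /<(script|img|svg|iframe|object|embed)\b/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe render leaks markup:", leaksMarkup(renderUnsafe(storedApps)));
console.log("safe render leaks markup:  ", leaksMarkup(renderSafe(storedApps)));
```

Encoding at render time is the fix; session-cookie `HttpOnly` flags and a restrictive Content-Security-Policy reduce what a successful injection can do, but they do not remove the vulnerability.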
Prerequisites
  • Valid administrative credentials for the IOx management interface
  • Network access to the IOx web management interface (typically port 443 HTTPS)
  • Victim admin must visit a page containing the injected payload
  • Remotely exploitable
  • Requires valid administrative credentials
  • Low attack complexity
  • Stored payload affects multiple users
  • No workaround available
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product: Cisco IOx Application Hosting Environment
Affected Versions: 16.10.1 through 17.9.8
Fix Status: Fix available
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the IOx web management interface to authorized administrative workstations only, using firewall rules or network segmentation.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Cisco IOS XE Software on affected devices to version 17.9.9 or later, or version 16.11.10 or later (check Cisco advisories for your specific software branch).
HARDENING: Review IOx user accounts and remove or disable any administrative accounts that are not actively used.
Long-term hardening
HARDENING: Ensure administrative credentials for IOx are unique and strong, and rotate them if any account access is suspected.
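Scheduling the hotfix starts with knowing which devices sit inside the affected range. The following is an added inventory filter, not Cisco's or OTPulse's tooling, that compares dotted version strings numerically against the range and the two fixed versions the advisory names. The per-branch "fixed from" mapping and the trailing-letter handling are this example's assumptions, and the device list is constructed.

```javascript
// Added example (not Cisco's or OTPulse's code): a first-pass inventory
// filter that flags software versions inside the affected range this
// advisory states (16.10.1 through 17.9.8) and recognises the two fixed
// versions it names (17.9.9 or later, 16.11.10 or later).
// Assumptions: versions are "major.minor.patch" with an optional trailing
// letter that is ignored; the per-branch mapping below is this example's
// reading of the advisory text, not a Cisco-published table.

const AFFECTED_FROM = "16.10.1";
const AFFECTED_TO = "17.9.8";
// Assumed mapping from major release train to the first fixed version.
const FIXED_FROM = { 16: "16.11.10", 17: "17.9.9" };

// Parse "17.9.4a" -> [17, 9, 4]. Throws on anything that is not numeric,
// so a malformed inventory entry is surfaced rather than silently skipped.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)[a-z]?$/i.exec(String(text).trim());
  if (!m) throw new Error(`unrecognised version string: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison: -1, 0 or 1. String comparison
// would wrongly rank "17.10.1" below "17.9.8".
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va[i] !== vb[i]) return va[i] < vb[i] ? -1 : 1;
  }
  return 0;
}

// Classify one version as "affected", "fixed" or "outside-range".
function classify(version) {
  const major = parseVersion(version)[0];
  const fixedFrom = FIXED_FROM[major];
  if (fixedFrom && compareVersions(version, fixedFrom) >= 0) return "fixed";
  if (
    compareVersions(version, AFFECTED_FROM) >= 0 &&
    compareVersions(version, AFFECTED_TO) <= 0
  ) {
    return "affected";
  }
  return "outside-range";
}

// Constructed inventory sample.
const inventory = [
  { host: "edge-rtr-01", version: "17.6.4" },
  { host: "edge-rtr-02", version: "17.9.9" },
  { host: "ind-sw-01", version: "16.11.10" },
  { host: "ind-sw-02", version: "16.9.5" },
  { host: "edge-rtr-03", version: "17.12.2" },
];

// Hosts still in the affected range, i.e. the patch-window candidates.
function affectedHosts(devices) {
  return devices
    .filter((d) => classify(d.version) === "affected")
    .map((d) => d.host);
}

console.log(affectedHosts(inventory));
```

The output is a starting list, not a verdict: the advisory itself says fixed releases depend on the software branch, so a host the filter marks "fixed" on a train not listed in the mapping (17.12.x here) still needs checking against the Cisco advisory for that train.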

Source: OTPulse advisory page (CVSS 4.8)