Cisco IOS XE Software for Cisco Catalyst and Rugged Series Switches Secure Boot Bypass Vulnerability

Score 6.1 | cisco-sa-xe-secureboot-bypass-B6uYxYSZ | Mar 25, 2026
Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the bootloader of Cisco IOS XE Software for Cisco Catalyst and Rugged Series Switches allows an authenticated attacker with level-15 privileges or an unauthenticated attacker with physical access to bypass Secure Boot and execute arbitrary code at boot time. The vulnerability stems from insufficient validation of software during the boot process. An attacker could manipulate loaded binaries to bypass integrity checks, allowing execution of non-Cisco-signed code and breaking the chain of trust. This affects Catalyst 9200 Series, Catalyst ESS9300 Embedded Series, Catalyst IE9310/IE9320 Rugged Series, and IE3500/IE3505 Rugged Series Switches running vulnerable firmware versions.

What this means
What could happen
An attacker with physical access or administrative credentials can bypass Secure Boot on affected switches and run unsigned code, potentially gaining persistent control over critical network infrastructure devices. This breaks the chain of trust and allows circumvention of firmware integrity checks.
Who's at risk
Water and electric utilities that run Cisco Catalyst 9200, Catalyst ESS9300, Catalyst IE9310/IE9320 Rugged, or IE3500/IE3505 Rugged Series Switches in their network backbone or SCADA environments. Any of these switches running IOS XE 16.12.6 through 17.9.8 is listed as affected.
How it could be exploited
An attacker with level-15 CLI access (network admin credentials) or with physical access to the device can manipulate the binaries the bootloader loads. Because the bootloader's validation of that software is insufficient, the tampered binaries pass its integrity checks on the next reboot, so non-Cisco-signed code executes at boot time and the chain of trust is broken from that point on.
Prerequisites
  • Physical access to the device's console/storage, OR
  • Valid administrator (level-15) credentials and network access to the device's management interface
  • Affects critical network infrastructure (switches)
  • Requires physical access OR administrator credentials
  • Bypasses a major security feature (Secure Boot)
  • No workaround available; patch required
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
Cisco IOS XE Software for Cisco Catalyst and Rugged Series Switches | 16.12.6 through 17.9.8 | Fix available
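Added example for this page, not Cisco's tooling or the site's own code: a Python triage helper that reads "show version" output per switch, extracts the model and IOS XE release, and reports whether the device is on one of the listed platforms and inside the affected range stated above (16.12.6 through 17.9.8, inclusive). The model-name prefixes it matches (C9200, ESS9300, IE9310, IE9320, IE3500, IE3505) and the "show version" excerpts are assumptions constructed for illustration. Rebuild suffixes such as 17.9.4a are ordered after their base release. Releases above the range are reported as outside it, not as fixed, because the page does not state which releases carry the fix.

```python
"""Triage helper for cisco-sa-xe-secureboot-bypass-B6uYxYSZ.

Added example for this page; not Cisco's or the site's own tooling. It flags
switches whose "show version" output places them on a listed platform and
inside the affected IOS XE range stated on the page (16.12.6 through 17.9.8).
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, rebuild)

AFFECTED_MIN: Version = (16, 12, 6, 0)  # lower bound stated on this page
AFFECTED_MAX: Version = (17, 9, 8, 0)   # upper bound stated on this page

# ASSUMPTION: model-name prefixes for the listed platforms. Matched against the
# model string upper-cased with hyphens removed ("IE-9320-26S2C" -> "IE932026S2C").
AFFECTED_MODEL_PREFIXES = ("C9200", "ESS9300", "IE9310", "IE9320", "IE3500", "IE3505")

VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
# Stack-member row of the "Switch Ports Model SW Version ..." table, e.g.
# "*    1 28    C9200-24P          17.09.04a         CAT9K_LITE_IOSXE      INSTALL"
STACK_ROW_RE = re.compile(r"^\*?\s*\d+\s+\d+\s+(\S+)\s+\d+\.\d+\.\d+", re.M)
# Fallback: the processor line, e.g. "cisco IE-9320-26S2C (ARM64) processor with ..."
PLATFORM_LINE_RE = re.compile(r"^cisco\s+(\S+)\s+\(", re.M)


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch, rebuild) from the first "Version X.Y.Z[s]" found.

    Leading zeros ("17.09.04a") are accepted. A rebuild letter sorts after its
    base release and before the next patch: 17.9.4 < 17.9.4a < 17.9.5.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, rebuild = m.groups()
    rebuild_rank = (ord(rebuild) - ord("a") + 1) if rebuild else 0
    return (int(major), int(minor), int(patch), rebuild_rank)


def parse_model(text: str) -> Optional[str]:
    """Return the model string from the stack table, else from the processor line."""
    m = STACK_ROW_RE.search(text) or PLATFORM_LINE_RE.search(text)
    return m.group(1) if m else None


def is_listed_platform(model: str) -> bool:
    return model.upper().replace("-", "").startswith(AFFECTED_MODEL_PREFIXES)


def assess(show_version_text: str) -> str:
    """Classify one device from its "show version" output."""
    version = parse_version(show_version_text)
    model = parse_model(show_version_text)
    if version is None or model is None:
        return "UNPARSED"  # never let an unparsed device silently count as safe
    if not is_listed_platform(model):
        return "PLATFORM-NOT-LISTED"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "AFFECTED"
    # Above or below the page's range. Above is NOT proven fixed here: confirm the
    # target release against the fixed-release table in the Cisco advisory.
    return "OUTSIDE-RANGE"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a dict of hostname -> "show version" text."""
    return {host: assess(text) for host, text in inventory.items()}


# Constructed "show version" excerpts for illustration (not real device output).
SAMPLE_INVENTORY = {
    "sw-core-01": """\
Cisco IOS XE Software, Version 17.09.04a
cisco C9200-24P (ARM64) processor with 437104K/3071K bytes of memory.
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
*    1 28    C9200-24P          17.09.04a         CAT9K_LITE_IOSXE      INSTALL
""",
    "ie-plant-02": """\
Cisco IOS XE Software, Version 17.12.03
cisco IE-9320-26S2C (ARM64) processor with 1998284K/6147K bytes of memory.
""",
    "sw-dist-03": """\
Cisco IOS XE Software, Version 17.09.05
cisco C9300-48P (ARM64) processor with 1331521K/6147K bytes of memory.
""",
    "ess-rack-04": """\
Cisco IOS XE Software, Version 16.12.04
cisco ESS-9300-10X-E (ARM64) processor with 1331521K/6147K bytes of memory.
""",
    "ie-cell-05": """\
Cisco IOS XE Software, Version 17.09.06
cisco IE-3505-8P2S (ARM64) processor with 1998284K/6147K bytes of memory.
""",
    "console-junk": "% Invalid input detected at '^' marker.\n",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```

Run it as a script to print one status per host, or import triage() and feed it real captures. Devices reported as UNPARSED need manual review rather than being dropped from the list, and OUTSIDE-RANGE hosts above 17.9.8 should be checked against the Cisco advisory's fixed-release table before they are marked remediated.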
Remediation & Mitigation
Do now
HARDENING: Restrict physical access to affected switch devices, including console ports and drive bays
HARDENING: Limit administrative (level-15) credential access to switches through network access controls and strong authentication policies
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Cisco IOS XE Software on all affected Catalyst and Rugged Series Switches to a fixed release per Cisco advisory cisco-sa-xe-secureboot-bypass-B6uYxYSZ. Note that 17.9.8 appears on this page as the upper bound of the affected range, so confirm the target release is listed as fixed in the advisory before scheduling the window.
Long-term hardening
HARDENING: Enable audit logging on all affected switches, forwarded to a central collector, so that unauthorized configuration changes, unexpected reloads, and other boot anomalies are visible and retained off the device
API: /api/v1/advisories/deba10d8-297c-40a7-b1a7-45ff13ea02e5
