Cisco Catalyst Center Flaw Exposes Sensitive Files to Remote Attackers
CVE-2026-20191 in Cisco Catalyst Center allows unauthenticated attackers to read arbitrary files through path traversal. Affects version 3.1+ across hardware appliances and cloud deployments.
Cisco disclosed CVE-2026-20191, a high-severity path traversal vulnerability in Catalyst Center that allows unauthenticated remote attackers to read arbitrary files from affected systems. The flaw carries a CVSS score of 7.5 and impacts both hardware appliances and virtual deployments across AWS, Azure, and VMware ESXi.
The Vulnerability
The flaw exists in Catalyst Center's web interface due to insufficient input validation. Attackers can craft HTTP requests that traverse directory boundaries, escaping the intended file access restrictions to read sensitive files within the container environment.
According to Cisco's advisory, successful exploitation could expose:
- Configuration files
- Stored credentials
- System data
- Network topology information
While the vulnerability is contained within a restricted container, the accessible data could enable further attacks against the network infrastructure Catalyst Center manages.
Affected Deployments
The vulnerability impacts Catalyst Center version 3.1 and later across all deployment types:
- Hardware appliances
- AWS virtual deployments
- Azure virtual deployments
- VMware ESXi virtual machines
Versions earlier than 3.1 are not affected.
Patched Versions
Cisco released fixes in:
- Catalyst Center 3.1.6 GSMU200
- VMware ESXi 2.3.7.11-VA GSMU100 (for version 2.3.7 deployments)
No workarounds exist. Organizations must apply the patches to remediate the vulnerability.
No Active Exploitation—Yet
Cisco's Product Security Incident Response Team (PSIRT) reports no awareness of active exploitation or public proof-of-concept code at disclosure time. However, Cisco network infrastructure remains a consistent target for sophisticated threat actors.
We've covered multiple Cisco vulnerabilities under active attack this year, including the Cisco SD-WAN CVE-2026-20182 zero-day and the Interlock ransomware campaign exploiting Cisco Firewall Management Center. Attackers consistently prioritize network management platforms because they provide visibility into—and often access to—the entire infrastructure.
Why Catalyst Center Matters
Catalyst Center (formerly DNA Center) is Cisco's network management platform for campus, branch, and data center networks. It handles:
- Software image management and upgrades
- Network provisioning and automation
- Policy deployment and compliance
- Analytics and assurance
Compromise of the management platform can cascade to the devices it controls. File read vulnerabilities that expose credentials or configuration data often serve as initial footholds for broader infrastructure attacks.
Immediate Actions
Network teams should:
- Identify Catalyst Center deployments - Inventory all instances including virtual deployments
- Verify version numbers - Check if systems run 3.1 or later
- Apply patches immediately - Download from Cisco Software Center
- Restrict management access - Ensure Catalyst Center interfaces aren't exposed to untrusted networks
- Monitor for anomalous access - Review HTTP access logs for suspicious path patterns
Broader Context
Network infrastructure vulnerabilities receive less attention than endpoint or application flaws, but they often provide higher-impact access. Attackers compromising network management platforms gain visibility into traffic flows, device configurations, and potentially credentials for downstream systems.
The FortiBleed credential theft campaign linked to INC and Lynx ransomware operations demonstrated how network device compromise directly enables ransomware deployment. Organizations should treat network infrastructure patching with the same urgency as endpoint systems.
Related Articles
Cisco SD-WAN Zero-Day Exploited Since May—CVSS 10.0
CVE-2026-20182 allows unauthenticated attackers to inject rogue peers into Cisco SD-WAN fabrics. Active exploitation since May; no workaround available—patch immediately.
Jul 1, 2026Cisco Unified CM SSRF Flaw Now Dropping Webshells in the Wild
Attackers exploit CVE-2026-20230 in Cisco Unified Communications Manager to deploy webshells via Tor-routed automated attacks. Patching alone won't remove existing compromises.
Jun 25, 2026Second Cisco SD-WAN Zero-Day Hits CISA KEV in Two Weeks
CVE-2026-20262 joins CVE-2026-20245 on CISA's exploited vulnerabilities list. Attackers deploy malicious .war files via path traversal to gain root access on Catalyst SD-WAN Manager.
Jun 17, 2026Langflow AI Platform RCE Flaw Exploited — 7,000 Instances Exposed
CVE-2026-5027 allows unauthenticated attackers to write arbitrary files on Langflow servers. Patch to version 1.10.0 immediately—attackers are already exploiting exposed instances.
Jun 11, 2026