PROBABLYPWNED
VulnerabilitiesJuly 6, 20263 min read

Cisco Catalyst Center Flaw Exposes Sensitive Files to Remote Attackers

CVE-2026-20191 in Cisco Catalyst Center allows unauthenticated attackers to read arbitrary files through path traversal. Affects version 3.1+ across hardware appliances and cloud deployments.

Marcus Chen

Cisco disclosed CVE-2026-20191, a high-severity path traversal vulnerability in Catalyst Center that allows unauthenticated remote attackers to read arbitrary files from affected systems. The flaw carries a CVSS score of 7.5 and impacts both hardware appliances and virtual deployments across AWS, Azure, and VMware ESXi.

The Vulnerability

The flaw exists in Catalyst Center's web interface due to insufficient input validation. Attackers can craft HTTP requests that traverse directory boundaries, escaping the intended file access restrictions to read sensitive files within the container environment.

According to Cisco's advisory, successful exploitation could expose:

  • Configuration files
  • Stored credentials
  • System data
  • Network topology information

While the vulnerability is contained within a restricted container, the accessible data could enable further attacks against the network infrastructure Catalyst Center manages.

Affected Deployments

The vulnerability impacts Catalyst Center version 3.1 and later across all deployment types:

  • Hardware appliances
  • AWS virtual deployments
  • Azure virtual deployments
  • VMware ESXi virtual machines

Versions earlier than 3.1 are not affected.

Patched Versions

Cisco released fixes in:

  • Catalyst Center 3.1.6 GSMU200
  • VMware ESXi 2.3.7.11-VA GSMU100 (for version 2.3.7 deployments)

No workarounds exist. Organizations must apply the patches to remediate the vulnerability.

No Active Exploitation—Yet

Cisco's Product Security Incident Response Team (PSIRT) reports no awareness of active exploitation or public proof-of-concept code at disclosure time. However, Cisco network infrastructure remains a consistent target for sophisticated threat actors.

We've covered multiple Cisco vulnerabilities under active attack this year, including the Cisco SD-WAN CVE-2026-20182 zero-day and the Interlock ransomware campaign exploiting Cisco Firewall Management Center. Attackers consistently prioritize network management platforms because they provide visibility into—and often access to—the entire infrastructure.

Why Catalyst Center Matters

Catalyst Center (formerly DNA Center) is Cisco's network management platform for campus, branch, and data center networks. It handles:

  • Software image management and upgrades
  • Network provisioning and automation
  • Policy deployment and compliance
  • Analytics and assurance

Compromise of the management platform can cascade to the devices it controls. File read vulnerabilities that expose credentials or configuration data often serve as initial footholds for broader infrastructure attacks.

Immediate Actions

Network teams should:

  1. Identify Catalyst Center deployments - Inventory all instances including virtual deployments
  2. Verify version numbers - Check if systems run 3.1 or later
  3. Apply patches immediately - Download from Cisco Software Center
  4. Restrict management access - Ensure Catalyst Center interfaces aren't exposed to untrusted networks
  5. Monitor for anomalous access - Review HTTP access logs for suspicious path patterns

Broader Context

Network infrastructure vulnerabilities receive less attention than endpoint or application flaws, but they often provide higher-impact access. Attackers compromising network management platforms gain visibility into traffic flows, device configurations, and potentially credentials for downstream systems.

The FortiBleed credential theft campaign linked to INC and Lynx ransomware operations demonstrated how network device compromise directly enables ransomware deployment. Organizations should treat network infrastructure patching with the same urgency as endpoint systems.

Related Articles