[Security Vulnerability Alert] Cisco IOS XR Software has two high-severity (CVSS 8.8) privilege escalation vulnerabilities

Issuing unit: Library and Information Office, Digital Services Section
Date range: 2026/3/16 ~ 2026/9/16
Category: Administrative announcement
Audience: All

Forwarded from the Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC), security alert TWCERTCC-200-202603-00000013

[Content Description]
Cisco has recently published security advisories for IOS XR Software covering two vulnerabilities, CVE-2026-20040 (CVSS 8.8) and CVE-2026-20046 (CVSS 8.8). Both are CLI privilege escalation flaws, and both require an attacker who already holds an authenticated account on the device. CVE-2026-20040 could allow an authenticated local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. CVE-2026-20046 lies in the task group assignment of certain CLI commands and could allow an authenticated local attacker to elevate privileges and gain full administrative control of an affected device.

[Affected Platforms]
Cisco IOS XR Software 25.1 and earlier
Cisco IOS XR Software 25.2
Cisco IOS XR Software 25.3
Cisco IOS XR Software 25.4

[Recommended Actions]
Upgrade to the following fixed releases:
【CVE-2026-20040】Cisco IOS XR Software 25.2.21; Cisco IOS XR Software 25.4.2
Note: Cisco IOS XR Software 25.1 and earlier, and 25.3, have no fixed release on their own train; migrate to a fixed release.

【CVE-2026-20046】Cisco IOS XR Software 25.2.2
Note: Cisco IOS XR Software 25.1 and earlier has no fixed release on its own train; migrate to a fixed release.
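The release table above is the kind of thing that ends up being checked against an inventory of `show version` output, so here is an added example (not Cisco's or TWCERT/CC's tooling) that encodes the advisory's affected and fixed releases and classifies a running release for each CVE. The release numbers are taken from the advisory as printed; the `Cisco IOS XR Software, Version X.Y.Z` line format assumed for `show version`, the choice of the nearest fixed release on a later train as the migration target, and the sample outputs are assumptions constructed for this example. Because the advisory's CVE-2026-20046 entry only addresses 25.1-and-earlier and 25.2, releases on the 25.3 and 25.4 trains come back as "unlisted" for that CVE rather than as fixed, and should be checked against Cisco's own advisory.

```python
"""Classify a Cisco IOS XR release against the affected/fixed table in this
advisory. Added example, not Cisco's or TWCERT/CC's tooling. The release
table is copied from the advisory text; the `show version` line format,
the migration-target rule and the sample outputs are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Release = Tuple[int, int, int]

# Fixed releases per CVE, keyed by release train, exactly as the advisory lists them.
FIXED: Dict[str, Dict[str, Release]] = {
    "CVE-2026-20040": {"25.2": (25, 2, 21), "25.4": (25, 4, 2)},
    "CVE-2026-20046": {"25.2": (25, 2, 2)},
}

# Trains the advisory says must migrate because no fix ships on the train itself.
# "<=25.1" stands for "25.1 and earlier".
MIGRATE: Dict[str, Set[str]] = {
    "CVE-2026-20040": {"<=25.1", "25.3"},
    "CVE-2026-20046": {"<=25.1"},
}

# Assumed `show version` line format (IOS XR prints "Cisco IOS XR Software, Version X.Y.Z").
VERSION_RE = re.compile(r"Cisco IOS XR Software, Version (\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(show_version: str) -> Release:
    """Extract (major, minor, patch) from `show version` output; patch defaults to 0."""
    m = VERSION_RE.search(show_version)
    if m is None:
        raise ValueError("no 'Cisco IOS XR Software, Version' line found")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fmt(rel: Release) -> str:
    return ".".join(str(n) for n in rel)


@dataclass(frozen=True)
class Verdict:
    cve: str
    running: str
    status: str            # "fixed", "upgrade", "migrate" or "unlisted"
    target: Optional[str]  # release to move to, when one can be derived


def assess(rel: Release, cve: str) -> Verdict:
    """Compare one running release with the advisory's table for one CVE."""
    train = f"{rel[0]}.{rel[1]}"
    fixed_on_train = FIXED[cve].get(train)
    if fixed_on_train is not None:
        # A fix exists on this train: either already at/after it, or a same-train upgrade.
        if rel >= fixed_on_train:
            return Verdict(cve, fmt(rel), "fixed", None)
        return Verdict(cve, fmt(rel), "upgrade", fmt(fixed_on_train))
    must_migrate = train in MIGRATE[cve] or (
        "<=25.1" in MIGRATE[cve] and rel[:2] <= (25, 1)
    )
    if must_migrate:
        # Assumption: suggest the nearest fixed release on a later train; the advisory
        # itself only says "migrate to a fixed release".
        later = sorted(r for r in FIXED[cve].values() if r[:2] > rel[:2])
        target = later[0] if later else max(FIXED[cve].values())
        return Verdict(cve, fmt(rel), "migrate", fmt(target))
    # The advisory names neither a fix nor a migration note for this train and CVE.
    return Verdict(cve, fmt(rel), "unlisted", None)


def assess_all(show_version: str) -> List[Verdict]:
    rel = parse_release(show_version)
    return [assess(rel, cve) for cve in FIXED]


# Constructed sample `show version` fragments, not real device output.
SAMPLES = {
    "edge-rtr-1": "Cisco IOS XR Software, Version 25.2.1\nCopyright (c) 2013-2025 by Cisco Systems, Inc.",
    "edge-rtr-2": "Cisco IOS XR Software, Version 25.3.1",
    "edge-rtr-3": "Cisco IOS XR Software, Version 24.4.2",
    "edge-rtr-4": "Cisco IOS XR Software, Version 25.4.2",
}

if __name__ == "__main__":
    for host, out in SAMPLES.items():
        for v in assess_all(out):
            suffix = f" to {v.target}" if v.target else ""
            print(f"{host}: {v.cve} running {v.running} -> {v.status}{suffix}")
```

Run as a script it prints one line per host and CVE; in practice the `SAMPLES` dict would be replaced by `show version` output collected from the devices, and any "unlisted" result means the page's table does not settle that train and Cisco's advisory has to be consulted directly.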

[References]
1. https://www.twcert.org.tw/tw/cp-169-10780-6b3d3-1.html

