#VU124591 Improper Handling of Extra Parameters in Cisco IOS XE - CVE-2026-20083
Published: March 25, 2026
Vulnerability identifier: #VU124591
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-20083
CWE-ID: CWE-235
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco IOS XE
Cisco IOS XE
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper handling of a malformed SCP request in the Secure Copy Protocol (SCP) server feature when processing SCP commands over SSH. A local user can send a specially crafted SCP command to cause the device to reload unexpectedly, resulting in a denial of service.
Successful exploitation requires the attacker to be authenticated with low privileges and the SCP server feature to be enabled on the device.
Remediation
Install security update from vendor's website.