Opswat also found two other Catalyst 9300 vulnerabilities: CVE-2026-20112 (cross-site scripting) and CVE-2026-20113 (CRLF injection). These relate to the IOS XE IOx integration environment, which enables cloud edge computing features on Catalyst switches.
The first of these, CVE-2026-20112, could be exploited by an “authenticated user [who] could store malicious JavaScript payloads that may later execute in the context of another user’s session,” said Opswat in its full vulnerability analysis.
The second, CVE-2026-20113, would allow an attacker to cover their tracks for any exploit on IOS XE IOx: “By injecting crafted control characters, an attacker can forge or manipulate log entries, potentially obscuring malicious activity and compromising the integrity of audit information,” said Opswat, adding that this weakens the reliability of logging mechanisms critical for monitoring, incident response, and forensic analysis.
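The log-forgery problem described above is generic to any logging path that writes untrusted strings verbatim. The following is an added illustration, not code from Opswat or from IOS XE: a small writer that escapes control characters in untrusted fields before they reach the log, and a heuristic audit that flags physical lines which no longer fit the expected entry layout. The log format, field names and the sample username are all constructed for the example.

```python
import re

# C0 control characters (including CR and LF), DEL, NEL and the Unicode line
# and paragraph separators: any of these can end or reshape a log line.
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f\u0085\u2028\u2029]")

# Expected single-line layout of one entry in this constructed format:
#   <ISO-8601 UTC timestamp> <LEVEL> user=<value> msg=<value>
_ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z (INFO|WARN|ERROR) user=(.*?) msg=(.*)$"
)

# Constructed sample input: a username that carries a CRLF followed by text
# shaped like a second, benign-looking entry.
SAMPLE_TS = "2026-01-01T00:00:00Z"
SAMPLE_USER = "alice\r\n2026-01-01T00:00:00Z INFO user=admin msg=login ok"


def sanitize_log_field(value: str) -> str:
    """Escape every control character so an untrusted value cannot start a
    new log line; the original bytes stay recoverable from the escape."""
    def escape(match: re.Match) -> str:
        code = ord(match.group())
        return f"\\x{code:02x}" if code < 0x100 else f"\\u{code:04x}"
    return _CONTROL_RE.sub(escape, value)


def format_entry(ts: str, level: str, user: str, message: str) -> str:
    """Build one single-line audit entry from untrusted field values."""
    return f"{ts} {level} user={sanitize_log_field(user)} msg={sanitize_log_field(message)}"


def unsafe_entry() -> str:
    """What a naive writer would emit: the username is interpolated verbatim."""
    return f"{SAMPLE_TS} INFO user={SAMPLE_USER} msg=login"


def safe_entry() -> str:
    """The same event written through the sanitizing formatter."""
    return format_entry(SAMPLE_TS, "INFO", SAMPLE_USER, "login")


def audit_log(raw: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for physical lines that either still contain
    a control character or do not match the entry layout. Such lines are the
    residue of a field that carried an unescaped CR/LF. This is a heuristic:
    a forged line that mimics the layout exactly will not be flagged, which is
    why escaping at write time, not auditing afterwards, is the real control."""
    suspicious = []
    for number, line in enumerate(raw.splitlines(), start=1):
        if _CONTROL_RE.search(line) or not _ENTRY_RE.match(line):
            suspicious.append((number, line))
    return suspicious


if __name__ == "__main__":
    print("naive writer produced", len(unsafe_entry().splitlines()), "physical lines")
    print("audit of naive output flags:", audit_log(unsafe_entry()))
    print("sanitizing writer produced:", safe_entry())
    print("audit of sanitized output flags:", audit_log(safe_entry()))
```

Run stand-alone, the naive writer turns one event into two physical lines, and only the truncated first half is caught by the audit; the injected second half looks like a legitimate entry. The sanitizing writer keeps the event on one line with the CR and LF visible as `\x0d\x0a`, so an analyst can still see that the field carried control characters.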
Patching priority
To make headway, an attacker would need to chain the first two vulnerabilities, CVE-2026-20114 and CVE-2026-20110, the first of which would require authentication using stolen credentials.
This slightly raises the bar to any compromise, although stealing credentials for low-privilege user accounts is not a major barrier for an attacker.
Nonetheless, the fact that an attacker can elevate privileges from a basic Lobby Ambassador account to put a switch into a denial-of-service state underlines the risk this vulnerability poses. A short-term mitigation for this would be to ensure MFA protection is turned on for all user accounts accessing the Lobby Ambassador role.
