Bg ShapeBg Shape
THREAT INTELLIGENCE

Cisco Security Advisories - 2nd July 2026

Affected Environment

Cisco Catalyst Center (virtual and hardware appliances on AWS, Azure, and VMware ESXi) and Cisco Secure Endpoint Connector for Linux, Mac, and Windows, plus Secure Endpoint Private Cloud.

Threat Overview

Cisco disclosed multiple high-severity vulnerabilities affecting Cisco Catalyst Center and the third-party ClamAV component integrated into Cisco products. Successful exploitation could allow remote information disclosure or trigger denial of service conditions that impact system availability.

Exposure Timeline

Advisories issued 2 July 2026. No active exploitation in the wild confirmed at time of publication. Proof-of-concept code not yet available; the recommended remediation window is ten working days.

Attack Surface

Internet-facing Catalyst Center management interfaces and any system running ClamAV-based scanning. Unauthenticated remote attackers can reach these vulnerabilities over the network without credentials.

Technical Root Cause

CVE-2026-20191 (CVSS 7.5) - Insufficient validation of user-supplied input in Cisco Catalyst Center allows an unauthenticated remote attacker to read arbitrary files from a restricted container via crafted HTTP requests.

CVE-2026-20216 (CVSS 7.5) - Improper handling of temporary resources in the ClamAV InstallShield file format parser allows an unauthenticated attacker to terminate the ClamAV scanning process and temporarily exhaust system resources.

CVE-2026-20213 (CVSS 7.5) - Improper boundary checks in the ClamAV PE file format parser may result in an out-of-bounds buffer write, causing process termination or expanded impact from memory corruption.

CVE-2026-20214 (CVSS 7.5) - Improper boundary checks in the ClamAV FSG file format parser may result in an out-of-bounds buffer write when scanning FSG-compressed portable executable content.

CVE-2026-20215 (CVSS 7.5) - Improper boundary checks in the ClamAV 7z file format parser may result in an out-of-bounds buffer write, terminating the scanning process.

CVE-2026-20217 (CVSS 7.5) - Improper boundary checks in the ClamAV PESpin file format parser may result in an out-of-bounds buffer write.

CVE-2026-20243 (CVSS 7.5) - Improper boundary checks in the ClamAV ALZ file format parser may result in an out-of-bounds buffer write.

CVE-2026-20244 (CVSS 7.5) - Improper boundary checks in the ClamAV DMG file format parser may result in an integer overflow on 32-bit platforms, terminating the scanning process.

Exploitation Pathway

For CVE-2026-20191, an attacker sends a crafted HTTP request to an exposed Catalyst Center interface to extract arbitrary files. For all ClamAV vulnerabilities, an attacker submits a crafted file of the relevant format to be scanned, triggering the parser flaw and causing process termination or memory corruption.

Operational Impact

Exploitation of CVE-2026-20191 could expose sensitive configuration data or credentials stored on the Catalyst Center appliance. ClamAV DoS vulnerabilities could disable endpoint scanning capabilities across Secure Endpoint deployments, reducing detection coverage during the outage window.

Strategic Impact

Risk is rated High for all organisation sizes across both government and commercial sectors. Cisco Catalyst Center is widely deployed in enterprise SD-WAN environments. ClamAV is embedded across multiple Cisco Secure Endpoint products, meaning a single unpatched deployment across a large estate multiplies exposure significantly.

Required Mitigation

Cisco has confirmed no workarounds are available. Upgrade to the following fixed releases as soon as operationally feasible:

Catalyst Center (Hardware and Virtual - AWS/Azure): Release 3.1 requires 3.1.6 GSMU200. Releases earlier than 3.1 are not vulnerable.

Catalyst Center (VMware ESXi): Release 2.3.7 requires 2.3.7.11-VA GSMU100. Release 3.1 requires 3.1.6 GSMU200.

ClamAV - Secure Endpoint Connector for Linux: Upgrade to 1.29.0 (CSCwt81503).

ClamAV - Secure Endpoint Connector for Mac: Upgrade to 1.27.2 (CSCwt81504).

ClamAV - Secure Endpoint Connector for Windows: Upgrade to 8.6.2 (CSCwt81501).

ClamAV - Secure Endpoint Private Cloud: Upgrade to 4.2.8 or later (CSCwu55927).

Incident Response Guidance

Implement the Principle of Least Privilege across all SD-WAN administrative accounts. Monitor authentication and system logs for signs of unauthorised privilege escalation, unexpected configuration changes, or suspicious administrative activity. Forward logs to a centralised SIEM for correlation. Use vulnerability management tooling to verify remediation status across all affected systems and detect potential exploitation attempts.

References

Cisco Security Advisory: cisco-sa-catc-file-read-wLH2vf8X. Cisco Security Advisory: cisco-sa-clamav-88cFYyxR. CVEs: CVE-2026-20191, CVE-2026-20216, CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20217, CVE-2026-20243, CVE-2026-20244.

Download the Full Report

Explore More of the Latest Threat Intelligence

Trusted by clients worldwide

Logo
Logo
Logo
Logo
Logo
Logo

Your 24/7 Security Partner

Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.

Awards Image
Awards Image
Awards Image
Awards Image
Awards Image
Awards Image