

Cisco Catalyst Center (virtual and hardware appliances on AWS, Azure, and VMware ESXi) and Cisco Secure Endpoint Connector for Linux, Mac, and Windows, plus Secure Endpoint Private Cloud.
Cisco disclosed multiple high-severity vulnerabilities affecting Cisco Catalyst Center and the third-party ClamAV component integrated into Cisco products. Successful exploitation could allow remote information disclosure or trigger denial of service conditions that impact system availability.
Advisories issued 2 July 2026. No active exploitation in the wild confirmed at time of publication. Proof-of-concept code not yet available; the recommended remediation window is ten working days.
Internet-facing Catalyst Center management interfaces and any system running ClamAV-based scanning. Unauthenticated remote attackers can reach these vulnerabilities over the network without credentials.
CVE-2026-20191 (CVSS 7.5) - Insufficient validation of user-supplied input in Cisco Catalyst Center allows an unauthenticated remote attacker to read arbitrary files from a restricted container via crafted HTTP requests.
CVE-2026-20216 (CVSS 7.5) - Improper handling of temporary resources in the ClamAV InstallShield file format parser allows an unauthenticated attacker to terminate the ClamAV scanning process and temporarily exhaust system resources.
CVE-2026-20213 (CVSS 7.5) - Improper boundary checks in the ClamAV PE file format parser may result in an out-of-bounds buffer write, causing process termination or expanded impact from memory corruption.
CVE-2026-20214 (CVSS 7.5) - Improper boundary checks in the ClamAV FSG file format parser may result in an out-of-bounds buffer write when scanning FSG-compressed portable executable content.
CVE-2026-20215 (CVSS 7.5) - Improper boundary checks in the ClamAV 7z file format parser may result in an out-of-bounds buffer write, terminating the scanning process.
CVE-2026-20217 (CVSS 7.5) - Improper boundary checks in the ClamAV PESpin file format parser may result in an out-of-bounds buffer write.
CVE-2026-20243 (CVSS 7.5) - Improper boundary checks in the ClamAV ALZ file format parser may result in an out-of-bounds buffer write.
CVE-2026-20244 (CVSS 7.5) - Improper boundary checks in the ClamAV DMG file format parser may result in an integer overflow on 32-bit platforms, terminating the scanning process.
For CVE-2026-20191, an attacker sends a crafted HTTP request to an exposed Catalyst Center interface to extract arbitrary files. For all ClamAV vulnerabilities, an attacker submits a crafted file of the relevant format to be scanned, triggering the parser flaw and causing process termination or memory corruption.
Exploitation of CVE-2026-20191 could expose sensitive configuration data or credentials stored on the Catalyst Center appliance. ClamAV DoS vulnerabilities could disable endpoint scanning capabilities across Secure Endpoint deployments, reducing detection coverage during the outage window.
Risk is rated High for all organisation sizes across both government and commercial sectors. Cisco Catalyst Center is widely deployed in enterprise SD-WAN environments. ClamAV is embedded across multiple Cisco Secure Endpoint products, meaning a single unpatched deployment across a large estate multiplies exposure significantly.
Cisco has confirmed no workarounds are available. Upgrade to the following fixed releases as soon as operationally feasible:
Catalyst Center (Hardware and Virtual - AWS/Azure): Release 3.1 requires 3.1.6 GSMU200. Releases earlier than 3.1 are not vulnerable.
Catalyst Center (VMware ESXi): Release 2.3.7 requires 2.3.7.11-VA GSMU100. Release 3.1 requires 3.1.6 GSMU200.
ClamAV - Secure Endpoint Connector for Linux: Upgrade to 1.29.0 (CSCwt81503).
ClamAV - Secure Endpoint Connector for Mac: Upgrade to 1.27.2 (CSCwt81504).
ClamAV - Secure Endpoint Connector for Windows: Upgrade to 8.6.2 (CSCwt81501).
ClamAV - Secure Endpoint Private Cloud: Upgrade to 4.2.8 or later (CSCwu55927).
Implement the Principle of Least Privilege across all SD-WAN administrative accounts. Monitor authentication and system logs for signs of unauthorised privilege escalation, unexpected configuration changes, or suspicious administrative activity. Forward logs to a centralised SIEM for correlation. Use vulnerability management tooling to verify remediation status across all affected systems and detect potential exploitation attempts.
Cisco Security Advisory: cisco-sa-catc-file-read-wLH2vf8X. Cisco Security Advisory: cisco-sa-clamav-88cFYyxR. CVEs: CVE-2026-20191, CVE-2026-20216, CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20217, CVE-2026-20243, CVE-2026-20244.
Trusted by clients worldwide






Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.




