
Opswat also discovered two other Catalyst 9300 vulnerabilities: CVE-2026-20112 (cross-site scripting) and CVE-2026-20113 (CRLF injection). Both relate to the IOS XE IOx application-hosting environment, which enables edge computing features on Catalyst switches.
The first of these, CVE-2026-20112, could be exploited by an “authenticated user [who] could store malicious JavaScript payloads that would later execute in the context of another user’s session,” said Opswat in its full vulnerability analysis.
The second, CVE-2026-20113, could help an attacker cover their tracks after exploiting IOS XE IOx: “By injecting crafted control characters, an attacker can forge or manipulate log entries, potentially obscuring malicious activity and compromising the integrity of audit records,” said Opswat, adding that this weakens the reliability of logging mechanisms critical for monitoring, incident response, and forensic analysis.
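To make the CRLF problem concrete, here is an added example, not code from Opswat's analysis or from Cisco's IOS XE IOx software: a constructed, line-oriented audit log in Python, written first naively and then with control characters neutralised, alongside a parser standing in for a log collector. The log format, field names and attacker payload are assumptions for illustration only.

```python
# Added example: CRLF log injection and its mitigation. Constructed for illustration;
# the log format, field names and payload are assumptions, not IOS XE IOx behaviour.
from __future__ import annotations

import re

# Any ASCII control character (including CR 0x0d and LF 0x0a) and DEL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Collector-side record format: one event per line, attacker-influenced field last.
RECORD = re.compile(r"action=(\S+) user=(.*)")


def naive_log_line(action: str, user: str) -> str:
    """Vulnerable: user-supplied text is written straight into a line-oriented log,
    so an embedded CR/LF ends the real record and starts a forged one."""
    return f"action={action} user={user}\n"


def escape_control_chars(value: str) -> str:
    """Replace each control character with a visible \\xNN escape sequence."""
    return CONTROL_CHARS.sub(lambda m: f"\\x{ord(m.group()):02x}", value)


def safe_log_line(action: str, user: str) -> str:
    """Hardened: every field is neutralised before it reaches the log, so one
    event always occupies exactly one line and the injection attempt stays visible."""
    return f"action={escape_control_chars(action)} user={escape_control_chars(user)}\n"


def has_control_chars(value: str) -> bool:
    """Ingestion-time check: true when a field carries raw control characters.
    Useful as a detection signal for forgery attempts, not only as a silent fix."""
    return CONTROL_CHARS.search(value) is not None


def parse_log(text: str) -> list[dict[str, str]]:
    """Stand-in for a SIEM or collector that treats each line as one record."""
    records = []
    for line in text.splitlines():
        m = RECORD.fullmatch(line)
        if m:
            records.append({"action": m.group(1), "user": m.group(2)})
    return records


# Constructed attacker input: a low-privilege user name carrying CR+LF followed by
# a fabricated second record claiming an admin saved the configuration.
FORGED_USER = "guest\r\naction=config_save user=admin"


def demo() -> tuple[list[dict[str, str]], list[dict[str, str]]]:
    """Return (records parsed from the naive log, records parsed from the hardened log)."""
    naive = parse_log(naive_log_line("login", FORGED_USER))
    safe = parse_log(safe_log_line("login", FORGED_USER))
    return naive, safe


if __name__ == "__main__":
    naive_records, safe_records = demo()
    print("naive logger produced", len(naive_records), "records:", naive_records)
    print("safe logger produced", len(safe_records), "record:", safe_records)
    print("input flagged at ingestion:", has_control_chars(FORGED_USER))
```

With the naive logger the collector sees two records, the second of which attributes a configuration save to "admin" that never happened; with the hardened logger it sees a single login record whose user field still contains the escaped payload, so the attempt is preserved as evidence rather than discarded. Flagging raw control characters at ingestion gives an alert on the attempt itself, which is what an incident responder would want from a log pipeline.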
Patching priority
To achieve a meaningful compromise, an attacker would need to chain the first two vulnerabilities, CVE-2026-20114 and CVE-2026-20110; the first requires authentication, which in practice means stolen credentials.
This slightly raises the bar to any compromise, although stealing credentials for a low-privilege account is not a major barrier for an attacker.
However, the fact that an attacker can elevate privileges from a basic Lobby Ambassador account and put a switch into a denial-of-service state underlines the risk this vulnerability poses. A short-term mitigation would be to enforce MFA for every account with access to the Lobby Ambassador feature. Since IOS XE local accounts do not support MFA natively, that means authenticating those accounts through an external AAA server (RADIUS or TACACS+) that does, and in the meantime restricting who can reach the switch's management interfaces at all.
