Cisco has disclosed a high-severity vulnerability in its Catalyst Center platform that could allow unauthenticated remote attackers to read arbitrary files from affected systems.
The issue, tracked as CVE-2026-20191, has a CVSS score of 7.5 and is classified under CWE-22, indicating a path-traversal weakness caused by improper input validation.
According to the Cisco Security Advisory (cisco-sa-catc-file-read-wLH2vf8X), the flaw stems from insufficient validation of user-supplied input in the Catalyst Center interface.
An attacker can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable instance. If successful, the attacker can access sensitive files stored within a restricted container environment on the affected device.
Cisco Catalyst Center Vulnerability
Cisco Catalyst Center, previously known as Cisco DNA Center, is widely used for centralized network management, automation, and policy enforcement across enterprise environments.
The vulnerability affects both hardware appliances and virtual deployments, including those running on AWS, Microsoft Azure, and VMware ESXi platforms, regardless of configuration.
Although the vulnerability does not allow data modification or service disruption, the ability to read arbitrary files poses a significant confidentiality risk.
Attackers may be able to retrieve sensitive configuration files, credentials, or system data, which could be leveraged in further attacks or lateral movement within enterprise networks.
Cisco has confirmed that there are currently no available workarounds to mitigate this issue. As a result, organizations using affected versions are strongly advised to apply the provided software updates immediately.
The flaw is fixed in Catalyst Center 3.1.6 GSMU200 and VMware ESXi 2.3.7.11-VA GSMU100 (for 2.3.7) and 3.1.6 GSMU200 (for 3.1), while versions earlier than 3.1 are not affected.
The Cisco Product Security Incident Response Team (PSIRT) stated that there is currently no evidence of active exploitation in the wild, and no public proof-of-concept or attack campaigns have been reported at the time of disclosure.
The vulnerability was identified internally during the investigation of a Cisco Technical Assistance Center support case.
Despite the lack of observed exploitation, security experts warn that unauthenticated attack vectors, combined with simple HTTP request crafting, significantly lower the barrier to exploitation.
Organizations exposed to the internet or with improperly segmented management interfaces are particularly at risk.
Users are advised to prioritize patching, restrict external access to Catalyst Center interfaces, and monitor logs for suspicious HTTP requests targeting file access paths. Regular security audits and network segmentation can further reduce the risk of unauthorized access.
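The log monitoring recommended above can be sketched as a small detector for path-traversal (CWE-22) request targets. This is an added example, not code from Cisco or the advisory. It assumes HTTP access logs in common log format, for instance from a reverse proxy in front of the management interface, and every path in the sample lines is a constructed placeholder rather than a real Catalyst Center endpoint.

```python
import re
from urllib.parse import unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(target):
    """True if any path or query component is a '..' segment after decoding."""
    decoded = fully_decode(target).replace("\\", "/")
    # Split on path and query delimiters so 'name=../../x' is inspected too.
    segments = re.split(r"[/?&=;]", decoded)
    return any(seg == ".." for seg in segments)

def suspicious_requests(lines):
    """Return (client_ip, status, raw_target) for each line with a traversal segment."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and has_traversal(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
    return hits

# Constructed sample lines; paths are placeholders, not real product endpoints.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET /example/ui/index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /example/files/../../placeholder.conf HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /example/get?name=%2e%2e%2f%2e%2e%2fplaceholder HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:04 +0000] "GET /example/get?name=%252e%252e%255cplaceholder HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /example/reports/q1..q2.pdf HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, status, target in suspicious_requests(SAMPLE_LOG):
        # A 200 on a traversal request deserves more attention than a 4xx.
        print(f"{ip} status={status} target={target}")
```

Matching on decoded `..` segments rather than the raw substring catches single- and double-encoded variants while leaving filenames such as `q1..q2.pdf` unflagged.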