Chained Vulnerabilities in Cisco Catalyst Switches Could Induce Denial-of-Service

Cisco’s Catalyst 9300 series is a backbone component for many enterprise networks, prized for its scalability and integrated security features. The recent discovery of four distinct CVEs—two of which can be combined—highlights how even well‑engineered hardware can harbor exploitable gaps. The first vulnerability compromises the WebUI Lobby Ambassador account, a role intended for non‑technical staff, while the second leverages insufficient input sanitization to push the device into maintenance mode, halting traffic flow.

From a technical standpoint, the attack chain is straightforward: an adversary obtains credentials for the low‑privilege Lobby Ambassador account, injects a command to create a MAC‑based account with modest rights, then exploits the sanitization flaw to elevate privileges and trigger the ‘start maintenance’ command. This sequence bypasses traditional perimeter defenses, making multi‑factor authentication (MFA) on the Lobby Ambassador feature a critical short‑term safeguard. Cisco’s advisory also recommends manually lowering the privilege level required to initiate maintenance mode, providing an immediate mitigation while patches are applied.

The broader industry impact underscores the challenges of semi‑annual patch cycles for high‑volume networking gear. Cisco’s March 2026 advisory arrived later than the typical September window, leaving a window of exposure for months. Enterprises should proactively use Cisco’s Software Checker to verify firmware versions, prioritize the March patches, and adopt continuous vulnerability‑management practices. The episode serves as a reminder that layered defenses—strong credential hygiene, MFA, and timely patching—remain essential to protect the resilience of modern network infrastructures.