CVE-2026-20185: Cisco SG350/SG350X SNMP DoS Vulnerability
The National Vulnerability Database has detailed CVE-2026-20185, a critical denial-of-service vulnerability affecting Cisco 350 Series (SG350) and 350X Series (SG350X) managed switches. This flaw resides in the SNMP subsystem and can be triggered by an authenticated attacker sending a malformed SNMP request. Improper error handling allows the attacker to force a device reload, disrupting network operations.
This vulnerability impacts SNMP versions 1, 2c, and 3. Exploitation requires either valid SNMP read-write or read-only community strings for older versions, or valid user credentials for SNMPv3. The CVSS score of 7.7 highlights the significant risk, particularly in environments where SNMP is broadly enabled and secured with weak credentials. Defenders must prioritize patching or mitigating SNMP access to these devices.
For organizations using these Cisco switch models, the immediate action is to review SNMP configurations and apply available firmware updates. If patching is not feasible, consider disabling SNMP or restricting access to trusted management networks. This vulnerability presents a clear avenue for disruption, making it a prime target for attackers aiming to cripple network infrastructure.
What This Means For You
- If your organization utilizes Cisco SG350 or SG350X managed switches, verify if SNMP is enabled. If it is, immediately assess the firmware version and plan for patching to address CVE-2026-20185. If immediate patching is impossible, restrict SNMP access to only trusted internal IPs or consider disabling it entirely.
🛡️ Detection Rules
2 rules · 6 SIEM formats. Detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-20185: Cisco SG350/SG350X SNMP DoS Attempt
```yaml
title: CVE-2026-20185: Cisco SG350/SG350X SNMP DoS Attempt
id: scw-2026-05-06-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-20185 by targeting the SNMP service (UDP port 161)
  on Cisco SG350/SG350X switches. This vulnerability allows an authenticated, remote
  attacker to cause a denial of service by sending a specific SNMP request, leading to
  an unexpected device reload.
author: SCW Feed Engine (AI-generated)
date: 2026-05-06
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-20185/
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: firewall
detection:
  selection:
    # As written this matches every firewall event to port 161; scope it further
    # (e.g. to the switches' management addresses) before deploying.
    dst_port:
      - 161
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
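The Sigma rule above fires on any firewall event to port 161, so the following Python, added here as an example and not taken from the advisory or from Shimi's Cyber World, narrows that check to SNMP reaching the switches' management addresses from outside the trusted management network that the mitigation advice recommends. The switch addresses, the trusted network and the log lines are constructed assumptions.

```python
"""Added example (not from the advisory): apply the rule's dst_port=161 check to
firewall logs, alerting only on SNMP to a managed switch from an untrusted source."""
import ipaddress

# Constructed assumptions: switch management IPs and the network that is
# permitted to poll them via SNMP (the "trusted management network" above).
SWITCH_MGMT_IPS = {"10.0.0.10", "10.0.0.11"}
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]
SNMP_PORT = "161"

# Constructed firewall log lines in key=value form (not real traffic).
SAMPLE_LOGS = [
    "ts=2026-05-06T20:20:01Z action=allow proto=udp src_ip=10.0.50.5 dst_ip=10.0.0.10 dst_port=161",
    "ts=2026-05-06T20:20:02Z action=allow proto=udp src_ip=192.168.7.23 dst_ip=10.0.0.10 dst_port=161",
    "ts=2026-05-06T20:20:03Z action=allow proto=tcp src_ip=192.168.7.23 dst_ip=10.0.0.10 dst_port=22",
    "ts=2026-05-06T20:20:04Z action=deny proto=udp src_ip=172.16.3.9 dst_ip=10.0.0.11 dst_port=161",
    "ts=2026-05-06T20:20:05Z action=allow proto=udp src_ip=10.0.50.9 dst_ip=10.0.0.99 dst_port=161",
]

def parse_kv(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def sigma_matches(event: dict) -> bool:
    """The page's Sigma selection as written: any event with dst_port 161."""
    return event.get("dst_port") == SNMP_PORT

def from_trusted_net(src_ip: str) -> bool:
    """True when the source lies inside an allowed management network."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in TRUSTED_MGMT_NETS)

def untrusted_snmp_to_switch(logs: list[str]) -> list:
    """Events where SNMP reaches a managed switch from an untrusted source.
    Denied packets are kept: a blocked probe is still worth an analyst's look."""
    hits = []
    for line in logs:
        event = parse_kv(line)
        if not sigma_matches(event) or event.get("dst_ip") not in SWITCH_MGMT_IPS:
            continue
        if from_trusted_net(event.get("src_ip", "0.0.0.0")):
            continue
        hits.append(event)
    return hits

if __name__ == "__main__":
    for ev in untrusted_snmp_to_switch(SAMPLE_LOGS):
        print(f"{ev['ts']} SNMP from untrusted {ev['src_ip']} -> {ev['dst_ip']} ({ev['action']})")
```

On the constructed sample the bare port-161 selection matches four events while the scoped check reports two, both from sources outside the management network.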
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-20185 | DoS | Cisco 350 Series Managed Switches (SG350) firmware |
| CVE-2026-20185 | DoS | Cisco 350X Series Stackable Managed Switches (SG350X) firmware |
| CVE-2026-20185 | DoS | SNMP subsystem - improper error handling when parsing response data for a specific SNMP request |
| CVE-2026-20185 | DoS | SNMP versions 1, 2c, and 3 |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 06, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.