Cisco Small Business Series switches buffer overflow vulnerabilities

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Four security vulnerabilities discovered in Cisco’s Small Business Series Switches have been fixed with security patches. Each of the vulnerabilities carries a Common Vulnerability Scoring System (CVSSv3) base score of 9.8/10.

The flaws, tracked as CVE-2023-20159 (CVSSv3 base score of 9.8/10 – Critical), CVE-2023-20160 (CVSSv3 base score of 9.8/10 – Critical), CVE-2023-20161 (CVSSv3 base score of 9.8/10 – Critical) and CVE-2023-20189 (CVSSv3 base score of 9.8/10 – Critical), relate to the web-based interface of Cisco Small Business Series Switches and could provide an unauthenticated, remote threat actor with the ability to cause a denial of service (DoS) condition or execute arbitrary code with root privileges on affected devices.

There have not been any reports of these vulnerabilities being actively exploited as of the time of writing. However, this could change at any time.

Impact

If CVE-2023-20159, CVE-2023-20160, CVE-2023-20161 or CVE-2023-20189 are successfully exploited, a remote, unauthenticated threat actor may be able to cause a DoS condition or execute arbitrary code with root privileges on vulnerable devices.

Affected Products

  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 350X Series Stackable Managed Switches
  • 550X Series Stackable Managed Switches
  • Business 250 Series Smart Switches
  • Business 350 Series Managed Switches
  • Small Business 200 Series Smart Switches
  • Small Business 300 Series Managed Switches
  • Small Business 500 Series Stackable Managed Switches

Containment, Mitigations & Remediations

Cisco has made software patches available that fix these vulnerabilities. Users of the affected product(s) are strongly advised to update to the most recent version (v2.5.9.16). Because the 200, 300 and 500 Series Small Business Switches have already entered the end-of-life process, Cisco states that their firmware will not be patched.
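As an added example (not part of the bulletin or of any Cisco tooling), the following Python triages a switch inventory against the affected series and the fixed release named above; the inventory rows and hostnames are constructed sample data, and the fixed version is taken from this bulletin, so confirm the fixed release for each product line against Cisco’s own advisory before acting on the result.

```python
"""Triage a switch inventory against the fixed firmware named in the bulletin.
Series names and FIXED_VERSION come from the bulletin; inventory rows below
are constructed sample data, not real devices."""

FIXED_VERSION = "2.5.9.16"  # fixed release stated in the bulletin (assumption: applies to all supported series)

# Affected series per the bulletin. True = still supported (patch available),
# False = end-of-life, Cisco states no patch will be issued.
AFFECTED_SERIES = {
    "250 Series Smart Switches": True,
    "350 Series Managed Switches": True,
    "350X Series Stackable Managed Switches": True,
    "550X Series Stackable Managed Switches": True,
    "Business 250 Series Smart Switches": True,
    "Business 350 Series Managed Switches": True,
    "Small Business 200 Series Smart Switches": False,
    "Small Business 300 Series Managed Switches": False,
    "Small Business 500 Series Stackable Managed Switches": False,
}

def parse_version(version: str) -> tuple:
    """Numeric tuple compare: '2.5.9.16' > '2.5.9.9', which a plain string compare gets wrong."""
    return tuple(int(part) for part in version.lstrip("v").split("."))

def classify(series: str, firmware: str) -> str:
    """Return one of: not_affected, patched, update_required, eol_no_patch."""
    if series not in AFFECTED_SERIES:
        return "not_affected"
    if not AFFECTED_SERIES[series]:
        return "eol_no_patch"  # no fix coming: isolate the management plane or replace the device
    if parse_version(firmware) >= parse_version(FIXED_VERSION):
        return "patched"
    return "update_required"

def triage(inventory):
    """inventory: iterable of (hostname, series, firmware) -> {hostname: status}."""
    return {host: classify(series, fw) for host, series, fw in inventory}

# Constructed sample inventory (hypothetical hostnames and firmware strings).
SAMPLE_INVENTORY = [
    ("sw-core-01", "350X Series Stackable Managed Switches", "2.5.9.16"),
    ("sw-edge-02", "250 Series Smart Switches", "2.5.9.9"),
    ("sw-lab-03", "Small Business 300 Series Managed Switches", "1.4.11.5"),
    ("sw-other-04", "Catalyst 9200", "17.9.4"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```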

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

A large section of the market for enterprise network infrastructure is controlled by Cisco. Their products have become a high-value target because threat actors often weigh likelihood of success against asset value when deciding which attack surfaces to concentrate on. Threat actors will continue their attempts to exploit flaws in related products to obtain the sensitive data they hold.

Threat Group

Forest Blizzard (also known as APT28) has been developing custom “Jaguar Tooth” malware that targets Cisco IOS routers to achieve unauthenticated access to compromised systems, according to a recent joint advisory from the US, UK and Cisco.

Mitre Methodologies

Tactic:

TA0002 – Execution

Further Information

CVE – CVE-2023-20159 (mitre.org)

Cisco warns of critical switch bugs with public exploit code (bleepingcomputer.com)

Cisco Small Business Series Switches Buffer Overflow Vulnerabilities