
What Cisco’s Vulnerability Problem Looks Like From the Outside

Cisco has had one of those weeks that makes people roll their eyes and ask the same question all over again:

How is Cisco still shipping this many serious security issues?

That question is a little unfair, but only a little.

From the outside, Cisco’s problem does not look like a simple case of “big company, lots of products, bugs happen.” That is part of the story, sure. Cisco is enormous. It has routers, switches, firewalls, controllers, dashboards, licensing platforms, data center tools, cloud-connected services, and years of legacy enterprise software spread across a huge customer base. A company with that much surface area is always going to have a steady stream of vulnerabilities. Cisco’s own public advisory flow makes that obvious enough. But scale only explains the volume. It does not explain the pattern.

And the pattern is the part that should make customers uncomfortable.

The problem is not just the count. It is where the bugs keep landing.

If the recent batch had mostly been edge-case denial-of-service issues in obscure features, nobody would be writing much about it. That is normal vendor life. What stands out here is that too many of the more worrying flaws are landing in products tied to administration, orchestration, management, visibility, or privileged control.

Just look at the list Cisco published around April 1 and April 2:

- Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability (CVE-2026-20160), Critical
- Cisco Integrated Management Controller Authentication Bypass Vulnerability (CVE-2026-20093), Critical
- Cisco Evolved Programmable Network Manager Improper Authorization Vulnerability (CVE-2026-20155), High
- Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability (CVE-2026-20151), High
- Cisco Integrated Management Controller Command Injection and Remote Code Execution Vulnerabilities (CVE-2026-20094, CVE-2026-20095 and related issues), High
- Cisco Nexus Dashboard Insights Arbitrary File Write Vulnerability (CVE-2026-20174), Medium
- Cisco Nexus Dashboard and Nexus Dashboard Insights Server-Side Request Forgery Vulnerability (CVE-2026-20041), Medium
- Cisco Nexus Dashboard Configuration Backup REST API Unauthorized Access Vulnerability (CVE-2026-20042), Medium
- Cisco Integrated Management Controller Cross-Site Scripting Vulnerabilities (CVE-2026-20085, CVE-2026-20087 and others), Medium
- Cisco IOS XE Software Denial of Service Vulnerability (CVE-2026-20110), Medium

If you are a customer reading that list, it does not feel random. It feels concentrated in exactly the places where trust is supposed to be strongest.

That is the real issue.

From the outside, this looks like a management-plane problem

This is the simplest way to say it.

Cisco’s vulnerability problem does not just look like a software-quality problem. It looks like a management-plane security problem.

Products like Integrated Management Controller, Smart Software Manager On-Prem, Nexus Dashboard, and network management platforms are not just “another app.” They are the systems administrators use to control infrastructure, push changes, manage credentials and services, monitor environments, and interact with highly trusted parts of the network.

So when those systems get hit with bugs like:

  • authentication bypass
  • improper authorization
  • privilege escalation
  • command injection
  • arbitrary command execution
  • unauthorized API access
  • arbitrary file write
  • remote code execution

that lands differently than a generic product bug.

A flaw in the management layer is not just a flaw. It can be a shortcut into the rest of the environment.

That is why Cisco’s recent list makes people uneasy. It is not just “wow, another vendor advisory.” It is “why are so many of the bad ones sitting near the control layer again?”

Cisco being huge explains some of this, but not all of it

To be fair, big vendors do have more vulnerabilities. That is just reality.

Microsoft has Patch Tuesday every month because Windows, Office, Azure, Edge, identity systems, and enterprise services are massive. Microsoft’s March 2026 Security Update Guide release notes show the usual steady flow of fixes across a very broad estate. Google is constantly patching Chrome and Android, and on March 31 it pushed Chrome 146.0.7680.177/178 with 21 security fixes, including a vulnerability under active exploitation. Apple does the same across iOS, macOS, Safari, and other platforms, and in late March and early April it even expanded iOS 18.7.7 availability to more devices to push DarkSword protections more widely.

So yes, every giant vendor has a lot of security bugs.

Microsoft has a lot of vulnerabilities because it has an enormous enterprise and consumer footprint. Google has a lot of vulnerabilities because browsers, mobile platforms, and cloud software are brutal to secure perfectly. Apple has a lot of vulnerabilities because tightly integrated ecosystems still have huge attack surfaces. Cisco is not special in the sense that it alone has CVEs.

But Cisco does seem to have a particularly bad habit of producing serious flaws in the software that manages everything else.

That is the difference.

Why that matters more than raw numbers

Raw CVE counts are a terrible way to judge risk.

A vendor can patch 100 low-impact bugs and look noisy, while another ships three terrible bugs in a core management platform and creates far more operational risk.

What matters is where the flaws are, what they let an attacker do, and how much trust is wrapped around the affected system.

That is why this Cisco batch feels worse than a normal patch cycle.

Take a critical auth bypass in Integrated Management Controller. That is not just a bug. That is a trust failure in a system that sits close to hardware administration and privileged control. A critical arbitrary command execution bug in Smart Software Manager On-Prem is not just another web issue either. Cisco says that flaw came from unintentional exposure of an internal service, which is exactly the sort of sentence defenders hate reading in a management product.

Even the medium-severity items are not especially comforting when they show up in dashboards and admin tooling. SSRF, file write, unauthorized backup API access, and XSS are the kind of issues that can become stepping stones in a real environment, especially if the platform is overtrusted or poorly segmented.

So the concern here is not just “Cisco had a lot of advisories this week.”

It is that too many of them touch systems that should have been among the hardest to break in the first place.

What might be going wrong

From the outside, there are a few likely explanations.

One is old architectural baggage. Big infrastructure vendors accumulate weird assumptions over time. Internal services that were never meant to be reachable end up exposed. Components trust each other too much. Admin workflows get bolted on over older code. Compatibility requirements outlive the design choices that created them.

Another is product sprawl. Cisco has a giant portfolio, and consistency across that many teams, codebases, and inherited products is hard. Even if the company has a solid PSIRT process and a formal secure development story, reality is messy when products evolve for years across different groups.

Another is that management software is just dangerous software. It has to talk to everything, authenticate everyone, expose APIs, accept configuration changes, and often run with broad privileges. That makes it one of the worst places to get lazy input handling, brittle auth logic, weak internal service boundaries, or overtrusted APIs.

And then there is the obvious one: Cisco is a premium target. Researchers look closely at it because it is deployed everywhere. Attackers look closely at it because a successful exploit often lands inside environments that matter.

None of that excuses the pattern. It just helps explain why it keeps surfacing.

This is why “all vendors have vulnerabilities” is not enough anymore

Customers are not wrong to expect more here.

Cisco is not some startup shipping a dashboard for a few hundred customers. Cisco gear sits in hospitals, governments, telecom providers, banks, universities, manufacturers, and data centers. A lot of its products live very close to the heart of enterprise operations.

When that is your role in the market, the bar is higher.

So no, “every vendor has bugs” is not a satisfying answer.

That line may explain why Cisco has plenty of advisories. It does not explain why customers keep seeing serious flaws tied to high-trust systems, high-privilege systems, and management systems.

That is the part that damages confidence.

The practical takeaway for defenders

If you run Cisco, the question is not “why does Cisco have so many CVEs?”

That is interesting for blog posts, but not that useful on Monday morning.

The more useful question is:

Which Cisco products in our environment are part of the management plane, and how exposed are they right now?

That means looking first at things like:

  • Integrated Management Controller
  • Smart Software Manager On-Prem
  • Nexus Dashboard and Nexus Dashboard Insights
  • network management platforms
  • backup and orchestration APIs
  • any internet-facing Cisco web admin interface
  • any Cisco platform with broad control over infrastructure

Those are the places where a bad bug hurts more.

Patch triage should follow blast radius, not brand familiarity. A boring admin appliance can be more dangerous than a flashy edge device if compromise gives an attacker privileged control or deep visibility.
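
One way to turn that into a patch queue, as an added example that is not from Cisco or any tool mentioned here: score each advisory from the list above by severity, whether the product is part of the management plane, and how reachable its admin interface is. The weights, hostnames, and reachability values are constructed assumptions; substitute your own inventory.

```python
from typing import NamedTuple

class Advisory(NamedTuple):
    cve: str
    product: str
    severity: str

# Taken from the advisory list on this page (first CVE of each advisory).
ADVISORIES = [
    Advisory("CVE-2026-20160", "Smart Software Manager On-Prem", "Critical"),
    Advisory("CVE-2026-20093", "Integrated Management Controller", "Critical"),
    Advisory("CVE-2026-20155", "Evolved Programmable Network Manager", "High"),
    Advisory("CVE-2026-20042", "Nexus Dashboard", "Medium"),
    Advisory("CVE-2026-20110", "IOS XE Software", "Medium"),
]

# Everything below is a constructed assumption: weights, hostnames, reachability.
SEVERITY = {"Critical": 4, "High": 3, "Medium": 2}
EXPOSURE = {"mgmt-vlan": 1, "user-lan": 2, "internet": 3}
MGMT_PLANE = {  # products the article treats as management plane
    "Integrated Management Controller", "Smart Software Manager On-Prem",
    "Nexus Dashboard", "Nexus Dashboard Insights",
    "Evolved Programmable Network Manager",
}
INVENTORY = {  # host -> (product, where its admin interface is reachable from)
    "imc-rack12": ("Integrated Management Controller", "mgmt-vlan"),
    "ssm-01": ("Smart Software Manager On-Prem", "user-lan"),
    "nd-prod": ("Nexus Dashboard", "internet"),
    "edge-rtr-3": ("IOS XE Software", "internet"),
    "epnm-lab": ("Evolved Programmable Network Manager", None),  # never recorded
}

def blast_radius(adv, reach):
    """Severity scaled by management-plane role and admin-interface exposure."""
    plane = 2 if adv.product in MGMT_PLANE else 1
    # Unrecorded reachability is scored as the worst case, not the best.
    exposure = EXPOSURE.get(reach, max(EXPOSURE.values()))
    return SEVERITY[adv.severity] * plane * exposure

def triage(advisories=ADVISORIES, inventory=INVENTORY):
    """Return (score, host, cve) rows, highest blast radius first."""
    rows = [(blast_radius(a, reach), host, a.cve)
            for host, (product, reach) in inventory.items()
            for a in advisories if a.product == product]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, host, cve in triage():
        print(f"{score:>3}  {host:<12} {cve}")
```

With this sample inventory, the Medium-rated Nexus Dashboard issue on an internet-reachable host lands above the Critical IMC issue on an isolated management VLAN, and the host with no recorded reachability goes to the top until someone checks it.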

The bottom line

From the outside, Cisco’s problem does not look like “too many bugs because software is hard.”

It looks more like this:

too many important bugs in the systems that are supposed to securely manage everything else.

That is why people keep reacting strongly to Cisco advisories. It is not just the number. It is the pattern. When serious weaknesses keep showing up in management and control software, customers are right to get nervous.

Big vendors like Microsoft, Google, and Apple all have plenty of vulnerabilities too. That part is normal. What customers have a harder time accepting is a steady stream of flaws in the trust layer itself.

And that is where Cisco keeps making people uncomfortable.