Cisco’s Twice-Monthly Patch Cadence Starts With Catalyst Center and ClamAV Fixes

Cisco’s first July security-advisory drop under its new twice-monthly cadence includes a Catalyst Center arbitrary-file-read flaw and seven ClamAV vulnerabilities affecting Cisco Secure Endpoint. The change gives network and security teams more predictability, but it also means Cisco infrastructure patch planning needs to become a standing operating rhythm, not a quarterly scramble.

Cisco’s new twice-monthly security-advisory rhythm has moved from plan to practice. On July 1, the company published its first scheduled July batch, covering a high-severity Cisco Catalyst Center arbitrary file read vulnerability and a separate set of ClamAV vulnerabilities affecting Cisco products.

The advisories themselves are not the only story. Cisco is changing how customers should expect infrastructure security work to arrive. Beginning in July, the company is reserving the first and third Wednesday of each month for security-hardened software publications, with seven days of advance notice about which technologies will be covered when a release is planned. For network and security teams, that turns Cisco patching into a standing operational cadence rather than an occasional emergency project.

What Cisco published on July 1

The more direct network-management issue is CVE-2026-20191, a high-severity vulnerability in Cisco Catalyst Center. Cisco says an unauthenticated remote attacker could send a crafted HTTP request and read arbitrary files from a restricted container on an affected device. The flaw carries a CVSS base score of 7.5 and affects Cisco Catalyst Center hardware appliances as well as virtual appliances, regardless of configuration.

Cisco lists no workaround for the Catalyst Center issue. The fixed releases are 3.1.6 GSMU200 for Catalyst Center 3.1 on hardware, AWS, Azure, and VMware ESXi deployments, plus 2.3.7.11-VA GSMU100 for VMware ESXi deployments running 2.3.7. Cisco said its Product Security Incident Response Team was not aware of public announcements or malicious use of the vulnerability when the advisory was published.

The second July 1 advisory covers seven ClamAV vulnerabilities: CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20216, CVE-2026-20217, CVE-2026-20243, and CVE-2026-20244. Cisco’s advisory says the flaws could let a remote attacker cause denial-of-service conditions that interrupt scanning operations. The affected Cisco products are Secure Endpoint Connector for Linux, Mac, and Windows; Cisco Secure Endpoint Private Cloud itself is not affected, although connector software distributed from it is.

The Windows connector is the highest-priority branch in that advisory because Cisco says the ClamAV scanning process runs in a privileged security context on Windows. The company rates the impact as high for Windows and medium for Linux and Mac. Fixed versions are Secure Endpoint Connector for Windows 8.6.2, Linux 1.29.0, and Mac 1.27.2, with connector updates available through Cisco Secure Endpoint update channels.

Why the cadence changed

Cisco announced the disclosure change in June, framing it as a response to AI-accelerated vulnerability discovery. In a Cisco security blog post, the company described frontier models and agentic analysis harnesses as tools that can surface bugs across large code bases faster than traditional advisory and patch processes were built to handle.

The important operational detail is predictability. Cisco says PSIRT will provide advance notice seven days before each planned release, naming the product families expected in that drop. If no release is planned, there is no notice. Cisco also says core network operating system products, including IOS XE, IOS XR, NX-OS, Firepower/ASA, and SD-WAN, are being scheduled first and are expected to follow a quarterly pattern, with Cisco avoiding multiple core network operating system releases on the same day.

That does not remove the need for urgent response when a severe or exploited vulnerability appears. It does, however, give infrastructure teams a calendar around which they can pre-stage lab validation, maintenance approvals, change windows, and rollback planning. The July 1 publication is a relatively contained first example: one Catalyst Center flaw, one ClamAV bundle, no workarounds, and no Cisco-reported exploitation at publication time.

The bigger shift is from CVE triage to release discipline

Cisco is also signaling a change in how customers should think about grouped fixes. Its June explanation says some security-hardened releases will use bundled CVEs tied to weakness categories rather than one CVE per individual bug when pervasive fixes are involved. That is a meaningful shift for organizations whose vulnerability-management programs still revolve around scoring, exception-handling, and tracking individual CVE tickets one by one.

For Cisco infrastructure, the cleaner question may increasingly be whether a product is on a security-hardened release train, whether the organization has tested the current fixed branch, and whether unsupported or rarely updated devices are creating an expanding exposure gap. The company’s message is that older infrastructure releases become riskier as AI-assisted discovery and exploit development speed up.

That framing matters because network appliances, endpoint connectors, controllers, and management systems do not patch like ordinary applications. They sit in change-controlled environments, carry uptime expectations, and often require coordination across networking, security, identity, help desk, and business operations. A twice-monthly advisory calendar only helps if teams use it to build a repeatable workflow before the next high-pressure advisory lands.

Where Live Protect fits

Cisco is pairing the cadence change with Cisco Live Protect, a runtime protection capability that uses eBPF-based controls on supported infrastructure. Cisco describes it as a temporary shield, not a patch replacement. The idea is to apply Cisco-validated compensating controls to running systems while teams prepare a permanent software update.

Live Protect is currently described by Cisco as shipping on data center N9000 switches, with plans to expand across campus and branch Smart Switches, Catalyst wireless controllers, Secure Routers, SD-WAN Manager, and other infrastructure platforms over time. The control modes Cisco describes are straightforward: monitor mode logs policy hits, enforce mode blocks or mitigates activity, and disable mode turns off a policy without uninstalling it.

For customers, the key distinction is that a compensating control can narrow exposure, but it should not become a permanent substitute for lifecycle management. Live Protect can help during the gap between disclosure and maintenance, especially for high-availability network gear. It does not eliminate the need to move to fixed software, confirm hardware and memory support, or retire devices that can no longer stay on supported branches.

What teams should check now

Start with inventory. Teams using Cisco Catalyst Center should identify hardware appliances and virtual deployments, confirm current versions, and compare them against the fixed-release tables in the July 1 advisory. Because CVE-2026-20191 has no workaround, exposed management paths and segmentation should be reviewed while upgrade timing is being scheduled.

Secure Endpoint customers should check connector versions by platform, with particular attention to Windows fleets running Cisco Secure Endpoint Connector. If connector updates are automatic, verify that policy settings actually allow the fixed versions to deploy. If private cloud connector repositories are used, confirm that clients are receiving the updated connector packages through normal content-update processes.

Then build the new Cisco advisory rhythm into operations. Assign ownership for the first- and third-Wednesday release windows, subscribe to Cisco security notifications, reserve recurring triage time, and decide in advance which environments require lab validation before production rollout. For large networks, the calendar should also include an exception path for products that cannot move quickly because of hardware limits, regulatory constraints, or business-critical uptime requirements.
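As an added illustration (not code from Cisco or from this article), the following Python inventory check compares installed versions against the fixed releases quoted above and flags anything not confirmed fixed, including trains the advisory tables do not list. The version-string grammar, the treatment of the GSMU number as a trailing version component, and the sample inventory are assumptions, and the check ignores the deployment-platform qualifiers Cisco attaches to the 2.3.7 fix.

```python
import re
# Fixed releases named in the July 1 advisories, as quoted in the article above.
# Catalyst Center entries are keyed by release train. The GSMU number is treated
# as a trailing version component (an ordering assumption, not Cisco's own rule).
CATALYST_CENTER_FIXED = {"3.1": "3.1.6 GSMU200", "2.3.7": "2.3.7.11-VA GSMU100"}
SECURE_ENDPOINT_FIXED = {"windows": "8.6.2", "linux": "1.29.0", "mac": "1.27.2"}
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-[A-Za-z]+)?(?:\s+GSMU(\d+))?$")

def parse_version(text):
    """'2.3.7.11-VA GSMU100' -> (2, 3, 7, 11, 100); '3.1.6' -> (3, 1, 6, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")) + (int(m.group(2) or 0),)

def catalyst_center_status(installed):
    """'fixed', 'vulnerable', or 'unlisted' (train absent from the advisory table)."""
    parsed = parse_version(installed)
    for train, fixed in CATALYST_CENTER_FIXED.items():
        prefix = tuple(int(p) for p in train.split("."))
        if parsed[:len(prefix)] == prefix:
            return "fixed" if parsed >= parse_version(fixed) else "vulnerable"
    return "unlisted"

def secure_endpoint_status(platform, installed):
    """Same three states for a Secure Endpoint Connector, keyed by platform name."""
    fixed = SECURE_ENDPOINT_FIXED.get(platform.lower())
    if fixed is None:
        return "unlisted"
    return "fixed" if parse_version(installed) >= parse_version(fixed) else "vulnerable"

def triage(inventory):
    """Return (name, status) for every asset not confirmed on a fixed release."""
    findings = []
    for item in inventory:
        if item["product"] == "catalyst-center":
            status = catalyst_center_status(item["version"])
        else:
            status = secure_endpoint_status(item["platform"], item["version"])
        if status != "fixed":
            findings.append((item["name"], status))
    return findings
# Constructed sample inventory for illustration only (not real hosts or versions).
SAMPLE_INVENTORY = [
    {"name": "dnac-01", "product": "catalyst-center", "version": "3.1.6"},
    {"name": "dnac-02", "product": "catalyst-center", "version": "3.1.6 GSMU200"},
    {"name": "dnac-03", "product": "catalyst-center", "version": "2.3.5.3"},
    {"name": "ws-1042", "product": "secure-endpoint", "platform": "windows", "version": "8.6.1"},
    {"name": "lx-0017", "product": "secure-endpoint", "platform": "linux", "version": "1.29.0"},
]
```

Anything reported as "unlisted" is on a train the July 1 tables do not cover, so it needs a manual look at the advisory rather than being treated as safe.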

The July 1 advisories do not appear to be an exploitation emergency. They are still a clear warning about the way enterprise infrastructure patching is changing. The old model of waiting for a quarterly network-maintenance window is becoming harder to defend when vendors are moving to more frequent disclosure, adversaries are automating faster, and AI-assisted research is finding more flaws across the systems that keep networks running.
