Cisco IOS XE ↗
Cisco · Network / Security
20/100 Critical · exploited
Summary iPlain-English security verdict for Cisco IOS XE, generated from its current health score, actively-exploited vulnerabilities, and latest supported version.
Cisco IOS XE currently scores 20/100 — critical, with active exploitation. 28 of its known vulnerabilities are being actively exploited in the wild (CISA KEV), including CVE-2023-44487. Upgrade immediately and review your exposure to the actively-exploited CVEs below. Note: this product is assessed at the product level on recent (365-day) activity rather than an exact per-version match, so it is never marked a confident "healthy".
Disclosure trend iNew CVEs published for Cisco IOS XE each year (NVD). A higher bar means more disclosures that year — more scrutiny, not necessarily less safe.
'19
'20
'21
'22
'23
'24
'25
'26
Patch priority — what to act on iThe issues to fix first — actively exploited (CISA KEV) first, then by exploitation probability (EPSS), then severity. Each row's "→ fixed in" is the earliest version that patches it; "see advisory" means no fixed version is published.
Most urgent first — actively exploited, then likeliest to be exploited.
CVE-2023-44487 HIGH ● exploited Uncontrolled resource consumption EPSS 94% → fixed in 17.15.1 CVE-2017-3881 CRITICAL ● exploited Improper input validation EPSS 94% → see advisory CVE-2023-20198 CRITICAL ● exploited CWE-420 EPSS 94% → fixed in 17.9.4a CVE-2016-6415 HIGH ● exploited Information disclosure EPSS 93% → see advisory CVE-2023-20273 HIGH ● exploited OS command injection EPSS 93% → fixed in 17.9.4a CVE-2017-6736 HIGH ● exploited Memory corruption EPSS 88% → see advisory CVE-2017-6737 HIGH ● exploited Memory corruption EPSS 20% → see advisory CVE-2017-6738 HIGH ● exploited Memory corruption EPSS 20% → see advisory CVE-2017-6739 HIGH ● exploited Memory corruption EPSS 20% → see advisory CVE-2017-6743 HIGH ● exploited Memory corruption EPSS 20% → see advisory CVE-2017-6740 HIGH ● exploited Memory corruption EPSS 16% → see advisory CVE-2018-0156 HIGH ● exploited CWE-399 EPSS 16% → see advisoryVersions & lifecycle iWhen each release line stops receiving security patches (end-of-life). After EOL there are no more fixes — plan upgrades before these dates.
How long each Cisco IOS XE release line is supported — and when it sunsets.
17.18 latest — Supported until 2029-08-08
17.17 latest — End of life ended 2026-03-31
17.16 latest — End of life ended 2025-12-11
17.15 latest — Supported until 2028-08-09
17.14 latest — End of life ended 2025-04-13
17.13 latest — End of life ended 2024-11-30
17.12 latest — Supported until 2027-07-28
17.11 latest — End of life ended 2024-03-28
17.10 latest — End of life ended 2023-11-30
17.9 latest — Supported until 2026-07-29
See all upcoming end-of-life dates → ℹ product-level posture (last 365d); exact per-version verdict pending precise version mapping