How to patch Cisco IOS & IOS XE

Q: How do I check which version of Cisco IOS I am running?

Use: show version (Device CLI). Record the result before and after patching to confirm the update applied.

Cisco · Network / Security · 6 steps · Cisco IOS security status → · updated June 2026

Cisco devices are patched by loading a fixed software image and reloading (classic IOS) or using install mode (IOS XE). Use the Cisco Software Checker to find the fixed release for the advisory affecting you.

actively exploited (KEV)

615

tracked CVEs

—

latest supported

Cisco IOS has 38 actively-exploited vulnerabilities on the CISA KEV list — patching is urgent.

Check your current version first

Before you patch, record what you're running (Device CLI):

show version

Or paste your version into the checker for an instant verdict.

Step by step

Identify platform, image and version

Run show version and show flash: to record the model, current image and release train.

Find the fixed release

Use the Cisco Software Checker (or the advisory) to find the first fixed release in your train. A valid service contract is needed to download.

Stage the image

Confirm enough flash/bootflash space, copy the image to the device (copy tftp: flash: / copy ftp:), and verify its checksum (verify /md5 or /sha512).

Set boot variable and reload (classic IOS)

Set boot system flash:<image>, save with write memory, then reload during a maintenance window.

Or use install mode (IOS XE)

On IOS XE: install add file ... activate commit performs the upgrade with a single reload and is the recommended method.

Verify after reboot

After it comes back, run show version to confirm the new release and that it booted the intended image.

Watch out for:

Have console access and a rollback image — a bad boot variable can leave the device in ROMMON.
Check feature/licensing and memory requirements for the target release first.

Official sources

Advisory: Cisco Security Advisories + Software Checker ↗
Download: Cisco Software Download ↗

Don't patch blind. Cisco IOS has 38 actively-exploited vulnerabilities on the CISA KEV list — patching is urgent. See exactly which versions are safe and what you're exposed to.

Cisco IOS security status →

Stay ahead of the next one

Cisco IOS security status & health score — score, open CVEs and safe version.
Cisco IOS vulnerabilities — the full CVE list and what's exploited.
Monitor Cisco IOS — get an email alert the moment a new exploited vulnerability lands.

Frequently asked questions

What is the latest version of Cisco IOS?

Check the current supported Cisco IOS release on its product page or the official vendor advisory, then patch to it.

How do I check which version of Cisco IOS I am running?

Use: show version (Device CLI). Record the result before and after patching to confirm the update applied.

Is Cisco IOS being actively exploited right now?

Yes — 38 Cisco IOS vulnerabilities are on the CISA Known Exploited Vulnerabilities (KEV) list, so attackers are using them in the wild. Patch promptly. See the exploitation radar.

How do I patch Cisco IOS safely without breaking production?

Always test in a non-production environment first, take a backup or snapshot, follow the official vendor advisory, and have a tested rollback. Patch one node at a time for clustered or high-availability setups.

Patch steps are general, well-established guidance for Cisco IOS — always test in a non-production environment first and follow the official Cisco advisory for your exact version. IsItPatched is independent and not affiliated with Cisco; this is not a substitute for vendor documentation. See our disclaimer.

← All patching guides · Security guides →