Cisco carries two critical CVEs this week: CVE-2023-20198, the IOS XE Web UI privilege escalation used in the SharkLoader espionage campaign, and CVE-2026-20230, an unauthenticated SSRF in Unified Communications Manager added to CISA KEV with a 48-hour federal remediation deadline. Both represent unauthenticated or pre-authentication attack paths against internet-facing Cisco infrastructure, and both carry real active exploitation evidence.