A pair of critical vulnerabilities has been disclosed in Cisco server and license-management technologies: CVE-2026-20093 and CVE-2026-20160. These flaws allow attackers to bypass authentication or execute commands at the highest privilege level. Both have been assigned a CVSS score of 9.8. Exploitation could result in full administrative control of the affected system and compromise of sensitive infrastructure management functions.
Background on the Affected Technology
Cisco Integrated Management Controller (IMC)
Cisco IMC is an out-of-band management interface embedded in Cisco UCS servers and other appliances. It is used for remote platform management, including power control, BIOS configuration, and hardware health monitoring. IMC runs independently of the host operating system and has full control over the underlying hardware.
Because of its privileged position, vulnerabilities in IMC can provide attackers with complete access to server systems and the ability to manipulate hardware controls.
Cisco Smart Software Manager On-Prem (SSM On-Prem)
Cisco Smart Software Manager On-Prem provides license management and entitlement tracking for Cisco products. It includes a command-line interface (CLI) and backend services that interact with licensing data and APIs.
Although intended as an internal administrative component, certain services are exposed in ways that affect command execution security.
Vulnerability Details
CVE-2026-20093
CVSS Score: 9.8 (Critical)
Vulnerability Type: Authentication Bypass
Affected Product: Cisco Integrated Management Controller (IMC)
CVE-2026-20093 exists due to improper handling of password change requests in IMC. An unauthenticated remote attacker can send a specially crafted HTTP request to bypass authentication controls entirely.
Discovered by: Security researcher “jyh.”
CVE-2026-20160
CVSS Score: 9.8 (Critical)
Vulnerability Type: Command Injection
Affected Product: Cisco Smart Software Manager On-Prem (SSM On-Prem)
CVE-2026-20160 stems from the unintended exposure of an internal service. By sending a specially crafted request to the API of this exposed service, an attacker can trigger command execution. A successful exploit would allow the attacker to run operating system commands with root-level privileges, potentially resulting in full system compromise.
This vulnerability was identified internally while Cisco was addressing a Technical Assistance Center (TAC) support case.
Tactics and Techniques
Attackers may leverage these flaws using tactics aligned with MITRE ATT&CK:
- TA0001 – Initial Access – Exploit Public-Facing Application (T1190): Targeting the exposed IMC web interface.
- TA0005 – Defense Evasion – Bypass Authentication (T1556): Bypassing IMC login controls via crafted requests.
- TA0004 – Privilege Escalation – Exploitation for Privilege Escalation (T1068): Using command injection to gain root command execution.
- TA0003 – Persistence – Create or Modify Accounts (T1136)
Potential Impact
If exploited, these vulnerabilities may lead to:
- Full Administrative Access: Unauthorized control of the IMC interface (CVE-2026-20093)
- Root Execution: Arbitrary OS command execution with complete privileges (CVE-2026-20160)
- Configuration Tampering: Hardware and system configuration manipulation
- Persistence: Altered administrative accounts.
Mitigation Steps
CVE-2026-20093 affects the products listed below, and Cisco urges customers to apply patches immediately.
Note: To address this issue on Cisco 5000 Series ENCS and Cisco Catalyst 8300 Series Edge uCPE platforms, it is necessary to upgrade the Cisco Enterprise NFV Infrastructure Software (NFVIS). The Cisco IMC software is automatically updated as part of the NFVIS firmware upgrade process.
5000 Series ENCS and Catalyst 8300 Series Edge uCPE
| Product / Software Component | Affected Releases | First Fixed Release |
|---|---|---|
| Cisco NFVIS (for 5000 Series ENCS) | 4.15 and earlier | 4.15.5 |
| Cisco NFVIS (for Catalyst 8300 Series Edge uCPE) | 4.16 and earlier | Migrate to a fixed release |
| Cisco NFVIS (for Catalyst 8300 Series Edge uCPE) | 4.18 | 4.18.3 (Apr 2026) |
UCS C-Series Rack Servers
| Server Model | Affected IMC Release | First Fixed IMC Release |
|---|---|---|
| UCS C-Series M5 | 4.2 and earlier | Migrate to a fixed release |
| UCS C-Series M5 | 4.3 | 4.3(2.260007) |
| UCS C-Series M6 | 4.2 and earlier | Migrate to a fixed release |
| UCS C-Series M6 | 4.3 | 4.3(6.260017) |
| UCS C-Series M6 | 6.0 | 6.0(1.250174) |
UCS E-Series Servers
| Server Model | Affected IMC Release | First Fixed IMC Release |
|---|---|---|
| UCS E-Series M3 | 3.2 and earlier | 3.2.17 |
| UCS E-Series M6 | 4.15 and earlier | 4.15.3 |
CVE-2026-20160 affects Cisco Smart Software Manager On-Prem installations running the vulnerable releases listed below. Immediate patching is critical to prevent arbitrary command execution.
| Cisco SSM On-Prem Release | First Fixed Release |
|---|---|
| 9-202502 to 9-202510 | Fixed in 9-202601 |
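An inventory check a defender could run against the tables above, added here as an example and not part of the original advisory. The platform names used as dictionary keys are labels chosen for this example, and release strings are compared by their numeric components only (a letter suffix such as the "c" in 4.1(3c) is ignored).

```python
import re
from typing import Tuple

Version = Tuple[int, ...]

# Transcribed from this page's tables: (train, also_earlier_trains, first_fixed).
# first_fixed None = the page's "Migrate to a fixed release". NFVIS rows are
# included because ENCS / Catalyst 8300 uCPE receive IMC via the NFVIS upgrade.
FIXED_ROWS = {
    "NFVIS (5000 ENCS)": [((4, 15), True, "4.15.5")],
    "NFVIS (Catalyst 8300 uCPE)": [((4, 16), True, None), ((4, 18), False, "4.18.3")],
    "UCS C-Series M5": [((4, 2), True, None), ((4, 3), False, "4.3(2.260007)")],
    "UCS C-Series M6": [((4, 2), True, None), ((4, 3), False, "4.3(6.260017)"),
                        ((6, 0), False, "6.0(1.250174)")],
    "UCS E-Series M3": [((3, 2), True, "3.2.17")],
    "UCS E-Series M6": [((4, 15), True, "4.15.3")],
}
SSM_AFFECTED = ("9-202502", "9-202510")  # CVE-2026-20160 range, fixed in 9-202601
SSM_FIRST_FIXED = "9-202601"

def parse_version(text: str) -> Version:
    """'4.3(6.260017)', '3.2.17' or '9-202510' -> integer tuple that orders correctly."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if len(parts) < 2:
        raise ValueError(f"unrecognised release string: {text!r}")
    return parts

def imc_status(platform: str, release: str) -> str:
    """Classify an IMC or NFVIS release for CVE-2026-20093 against the table."""
    v = parse_version(release)
    for train, and_earlier, fixed in FIXED_ROWS[platform]:
        if v[:2] == train or (and_earlier and v[:2] < train):
            if fixed is None:
                return "affected: migrate to a fixed release"
            return "fixed" if v >= parse_version(fixed) else f"affected: upgrade to {fixed}"
    return "not listed in advisory tables"

def ssm_status(release: str) -> str:
    """Classify an SSM On-Prem release for CVE-2026-20160."""
    v = parse_version(release)
    if v >= parse_version(SSM_FIRST_FIXED):
        return "fixed"
    lo, hi = (parse_version(r) for r in SSM_AFFECTED)
    if lo <= v <= hi:
        return f"affected: upgrade to {SSM_FIRST_FIXED}"
    return "not listed in advisory tables"
```

A release train the tables do not mention is reported as "not listed" rather than guessed at, so it still needs a manual check against the vendor advisory.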
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
