Emergency Security Bulletin: Multiple critical vulnerabilities affecting Cisco


By: RedLegg's Cyber Threat Intelligence Team

About:

Multiple critical vulnerabilities have been identified in Cisco management platforms that could allow unauthenticated attackers to bypass authentication controls or execute arbitrary commands on affected systems. These flaws impact Cisco Integrated Management Controller (IMC) and Cisco Smart Software Manager On-Prem.

Successful exploitation may allow attackers to gain full administrative access, reset credentials, or execute commands with root-level privileges. This could result in complete compromise of infrastructure management systems and downstream network environments.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Authentication Bypass Vulnerability in Cisco Integrated Management Controller (IMC)

CVSS Score: 9.8 (Critical, CVSS v3.1)
Identifier: CVE-2026-20093

PoC or Exploitation:
As of current vendor and public reporting, there are no confirmed reports of active exploitation in the wild and no widely available proof-of-concept exploit code. 

Update/Patch:

Cisco has released software updates to address this vulnerability in Cisco Integrated Management Controller (IMC). Organizations should upgrade affected systems to the fixed versions specified in Cisco's advisory.

Affected platforms include Cisco UCS servers, Catalyst devices, and other systems leveraging IMC.

Cisco advisory and patch guidance:

Description:

CVE-2026-20093 is an authentication bypass vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC). The vulnerability is caused by incorrect handling of password change requests.

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP request to the affected device. Successful exploitation allows the attacker to bypass authentication controls, change the passwords of arbitrary users, including administrative accounts, and gain full administrative access to the system.

Mitigation Recommendation:

Immediately apply Cisco software updates addressing CVE-2026-20093.

Restrict access to IMC management interfaces to trusted administrative networks only.

Ensure IMC interfaces are not exposed to the public internet.

Monitor logs for suspicious HTTP requests, unauthorized password changes, or abnormal administrative activity.

Rotate administrative credentials if compromise is suspected and conduct threat hunting for indicators of unauthorized access.


Unauthenticated Remote Command Execution Vulnerability in Cisco Smart Software Manager On-Prem

CVSS Score: 9.8 (Critical, CVSS v3.1)

Identifier: CVE-2026-20160

PoC or Exploitation:
As of Cisco's advisory and current public reporting, there are no confirmed reports of active exploitation in the wild and no publicly available proof-of-concept exploit code.


Update/Patch:

Cisco has released software updates to address this vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem). There are no workarounds available.

Affected versions include:
Cisco SSM On-Prem versions prior to 9-202601

Fixed version:
Cisco SSM On-Prem 9-202601 and later

Cisco advisory and patch guidance:

Description:

CVE-2026-20160 is an unauthenticated remote command execution vulnerability affecting Cisco Smart Software Manager On-Prem. The vulnerability is caused by the unintended exposure of an internal service.

An attacker can exploit this vulnerability by sending a crafted request to the API of the exposed internal service. Successful exploitation allows execution of arbitrary commands on the underlying operating system with root-level privileges.


Mitigation Recommendation:

Immediately upgrade Cisco Smart Software Manager On-Prem to version 9-202601 or later.

Ensure that SSM On-Prem instances are not exposed to the public internet.

Restrict access to management and API interfaces to trusted administrative networks only.

Monitor logs for suspicious API requests, unexpected command execution, or abnormal system behavior.
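An added example (not from this bulletin or from Cisco) that turns the upgrade and exposure recommendations for both products into an inventory triage check: it flags SSM On-Prem hosts still prior to the fixed version 9-202601 and any IMC or SSM On-Prem management address that falls outside the networks treated as trusted. The trusted-network list, the inventory format and the sample hosts are assumptions for this example; IMC fixed versions are not listed on this page, so IMC hosts get only the exposure check.

```python
import ipaddress
import re

# Fixed SSM On-Prem version named in the bulletin (CVE-2026-20160): 9-202601 and later.
SSM_FIXED_VERSION = "9-202601"
_VERSION_RE = re.compile(r"^(\d+)-(\d{6})$")

# Assumption for this example: "trusted administrative networks" is approximated as
# RFC 1918 / IPv6 ULA plus loopback and link-local. Substitute your real allowlist.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]

def parse_ssm_version(version: str) -> tuple[int, int]:
    """Parse Cisco's 'major-YYYYMM' SSM On-Prem form, e.g. '9-202601' -> (9, 202601)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SSM On-Prem version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def ssm_is_affected(version: str) -> bool:
    """True when the version is prior to 9-202601, i.e. not yet fixed for CVE-2026-20160."""
    return parse_ssm_version(version) < parse_ssm_version(SSM_FIXED_VERSION)

def is_internet_routable(address: str, trusted=TRUSTED_NETS) -> bool:
    """True when a management address lies outside every trusted network."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in trusted)

def triage(inventory: list[dict]) -> list[tuple[str, str]]:
    """Return (host, issue) pairs. Entries carry 'product' ('imc' or 'ssm'), 'mgmt_ip'
    and, for ssm only, 'version'. IMC hosts get the exposure check only."""
    findings = []
    for item in inventory:
        if item["product"] == "ssm" and ssm_is_affected(item["version"]):
            findings.append((item["host"],
                             f"SSM On-Prem {item['version']} is prior to {SSM_FIXED_VERSION}; upgrade"))
        if is_internet_routable(item["mgmt_ip"]):
            findings.append((item["host"],
                             f"management address {item['mgmt_ip']} is outside trusted networks; restrict"))
    return findings

# Constructed sample inventory (hypothetical hosts, addresses and versions, not from the bulletin).
SAMPLE_INVENTORY = [
    {"host": "ssm-prod", "product": "ssm", "mgmt_ip": "10.20.0.5", "version": "8-202407"},
    {"host": "ssm-lab", "product": "ssm", "mgmt_ip": "192.168.1.10", "version": "9-202601"},
    {"host": "ucs-imc-01", "product": "imc", "mgmt_ip": "203.0.113.17"},
]
```

Running `triage(SAMPLE_INVENTORY)` reports ssm-prod for upgrade and ucs-imc-01 for exposure; ssm-lab is already on the fixed version and sits on a trusted network.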