Full Report
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges. The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0. "This
Analysis Summary
# Vulnerability: Cisco IMC Authentication Bypass and SSM On-Prem RCE
## CVE Details
- **CVE ID:** CVE-2026-20093 (IMC), CVE-2026-20160 (SSM On-Prem)
- **CVSS Score:** 9.8 (Critical) for both vulnerabilities
- **CWE:** Incorrect handling of password change requests (IMC); Unintentional exposure of internal service (SSM)
## Affected Systems
- **Products:**
- Cisco Integrated Management Controller (IMC)
- Cisco Smart Software Manager On-Prem (SSM On-Prem)
- **Versions:**
- 5000 Series Enterprise Network Compute Systems (ENCS)
- Catalyst 8300 Series Edge uCPE
- UCS C-Series M5 and M6 Rack Servers (standalone mode)
- UCS E-Series Servers M3 and M6
- SSM On-Prem versions prior to 9-202601
- **Configurations:** IMC vulnerabilities affect devices regardless of the specific configuration.
## Vulnerability Description
**CVE-2026-20093 (IMC):** A flaw in the Integrated Management Controller due to the incorrect handling of password change requests. An attacker can send a crafted HTTP request to the device to bypass authentication and reset the password of any user, including administrators.
**CVE-2026-20160 (SSM On-Prem):** A flaw resulting from the unintentional exposure of an internal service API. An attacker can send crafted requests to this API to execute arbitrary commands on the underlying operating system with root-level privileges.
## Exploitation
- **Status:** Not currently exploited in the wild; no public PoC mentioned as available.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Critical (Full access to system and data)
- **Integrity:** Critical (Ability to alter user passwords and system configurations)
- **Availability:** Critical (Potential for total system takeover/shutdown)
## Remediation
### Patches
Cisco has released the following fixed versions:
- **5000 Series ENCS:** 4.15.5
- **Catalyst 8300 Edge uCPE:** 4.18.3
- **UCS C-Series M5/M6:** 4.3(2.260007), 4.3(6.260017), or 6.0(1.250174)
- **UCS E-Series M3:** 3.2.17
- **UCS E-Series M6:** 4.15.3
- **SSM On-Prem:** 9-202601
### Workarounds
- No workarounds are available for these vulnerabilities. Cisco recommends immediate updates to the fixed versions.
## Detection
- **Indicators of Compromise:** Unauthorized password changes for administrative accounts; unusual API requests to internal services on SSM On-Prem.
- **Detection methods and tools:** Review Cisco IMC logs for unauthorized HTTP password change requests; monitor SSM On-Prem for unexpected root-level command execution.
## References
- [Cisco Security Advisory - IMC Auth Bypass] hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn
- [Cisco Security Advisory - SSM RCE] hxxps://sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr
- [The Hacker News Article] hxxps://thehackernews[.]com/2026/04/cisco-patches-98-cvss-imc-and-ssm-flaws[.]html