CVE-2026-20093 is described as a critical authentication bypass flaw in Cisco IMC (Integrated Management Controller) that could allow an unauthenticated, remote attacker to gain full administrative access to UCS servers. The vulnerability carries a CVSS score of 9.8 and stems from improper input validation in the password change functionality of IMC, which lets an attacker reset the password for the Admin account and take control of the affected systems.
Exploitation is reported as low complexity and requires neither prior privileges nor user interaction; the attack is delivered via a specially crafted HTTP POST request to the vulnerable device. There is currently no evidence of active exploitation in the wild, nor public PoC code, though management controllers like IMC are high-value targets for sophisticated threat actors.
Cisco has released software updates to address the flaw. Fixed IMC releases include 4.3(2.260007), 4.3(6.260017), and 6.0(1.250174) for C-Series servers, and NFVIS updates such as 4.15.5 and 4.18.3 for ENCS and Catalyst platforms, according to the Cisco Security Advisory.
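As an added example (not part of the advisory and not Cisco's own tooling), a small Python check that compares a device's reported IMC version string against the fixed C-Series releases listed above. It assumes that a release is fixed only when it sits in the same major.minor(release) train as a listed fix and at or above that fix's build number; any train without a listed fix is flagged for manual lookup in the advisory rather than guessed. The inventory and hostnames are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed Cisco IMC releases for C-Series servers, as named in the summary above.
FIXED_IMC_RELEASES = ["4.3(2.260007)", "4.3(6.260017)", "6.0(1.250174)"]

# Cisco IMC versions look like major.minor(release.build), e.g. 4.3(2.260007).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")


def parse_imc_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '4.3(2.260007)' into (major, minor, release, build); build is 0 if absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IMC version format: {text!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def _train(v: Tuple[int, int, int, int]) -> Tuple[int, int, int]:
    # major.minor(release) identifies the release train; the build distinguishes
    # patch levels within it. Assumption: fixes do not carry across trains.
    return v[:3]


def assess(running: str, fixed: List[str] = FIXED_IMC_RELEASES) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown-train' (consult the advisory)."""
    rv = parse_imc_version(running)
    for fixed_text in fixed:
        fv = parse_imc_version(fixed_text)
        if _train(fv) == _train(rv):
            # Tuple comparison orders by build once the train matches.
            return "fixed" if rv >= fv else "vulnerable"
    return "unknown-train"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {host: imc_version} inventory to its assessment."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "ucs-c220-lab01": "4.3(2.240002)",   # same train as a fix, older build
    "ucs-c240-lab02": "4.3(2.260007)",   # exactly the fixed build
    "ucs-c220-lab03": "6.0(1.250100)",   # 6.0(1) train, older build
    "ucs-c240-lab04": "4.3(4.230000)",   # no fix listed for this train here
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```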