According to Cisco, the company has patched two critical and six high-severity vulnerabilities that could be exploited for authentication bypass, remote code execution, information disclosure, and privilege escalation. One critical flaw, CVE-2026-20160, affects Cisco Smart Software Manager On-Prem and could allow an attacker to abuse an exposed internal service to run arbitrary commands with root-level privileges.
The second critical flaw, CVE-2026-20093, is an authentication bypass issue tied to the handling of password change requests, enabling an unauthenticated attacker to modify administrator passwords and gain admin access. The fixes also cover a high-severity defect in Evolved Programmable Network Manager and another in SSM On-Prem related to privilege escalation.
In addition, four IMC vulnerabilities could let attackers execute arbitrary commands and obtain root privileges, with Cisco noting that more than two dozen enterprise products, including UCS C-series and E-series servers, are affected. Cisco says it is not aware of any of the vulnerabilities being exploited in the wild, and directs readers to its security advisories for further information.