Cisco has released patches to fix a critical flaw in the Integrated Management Controller (IMC) that could let an unauthenticated, remote attacker bypass authentication and gain elevated privileges. The vulnerability, CVE-2026-20093, carries a CVSS score of 9.8 out of 10; Cisco says it stems from incorrect handling of password change requests, and exploitation is possible via a crafted HTTP request to an affected device.
Security researchers credited as "jyh" discovered and reported the flaw, which affects multiple products, including the 5000 Series ENCS, the Catalyst 8300 Series uCPE, and UCS C-Series and E-Series servers in various configurations, with specific fixes listed for each model.
A second critical issue, CVE-2026-20160 (CVSS 9.8), affects Smart Software Manager On-Prem (SSM On-Prem) and could allow an unauthenticated attacker to run commands on the underlying operating system with root privileges by sending a crafted API request; patches are available in Cisco SSM On-Prem version 9-202601. While neither flaw has been observed being exploited in the wild, Cisco urges customers to update to the fixed versions for full protection.