thehackernews.com 4/2/2026, 4:41:30 PM · via preferred

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Developing story vulnerability 4 articles tracked
Cisco IMC authentication bypass flaw (CVE-2026-20093) patched
CyberSIXT Evidence Panel
CISA KEV Not in KEV
Patch Patch Status Unknown

CISCO has released patches to fix a critical flaw in the Integrated Management Controller (IMC) that could let an unauthenticated, remote attacker bypass authentication and gain elevated privileges. The vulnerability, CVE-2026-20093, carries a CVSS score of 9.8 out of 10, and Cisco says it stems from incorrect handling of password change requests, with exploitation possible via a crafted HTTP request to an affected device.

Security researchers credited as "jyh" discovered and reported the flaw, which affects multiple products including 5000 Series ENCS, Catalyst 8300 Series uCPE, UCS C-Series and E-Series servers in various configurations, with specific fixes listed for each model.

A second critical issue, CVE-2026-20160 (CVSS 9.8), affects Smart Software Manager On-Prem (SSM On-Prem) and could allow an unauthenticated attacker to run commands on the underlying operating system with root privileges by sending a crafted API request; patches are available in Cisco SSM On-Prem version 9-202601. While neither flaw has been observed exploited in the wild, Cisco urges customers to update to the fixed versions for optimal protection.

View full article

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline