Critical Cisco IMC Authentication Bypass Enables Unauthenticated Admin Access

    Cisco has released urgent security patches addressing multiple critical and high-severity vulnerabilities, including a maximum-severity authentication bypass in the Integrated Management Controller (IMC) that allows unauthenticated attackers to gain administrative access to affected systems.

    CVE-2026-20093: The Core Vulnerability

    Tracked as CVE-2026-20093, this critical vulnerability exists in the Cisco IMC password change functionality. The flaw enables remote, unauthenticated attackers to bypass authentication and access vulnerable systems with full administrative privileges—the highest level of access on the device.

    Cisco IMC (also known as CIMC) is the baseboard management controller (BMC) embedded on the motherboard of Cisco UCS C-Series and E-Series servers. It provides out-of-band management through several interfaces, including the XML API, the web interface (WebUI) and a command-line interface (CLI), and it remains reachable even when the host is powered off or its operating system has crashed.

    According to Cisco’s security advisory: “This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.”

    Why This Matters

    The impact is hard to overstate. IMC interfaces sit beneath the operating system and manage the server hardware itself, so compromise at this level provides attackers with:

    • Complete server control—even when the OS is offline
    • Password manipulation—ability to change any user’s credentials
    • Persistence—out-of-band management access survives OS reinstalls
    • Lateral movement potential—compromised management interfaces often provide network pivoting opportunities

    Additional Critical Vulnerabilities Patched

    Alongside CVE-2026-20093, Cisco addressed another critical vulnerability this week:

    CVE-2026-20160 affects Cisco Smart Software Manager On-Prem (SSM On-Prem) and enables unauthenticated attackers to achieve remote code execution with root-level privileges by sending crafted requests to the exposed service’s API.

    These patches come on the heels of CVE-2026-20131, a maximum-severity RCE vulnerability in Cisco Secure Firewall Management Center (FMC) that the Interlock ransomware gang exploited in zero-day attacks. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating federal agencies patch within three days.

    Immediate Actions Required

    Cisco’s Product Security Incident Response Team (PSIRT) reports no evidence of in-the-wild exploitation or public proof-of-concept code for CVE-2026-20093 so far. Because no workarounds exist, the company “strongly recommends” upgrading to a fixed release without delay.

    Organizations should:

    1. Inventory all Cisco UCS C-Series and E-Series servers, including the IMC firmware version each one is running, so that unpatched units can be identified
    2. Apply the fixed IMC firmware immediately through Cisco’s official channels
    3. Restrict network access to IMC interfaces to a dedicated, trusted management network; they should never be reachable from the internet or from general-purpose user networks
    4. Monitor IMC audit logs for password changes, in particular changes that were not preceded by a successful login from the same source
    5. Audit administrative accounts for unauthorized changes, and rotate credentials on any device that was reachable from untrusted networks while unpatched
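    As an added illustration of steps 3 to 5 (this is example code written for this page, not code from the article, Cisco or BleepingComputer), the script below scans an audit-log export for password changes that either originate outside an assumed trusted management range or were not preceded by a successful login from the same source address. That second pattern is what an unauthenticated bypass of the password-change function would leave behind: the password changes first, and the attacker’s login with the new credential comes afterwards. The log line format, hostname, addresses and management CIDR are all constructed assumptions; Cisco’s real IMC audit-log format differs, so parse_line() must be adapted to whatever your syslog collector actually receives.

```python
"""Flag suspicious IMC password-change events in an audit-log export.

The log format, addresses and trusted CIDR below are ASSUMPTIONS made for this
example; they are not Cisco's real IMC log format. Adapt parse_line() to the
records your syslog collector receives from the devices.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed management network; anything else is treated as untrusted.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# A password change should follow a successful login from the same source
# within this window; otherwise the session that changed it is unexplained.
LOGIN_WINDOW = timedelta(minutes=10)

# Constructed sample lines (not real device output).
SAMPLE_LOG = """\
2026-03-04T09:01:12Z cimc-rack01 AUDIT src=10.10.0.5 event=login-success user=admin
2026-03-04T09:03:40Z cimc-rack01 AUDIT src=10.10.0.5 event=password-change user=admin target=admin
2026-03-04T11:22:03Z cimc-rack01 AUDIT src=203.0.113.77 event=password-change user=- target=admin
2026-03-04T11:25:19Z cimc-rack01 AUDIT src=10.10.0.9 event=password-change user=- target=ops
2026-03-04T11:25:44Z cimc-rack01 AUDIT src=10.10.0.9 event=login-success user=ops
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) AUDIT src=(?P<src>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+)(?: target=(?P<target>\S+))?$"
)


def parse_line(line):
    """Parse one constructed audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_trusted(src, nets=TRUSTED_MGMT_NETS):
    """True if the source address falls inside one of the trusted management CIDRs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def find_suspicious_password_changes(log_text, nets=TRUSTED_MGMT_NETS, window=LOGIN_WINDOW):
    """Return (timestamp, src, target_user, reasons) for each password change that
    came from an untrusted network or was not preceded by a successful login
    from the same source within `window`."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])  # order matters: logins must precede changes
    last_login = {}  # src address -> time of most recent successful login
    findings = []
    for rec in records:
        if rec["event"] == "login-success":
            last_login[rec["src"]] = rec["ts"]
            continue
        if rec["event"] != "password-change":
            continue
        reasons = []
        if not is_trusted(rec["src"], nets):
            reasons.append("source outside trusted management networks")
        seen = last_login.get(rec["src"])
        if seen is None or rec["ts"] - seen > window:
            reasons.append("no successful login from this source in the preceding window")
        if reasons:
            findings.append((rec["ts"], rec["src"], rec["target"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, target, reasons in find_suspicious_password_changes(SAMPLE_LOG):
        print(f"{ts.isoformat()} src={src} target={target}: {'; '.join(reasons)}")
```

    On the constructed sample the legitimate admin change at 09:03 is silent, the change from 203.0.113.77 is flagged on both rules, and the change from 10.10.0.9 is flagged because the only login from that address came after the password was changed. Feeding the exporter a real device’s records requires only rewriting the regular expression and timestamp parsing in parse_line().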

    The Bigger Picture

    This vulnerability disclosure follows a turbulent period for Cisco security. BleepingComputer recently reported that Cisco’s internal development environment was breached using credentials stolen during the Trivy supply chain attack—highlighting how even major security vendors face significant threats.

    For organizations running Cisco server infrastructure, the message is clear: patch now. Authentication bypass vulnerabilities at the management layer represent some of the most dangerous attack vectors, providing adversaries with persistence and control that survives most remediation efforts.

    Source: BleepingComputer
