Computing

Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

News Room
News Room
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise

Ravie LakshmananApr 02, 2026Network Security / Vulnerability

Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges.

The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.

“This vulnerability is due to incorrect handling of password change requests,” Cisco said in an advisory released Wednesday. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.”

“A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.”

Security researcher “jyh” has been credited with discovering and reporting the vulnerability. The shortcoming affects the following products regardless of the device configuration – 

  • 5000 Series Enterprise Network Compute Systems (ENCS) – Fixed in 4.15.5
  • Catalyst 8300 Series Edge uCPE – Fixed in 4.18.3
  • UCS C-Series M5 and M6 Rack Servers in standalone mode – Fixed in 4.3(2.260007), 4.3(6.260017), and 6.0(1.250174)
  • UCS E-Series Servers M3 – Fixed in 3.2.17
  • UCS E-Series Servers M6 – Fixed in 4.15.3

Another critical vulnerability patched by Cisco impacts Smart Software Manager On-Prem (SSM On-Prem), which could enable an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system. The vulnerability, CVE-2026-20160 (CVSS score: 9.8), stems from an unintentional exposure of an internal service.

“An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service,” Cisco said. “A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.”

Patches for the flaw have been released in Cisco SSM On-Prem version 9-202601. Cisco said the vulnerability was discovered internally during the resolution of a Cisco Technical Assistance Center (TAC) support case.

While neither of the vulnerabilities has been exploited in the wild, a number ofrecentlydisclosed security flaws in Cisco products have been weaponized by threat actors. In the absence of a workaround, customers are recommended to update to the fixed version for optimal protection.

Share This Article
Previous Article Google’s new Gemma 4 models bring complex reasoning skills to low-power devices – News Google’s new Gemma 4 models bring complex reasoning skills to low-power devices – News
Next Article Expecto Pixtronum! Google’s going to Hogwarts for upcoming Pixel themes Expecto Pixtronum! Google’s going to Hogwarts for upcoming Pixel themes
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Latest News

the United States knocks out hundreds of sites
the United States knocks out hundreds of sites
Computing
How AI influences IT purchasing decisions
How AI influences IT purchasing decisions
News
North American premiere: CO2 certificates from direct air capture for Microsoft
North American premiere: CO2 certificates from direct air capture for Microsoft
Software
I explain how to do it, how to activate your privacy key and the obstacle I found
I explain how to do it, how to activate your privacy key and the obstacle I found
Gaming
Lost your password?