Cisco Patches Dual 9.8 CVSS Flaws in IMC and SSM On-Prem
CVE-2026-20093 and CVE-2026-20160 let unauthenticated attackers take full control of Cisco UCS servers and licensing infrastructure. No workarounds exist.
Cisco released patches for two critical vulnerabilities this week that both score 9.8 on the CVSS scale and require no authentication to exploit. CVE-2026-20093 targets the Integrated Management Controller (IMC) while CVE-2026-20160 affects Smart Software Manager On-Prem. Together they expose a wide swath of Cisco's enterprise infrastructure lineup.
Neither flaw has been exploited in the wild yet, but both are trivial to weaponize. No workarounds exist—patching is the only mitigation.
The IMC Authentication Bypass (CVE-2026-20093)
The vulnerability in Cisco's Integrated Management Controller stems from improper handling of password change requests. An attacker can send a crafted HTTP request to the IMC web interface and alter the password of any user account—including administrator accounts—without knowing the current credentials.
Security researcher "jyh" reported the flaw to Cisco. The attack has low complexity and requires no user interaction, making it a prime candidate for automated exploitation once proof-of-concept code surfaces.
The impact goes beyond data theft. IMC provides out-of-band management for Cisco's server hardware, operating below the hypervisor and operating system layers. An attacker who compromises IMC gains the ability to power cycle servers, modify BIOS settings, mount virtual media, and access the server console. Traditional endpoint security tools running inside the OS cannot detect activity at this level.
Affected Systems
The following products require immediate patching:
- UCS C-Series M5/M6 Rack Servers (standalone mode)
- 5000 Series Enterprise Network Compute Systems (ENCS)
- Catalyst 8300 Series Edge uCPE
- UCS E-Series Servers M3 and M6
Appliances built on preconfigured UCS C-Series hardware are also affected if they expose access to the Cisco IMC user interface. This includes APIC servers, Cyber Vision Center Appliances, and Secure Firewall Management Center appliances—the same type of management interface we saw targeted in the FortiClient EMS zero-day last week.
SSM On-Prem Root Command Execution (CVE-2026-20160)
Smart Software Manager On-Prem handles software licensing for air-gapped and regulated environments where cloud connectivity isn't permitted. CVE-2026-20160 exists because an internal service within the application is unintentionally exposed to external network requests.
An attacker can craft a request to the API of this exposed service and execute arbitrary commands on the underlying operating system with root privileges. Cisco's internal TAC team discovered the vulnerability during support case resolution—not exactly the scenario you want for finding critical bugs.
Organizations running SSM On-Prem should understand what's at stake. The licensing server holds credentials and configuration details for potentially every Cisco device in the environment. Compromising it gives attackers a map of the network and credentials to pivot further.
Patched Versions
Cisco has released the following fixed firmware versions:
For CVE-2026-20093 (IMC):
- UCS C-Series: 4.3(2.260007), 4.3(6.260017), 6.0(1.250174)
- 5000 Series ENCS: 4.15.5
- Catalyst 8300 Edge uCPE: 4.18.3
- UCS E-Series M3: 3.2.17
- UCS E-Series M6: 4.15.3
For CVE-2026-20160 (SSM On-Prem):
- Version 9-202601
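As an added example (not Cisco's tooling or anything from the advisory), here is a small fleet-audit helper that compares a device's running firmware string against the fixed releases listed above. It assumes an IMC build is only comparable within its own release train (a 4.3(2.x) build against 4.3(2.260007), and so on) and that the dotted ENCS, uCPE and E-Series versions compare the same way within a feature train; any train not listed is reported as unknown rather than guessed, and the inventory entries are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# First fixed releases as listed above for CVE-2026-20093.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "UCS C-Series": ["4.3(2.260007)", "4.3(6.260017)", "6.0(1.250174)"],
    "5000 Series ENCS": ["4.15.5"],
    "Catalyst 8300 Edge uCPE": ["4.18.3"],
    "UCS E-Series M3": ["3.2.17"],
    "UCS E-Series M6": ["4.15.3"],
}

_IMC_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\.(\d+)\)$")  # e.g. 4.3(2.260007)
_DOTTED_RE = re.compile(r"^\d+(\.\d+)*$")                 # e.g. 4.15.5

def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Split a version into (train, build) so comparison stays train-aware.
    IMC style 'A.B(C.D)' -> train (A, B, C), build (D,)
    Dotted style 'A.B.C'  -> train (A, B),    build (C,)   (assumption)."""
    v = v.strip()
    m = _IMC_RE.match(v)
    if m:
        a, b, c, d = (int(x) for x in m.groups())
        return (a, b, c), (d,)
    if _DOTTED_RE.match(v):
        parts = tuple(int(x) for x in v.split("."))
        return parts[:-1], parts[-1:]
    raise ValueError(f"unrecognised version string: {v!r}")

def assess(product: str, running: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one device.
    'unknown' covers products and trains the list above does not name,
    including newer trains, so those still need a look at the advisory."""
    if product not in FIXED_VERSIONS:
        return "unknown"
    train, build = parse_version(running)
    for fixed in FIXED_VERSIONS[product]:
        f_train, f_build = parse_version(fixed)
        if f_train == train:
            return "patched" if build >= f_build else "vulnerable"
    return "unknown"

def audit(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """inventory rows are (hostname, product, running_version)."""
    return {host: assess(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    sample = [("imc-rack-01", "UCS C-Series", "4.3(2.250012)"),   # constructed
              ("imc-rack-02", "UCS C-Series", "6.0(1.250174)"),
              ("encs-branch-07", "5000 Series ENCS", "4.15.2")]
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```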
Why This Matters
Cisco infrastructure vulnerabilities follow a predictable exploitation timeline. The ISE XXE vulnerability we covered last month saw working exploits emerge within days of the advisory. These IMC and SSM flaws are less complex to exploit—a single HTTP request versus the multi-step XXE attack chain.
Network management interfaces are increasingly attractive targets because they provide lateral movement opportunities that bypass traditional security controls. CISA's Binding Operational Directive 26-02 specifically calls out management interfaces on network appliances as a critical attack surface requiring aggressive patch timelines.
Frequently Asked Questions
Are my servers affected if they're managed through UCS Manager in clustered mode? No. These vulnerabilities only affect standalone IMC deployments. UCS servers managed through UCS Manager Central or Intersight are not vulnerable to CVE-2026-20093.
Can I block exploitation with a firewall rule? Restricting network access to IMC and SSM On-Prem interfaces reduces exposure, but this is not a substitute for patching. Many organizations legitimately need remote access to these interfaces, and attackers on internal networks can still exploit the flaws.