Critical Cisco IMC Flaws Enable Authentication Bypass and Root Compromise
Cisco disclosed multiple vulnerabilities in its Integrated Management Controller (IMC), including the critical CVE-2026-20093, which allows a remote, unauthenticated attacker to send a crafted HTTP request to bypass authentication and change passwords for existing users, including the primary Admin account. Cisco rated the flaw CVSS 9.8 and said no workarounds or mitigations are available, making vendor-issued software updates the only effective fix; the company added that it has no evidence of active exploitation or public malicious use.
Additional advisories cover CVE-2026-20094 through CVE-2026-20097, spanning command injection and arbitrary code execution issues that could let attackers execute commands or code as root and fully compromise affected systems. Impacted products include Cisco UCS C-Series and S-Series servers, UCS E-Series systems, Catalyst 8300 Series Edge uCPE, 5000 Series ENCS, and other Cisco appliances built on vulnerable UCS platforms, with Cisco publishing fixed-version guidance and upgrade paths while runZero released an inventory query to help organizations identify exposed IMC assets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Cisco patches critical SSM On-Prem and high-severity EPNM vulnerabilities
Cisco released fixes for additional vulnerabilities beyond IMC, including critical CVE-2026-20160 in Smart Software Manager On-Prem that could allow remote command execution as root, plus high-severity flaws affecting SSM On-Prem and Evolved Programmable Network Manager. Cisco PSIRT said it was not aware of active exploitation or public proof-of-concept code for these issues at disclosure time.
runZero publishes asset discovery guidance for affected Cisco IMC systems
runZero published analysis of the Cisco IMC advisories along with a software inventory query to help organizations identify potentially vulnerable Cisco IMC assets. The guidance covered affected Cisco UCS servers, NFVIS releases, and appliances built on vulnerable UCS platforms.
Cisco says it has no evidence of active exploitation
In its disclosure, Cisco stated it had no evidence that the IMC vulnerabilities were being actively exploited or used maliciously in public at the time of publication. This applied to the newly disclosed flaws, including the critical password-change bypass issue.
Cisco releases software updates for CVE-2026-20093 and related IMC flaws
Cisco released fixed software and version guidance to address the IMC vulnerabilities, including the critical CVE-2026-20093 authentication bypass rated CVSS 9.8. Cisco said no workarounds or mitigations were available and that vendor-provided updates were the only effective remediation.
Cisco discloses multiple Cisco IMC vulnerabilities
Cisco disclosed two security advisories for five vulnerabilities in its Integrated Management Controller (IMC): CVE-2026-20093, CVE-2026-20094, CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097. The issues included an unauthenticated password-change authentication bypass, command injection flaws, and an arbitrary code execution vulnerability affecting various UCS-based platforms and appliances.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Cisco Patches Two Critical and Six High-Severity Vulnerabilities - TheCyberThrone
thecyberthrone.in
Open sourceWarning: Critical Authentication Bypass Vulnerability in Cisco Integrated Management Controller, Patch Immediately! | CCB Belgium
ccb.belgium.be
Open sourceCisco IMC auth bypass vulnerability allows attackers to alter user passwords (CVE-2026-20093) - Help Net Security
helpnetsecurity.com
Open sourceLatest Cisco IMC vulnerabilities: How to find impacted assets
runzero.com
Open sourceCritical Cisco IMC Vulnerability Let Attackers Bypass Authentication
cybersecuritynews.com
Open sourceCVE-2026-20093: CVE-2026-20093: Authentication Bypass in Cisco IMC Management Interface | CVEReports
cvereports.com
Open sourceCisco Integrated Management Controller Authentication Bypass Vulnerability
sec.cloudapps.cisco.com
Open sourceCisco Security Advisory: Cisco Integrated Management Controller Authentication Bypass Vulnerability - Infosec.Pub
infosec.pub
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco Integrated Management Controller Flaws Enable Command Injection and RCE
Cisco disclosed command injection and remote code execution vulnerabilities affecting **Cisco Integrated Management Controller (CIMC)**, warning that the flaws could allow an attacker to execute arbitrary commands or code on impacted systems. The advisory identifies the issue as affecting CIMC and frames it as a serious compromise path into server management infrastructure, where successful exploitation could give an attacker control over administrative functions and underlying devices. The vulnerabilities were published in a Cisco security advisory under the topic **"Cisco Integrated Management Controller Command Injection and Remote Code Execution Vulnerabilities."** Organizations using Cisco CIMC are expected to review the vendor advisory, determine whether exposed or internet-reachable management interfaces are affected, and apply Cisco-provided fixes or mitigations to reduce the risk of unauthorized command execution on management controllers.
Apr 3, 2026
Cisco ISE Flaws Enable Authenticated Remote Code Execution and Root Escalation
Cisco disclosed two high-severity vulnerabilities in **Cisco Identity Services Engine (ISE)**, tracked as `CVE-2026-20180` and `CVE-2026-20186`, that allow an authenticated attacker to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Both issues require at least **Read Only Admin** credentials and stem from insufficient validation of user-supplied input; Cisco mapped the flaws to **`CWE-22`** and **`CWE-77`** respectively. Cisco assigned both vulnerabilities the same **CVSS v3.1** score vector: `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. Successful exploitation can provide user-level operating system access and may allow attackers to escalate privileges to **root**. Cisco warned that in **single-node ISE deployments**, exploitation could also make the affected node unavailable, creating a denial-of-service condition that prevents unauthenticated endpoints from accessing the network until the system is restored.
Apr 16, 2026
Cisco patches max-severity Secure Firewall Management Center flaws enabling unauthenticated root access
Cisco released security updates for two **maximum-severity** vulnerabilities in *Cisco Secure Firewall Management Center (FMC)* that can be exploited remotely by **unauthenticated** attackers via crafted HTTP requests to the web-based management interface. The issues include an **authentication bypass** (**CVE-2026-20079**) that can lead to **root access** on the underlying operating system and a **remote code execution** flaw (**CVE-2026-20131**) that allows execution of arbitrary Java code as root on unpatched systems. The Canadian Centre for Cyber Security highlighted Cisco’s advisories and urged administrators to review Cisco guidance and apply updates, noting impact to **Cisco Security Cloud Control (SCC) Firewall Management** and **Cisco Secure FMC** across versions. Cisco stated its PSIRT had **no evidence of active exploitation** and no public PoC at the time of publication, while also issuing fixes for additional vulnerabilities (including multiple high-severity issues) across Cisco firewall management and firewall platforms.
Mar 26, 2026