Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Unauthenticated RCE in Cisco Smart Software Manager On-Prem

IdentifiersCVE-2026-20160CWE-306

CVE-2026-20160 is a critical vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) caused by the unintentional exposure of an internal service. The exposed service's API can be reached remotely, and an unauthenticated attacker can send a crafted request to that API to execute arbitrary commands on the underlying operating system of the SSM On-Prem host. Successful exploitation results in command execution with root-level privileges. Reported affected versions are SSM On-Prem releases 9-202502 through 9-202510; releases earlier than 9-202502 are reported as not affected. Cisco fixed the issue in version 9-202601.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to execute arbitrary operating system commands as root on the affected SSM On-Prem host. This can result in full compromise of the appliance, including complete administrative control of the underlying OS, installation of malware or persistence mechanisms, access to locally stored application data and credentials, service disruption, and use of the host as a pivot point for further activity within the private network.

Mitigation

If you can’t patch tonight, do this now.

No workaround or temporary mitigation is available according to Cisco. Until patched, exposure reduction is limited to defensive measures such as restricting network access to the SSM On-Prem host and any exposed management or service interfaces to only trusted administrative networks, preventing untrusted hosts from reaching the vulnerable API, and monitoring for suspicious requests targeting the appliance. These measures do not remediate the flaw; upgrading is required.

Remediation

Patch, then assume compromise.

Upgrade Cisco Smart Software Manager On-Prem to version 9-202601 or later. Cisco indicates that version 9-202601 contains the fix for CVE-2026-20160. Organizations should identify all SSM On-Prem deployments running vulnerable releases 9-202502 through 9-202510 and prioritize emergency patching due to the unauthenticated root-level remote code execution impact. Validate platform memory and hardware requirements before performing the upgrade, per Cisco guidance.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

33 SOURCESView more in app
nuclei templates pull requestsNews
Apr 17, 2026
[Bounty] Add 5 Nuclei templates for April 2026 CVEs (Batch 10) by eyangfeng88-arch · Pull Request #15961 · projectdiscovery/nuclei-templates · GitHub

An unauthenticated remote code execution vulnerability affecting Cisco SSM On-Prem.

Read more
runzero blogNews
Apr 3, 2026
Cisco SSM On-Prem vulnerabilities: Find impacted assets

A critical remote command execution vulnerability in Cisco Smart Software Manager On-Prem caused by unintended exposure of an internal service, allowing an unauthenticated attacker to gain root-level privileges.

Read more
cyberthroneNews
Apr 3, 2026
Cisco Patches Two Critical and Six High-Severity Vulnerabilities - TheCyberThrone

A critical remote code execution vulnerability in Cisco Smart Software Manager On-Prem caused by exposure of an internal service, allowing arbitrary command execution as root via crafted API requests.

Read more
security affairsNews
Apr 2, 2026
Cisco fixed critical and high-severity flaws

A critical remote command execution vulnerability in Cisco SSM On-Prem that allows unauthenticated attackers to execute commands on the host operating system with root privileges via a crafted API request.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity27

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-20160
NVD
nvd.nist.gov/vuln/detail/CVE-2026-20160
MITRE CWE · CWE-306
cwe.mitre.org
sec.cloudapps.cisco.com
sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr