CVE-2026-20093
CVE-2026-20160
April 6, 2026

Cisco IMC, SSM: Critical Unauthenticated RCE Bugs Patched

Security Advisory
Kudelski Security Team

Summary

Cisco has disclosed two critical vulnerabilities, CVE-2026-20093 and CVE-2026-20160, each carrying a CVSS v3.1 score of 9.8 (Critical severity). These flaws affect distinct components of Cisco's infrastructure management and software licensing ecosystem, and both could enable unauthenticated, remote attackers to achieve complete system compromise. While no exploitation of these vulnerabilities has been observed in the wild, properly disclosed vulnerabilities affecting Cisco products have been weaponized and exploited by threat actors in recent memory.

  • CVE-2026-20093: Authentication bypass in Cisco Integrated Management Controller (IMC) allowing administrative access via improper handling of password change operations.
  • CVE-2026-20160: Remote code execution in Cisco Smart Software Manager On-Prem (SSM On-Prem) through unintentional exposure of an internal service, enabling arbitrary OS command execution with root privileges.

Affected Systems and/or Applications

1. CVE-2026-20093 (IMC Authentication Bypass)

Affected regardless of configuration:

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IMC, regardless of device configuration:

  • 5000 Series Enterprise Network Compute Systems (ENCS)
  • Catalyst 8300 Series Edge uCPE
  • UCS C-Series M5 and M6 Rack Servers in standalone mode
  • UCS E-Series Servers M3
  • UCS E-Series Servers M6

See the Fixed Software section in Cisco's advisory for complete versioning details.

Affected if IMC UI is exposed:

Cisco appliances that are based on a preconfigured version of one of the Cisco UCS C-Series Servers in the preceding list are also affected by this vulnerability if they expose access to the Cisco IMC UI. This includes the following Cisco products:

  • Application Policy Infrastructure Controller (APIC) Servers
  • Business Edition 6000 and 7000 Appliances
  • Catalyst Center Appliances
  • Cisco Telemetry Broker Appliances
  • Cloud Services Platform (CSP) 5000 Series
  • Common Services Platform Collector (CSPC) Appliances
  • Connected Mobile Experiences (CMX) Appliances
  • Connected Safety and Security UCS Platform Series Servers
  • Cyber Vision Center Appliances
  • Expressway Series Appliances
  • HyperFlex Edge Nodes
  • HyperFlex Nodes in HyperFlex Datacenter without Fabric Interconnect (DC-No-FI) deployment mode
  • IEC6400 Edge Compute Appliances
  • IOS XRv 9000 Appliances
  • Meeting Server 1000 Appliances
  • Nexus Dashboard Appliances
  • Prime Infrastructure Appliances
  • Prime Network Registrar Jumpstart Appliances
  • Secure Endpoint Private Cloud Appliances
  • Secure Firewall Management Center Appliances
  • Secure Malware Analytics Appliances
  • Secure Network Analytics Appliances
  • Secure Network Server Appliances
  • Secure Workload Servers

See the Fixed Software section in Cisco's advisory for complete versioning details.

Unaffected:

Cisco has determined that this vulnerability does not affect the following Cisco products:

  • 5000 Series Enterprise Network Compute Systems (ENCS)
  • Catalyst 8300 Series Edge uCPE
  • UCS C-Series M5 and M6 Rack Servers in standalone mode
  • UCS E-Series Servers M3
  • UCS E-Series Servers M6

2. CVE-2026-20160 (SSM On-Prem RCE)

Affected regardless of configuration:

  • Cisco Smart Software Manager On-Prem (SSM On-Prem) deployments

  Cisco SSM On-Prem Release    First Fixed Release
  Earlier than 9-202502        Not vulnerable
  9-202502 to 9-202510         9-202601
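As an added example (not Cisco's or Kudelski's code), the fixed-release table above turned into a version check that an asset-inventory script could run. The hostnames and release strings are constructed, and the handling of releases that fall after 9-202510 but before 9-202601, which the table does not list, is this example's own conservative choice rather than a statement from the advisory.

```python
"""Classify Cisco SSM On-Prem release strings against the CVE-2026-20160
fixed-release table in the advisory.  Added example, not Cisco tooling.

Table as published:
    Earlier than 9-202502    Not vulnerable
    9-202502 to 9-202510     first fixed release 9-202601
"""
import re

# Boundaries copied from the advisory table; compared as (major, yyyymm) tuples.
VULN_FIRST = (9, 202502)
VULN_LAST = (9, 202510)
FIRST_FIXED = (9, 202601)

_RELEASE_RE = re.compile(r"^\s*(\d+)-(\d{4})(\d{2})\s*$")


def parse_release(text: str) -> tuple[int, int]:
    """Turn a release such as '9-202502' into a comparable (major, yyyymm) tuple.

    Raises ValueError for anything not in the <major>-<yyyymm> form, so a
    typo in the inventory cannot silently sort as 'not vulnerable'.
    """
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SSM On-Prem release: {text!r}")
    major, year, month = (int(g) for g in m.groups())
    if not 1 <= month <= 12:
        raise ValueError(f"invalid month in release: {text!r}")
    return (major, year * 100 + month)


def assess(text: str) -> str:
    """Return one of: 'not vulnerable', 'vulnerable', 'fixed', 'unknown'."""
    release = parse_release(text)
    if release < VULN_FIRST:
        return "not vulnerable"
    if release <= VULN_LAST:
        return "vulnerable"
    if release >= FIRST_FIXED:
        return "fixed"
    # Releases after 9-202510 but before 9-202601 are not listed in the
    # advisory table; treat them as unverified rather than as safe.
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> status; a malformed release becomes 'invalid' instead of aborting the run."""
    result = {}
    for host, release in inventory.items():
        try:
            result[host] = assess(release)
        except ValueError:
            result[host] = "invalid"
    return result


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "ssm-lab-01": "9-202412",
        "ssm-prod-01": "9-202502",
        "ssm-prod-02": "9-202510",
        "ssm-prod-03": "9-202601",
        "ssm-stage-01": "9-202512",
        "ssm-old-01": "9.2025",
    }
    for host, status in triage(sample).items():
        action = "upgrade to 9-202601 or later" if status in ("vulnerable", "unknown") else "check / no action"
        print(f"{host:14} {sample[host]:10} {status:15} {action}")
```

Releases are compared as tuples so that a future major version sorts correctly, and a release string the parser does not recognise is surfaced as "invalid" rather than dropped, which is the failure mode that usually hides an unpatched host in inventory sweeps.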

Unaffected:

  • Smart Licensing Utility
  • Smart Software Manager satellite

Technical Details

1. CVE-2026-20093 (IMC Authentication Bypass)

This vulnerability exists in the change-password functionality of Cisco IMC and is caused by incorrect handling of password changes during the authentication flow. An unauthenticated, remote attacker can exploit it by sending specially crafted HTTP requests to the vulnerable change-password endpoint. Successful exploitation grants administrative-level access to the IMC interface, providing control over:

  • Out-of-band server management capabilities
  • Virtual KVM (Keyboard, Video, Mouse) access
  • Virtual media mounting
  • BIOS configuration modifications
  • Power cycling operations
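An authentication bypass of this shape leaves one recognisable trace: a password-change request from a source that never completed a login. The detection sketch below is an added example and not Cisco code; the advisory does not give the IMC log format or the endpoint path, so the Common Log Format input, the CHANGE_PASSWORD_PATH and LOGIN_PATH placeholders, the management subnet, and the sample log lines are all assumptions constructed for illustration.

```python
"""Flag Cisco IMC password-change requests that lack an authenticated session,
the access pattern an exploitation attempt against CVE-2026-20093 would leave.

Added example, not Cisco code.  Assumptions that are NOT from the advisory:
  * IMC web access logs reach a collector in Common Log Format;
  * CHANGE_PASSWORD_PATH and LOGIN_PATH are placeholders, not the real endpoints;
  * a 200 response to LOGIN_PATH marks a successful login for that source IP.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Optional

CHANGE_PASSWORD_PATH = "/PLACEHOLDER/change_password"  # placeholder path
LOGIN_PATH = "/PLACEHOLDER/login"                      # placeholder path
MGMT_NET = ipaddress.ip_network("10.200.0.0/24")        # constructed management VLAN
LOGIN_WINDOW = timedelta(minutes=30)                    # how recent a login must be

# Common Log Format: src ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: an operator logs in and changes a password,
# an outside host hits the endpoint cold, an inside host hits it with no login.
SAMPLE_LOG = """\
10.200.0.15 - - [06/Apr/2026:09:01:10 +0000] "POST /PLACEHOLDER/login HTTP/1.1" 200 512
10.200.0.15 - - [06/Apr/2026:09:02:30 +0000] "POST /PLACEHOLDER/change_password HTTP/1.1" 200 88
198.51.100.7 - - [06/Apr/2026:09:05:02 +0000] "POST /PLACEHOLDER/change_password HTTP/1.1" 200 88
10.200.0.42 - - [06/Apr/2026:09:06:44 +0000] "POST /PLACEHOLDER/change_password HTTP/1.1" 200 88
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_suspicious(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (src, timestamp, reasons) for each password-change request that
    came from outside MGMT_NET or had no successful login from the same source
    within LOGIN_WINDOW.  Lines are assumed to be in time order."""
    last_login: dict[str, datetime] = {}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src"]
        if rec["path"] == LOGIN_PATH and rec["status"] == 200:
            last_login[src] = rec["ts"]
            continue
        if rec["path"] != CHANGE_PASSWORD_PATH:
            continue
        reasons = []
        if ipaddress.ip_address(src) not in MGMT_NET:
            reasons.append("source outside management VLAN")
        login_ts = last_login.get(src)
        if login_ts is None or rec["ts"] - login_ts > LOGIN_WINDOW:
            reasons.append("no recent successful login from this source")
        if reasons:
            findings.append((src, rec["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for src, ts, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {src}: {'; '.join(reasons)}")
```

On the constructed sample this reports the outside host (two reasons) and the inside host that never logged in (one reason), while the operator's own change after a login is left alone. The "source outside management VLAN" condition is the one that should never fire at all once the isolation described in the Mitigation section is in place; the session-correlation condition is the one that still has value on the management VLAN itself.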

2. CVE-2026-20160 (SSM On-Prem RCE)

This vulnerability stems from an unintentional exposure of an internal service within the SSM On-Prem architecture. An unauthenticated, remote attacker can exploit this flaw to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. Successful exploitation provides:

  • Complete OS-level access to the SSM On-Prem host
  • Ability to manipulate software licensing databases and entitlement records
  • Potential lateral movement into connected network infrastructure
  • Persistent backdoor establishment within the management plane

Mitigation

  • Cisco has released firmware and software updates addressing both vulnerabilities. Upgrade to the fixed versions immediately, following organizational change control procedures.
  • Isolate IMC management interfaces on dedicated management VLANs with strict firewall rules.
  • Restrict SSM On-Prem access to authorized administrative hosts only; consider disabling external-facing access entirely.

What the Cyber Fusion Center is doing

The CFC is monitoring the situation and this advisory will be updated if required. Clients subscribed to vulnerability scanning services will receive relevant findings if critical vulnerabilities are detected within scan scope once an appropriate plugin is released by the scanning provider.
