Cisco released urgent patches for a critical Integrated Management Controller (IMC) authentication bypass (CVE-2026-20093) and a Smart Software Manager On-Prem (SSM On-Prem) remote command execution flaw (CVE-2026-20160). Customers should update to the fixed versions immediately because both flaws carry CVSS scores of 9.8 and no workaround is available. #CVE-2026-20093 #CVE-2026-20160
Keypoints
- Cisco patched a critical IMC vulnerability (CVE-2026-20093) that allows unauthenticated attackers to bypass authentication and change any user's password.
- A separate critical flaw in Smart Software Manager On-Prem (CVE-2026-20160) could let unauthenticated attackers execute arbitrary OS commands as root.
- Both vulnerabilities have CVSS scores of 9.8; the IMC issue was reported by researcher "jyh" and the SSM On-Prem flaw was discovered internally during a TAC case.
- Affected products include 5000 Series ENCS (fixed in 4.15.5), Catalyst 8300 Series (fixed in 4.18.3), UCS C-Series M5/M6 standalone and UCS E-Series M3/M6 with the listed firmware fixes, and SSM On-Prem fixed in 9-202601.
- No public exploitation has been observed, but customers are advised to apply the provided patches immediately since previous Cisco flaws have been weaponized and no workaround exists.
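Because no workaround exists, the only practical action is to confirm which installed releases are below the first fixed release for each product line. The script below is an added example, not code from Cisco or from the article, that turns the fixed versions listed above into an inventory check. It assumes that every release older than the listed fix is affected (the usual reading of a "fixed in X" line), that Cisco version strings order correctly by their numeric fields (so the dash-joined SSM On-Prem format 9-202601 is handled the same way as dotted firmware versions), and it deliberately omits the UCS C-Series and E-Series entries because the page does not enumerate their firmware fix versions. The sample inventory is constructed. One caveat: Cisco publishes first-fixed releases per release train, so a version on a different train (for example a higher major/minor that predates the fix) can still be affected; treat the advisory's fixed-release table as authoritative, not this comparison alone.

```python
import re

# Fixed versions as reported in the summary above. UCS C-Series / E-Series
# firmware fixes are not enumerated on the page and are left out rather
# than guessed.
FIXED_VERSIONS = {
    "ENCS 5000 Series (CVE-2026-20093)": "4.15.5",
    "Catalyst 8300 Series (CVE-2026-20093)": "4.18.3",
    "SSM On-Prem (CVE-2026-20160)": "9-202601",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Split a Cisco-style version string into a tuple of integers.

    Takes every run of digits in order, so dotted (4.15.5) and dash-joined
    (9-202601) forms are handled alike. Assumption: numeric fields are all
    that matters for ordering within one product line.
    """
    fields = tuple(int(x) for x in re.findall(r"\d+", v))
    if not fields:
        raise ValueError(f"no numeric fields in version {v!r}")
    return fields


def is_vulnerable(installed: str, fixed: str) -> bool:
    """Return True when `installed` is older than the first fixed release.

    Assumption: every release before the fixed one is affected. Tuples of
    different length are zero-padded (4.15 compares as 4.15.0), and the
    comparison is numeric, so 4.18.10 correctly sorts after 4.18.3 where a
    plain string comparison would not.
    """
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map each inventoried product (keyed like FIXED_VERSIONS) to whether
    it still needs the patch. Unknown products raise KeyError so they are
    not silently reported as fixed."""
    return {
        product: is_vulnerable(installed, FIXED_VERSIONS[product])
        for product, installed in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = {
        "ENCS 5000 Series (CVE-2026-20093)": "4.15.2",
        "Catalyst 8300 Series (CVE-2026-20093)": "4.18.3",
        "SSM On-Prem (CVE-2026-20160)": "9-202512",
    }
    for product, needs_patch in triage(sample).items():
        print(f"{product}: {'PATCH NOW' if needs_patch else 'at or above fix'}")
```

Feed it the versions from your IMC or SSM On-Prem inventory export; anything reported as needing the patch should be scheduled immediately, and anything reported as at or above the fix should still be cross-checked against the advisory's per-train fixed-release table.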
Read More: https://thehackernews.com/2026/04/cisco-patches-98-cvss-imc-and-ssm-flaws.html