Cisco has released security updates to address several critical and high-severity vulnerabilities. Among them is a critical authentication bypass in Cisco Integrated Management Controller (IMC) that could let a remote attacker gain administrator-level access to the management controller.
Cisco IMC, also known as CIMC, is the baseboard management controller embedded on the motherboard of Cisco UCS servers. It provides out-of-band management of UCS C-Series and E-Series servers through several interfaces, including the XML API, the web interface (WebUI) and the command-line interface (CLI), and remains reachable even when the host operating system is powered off or has failed.
The vulnerability, tracked as CVE-2026-20093, lies in the password change functionality of Cisco IMC. According to Cisco, it stems from improper handling of password change requests: a remote, unauthenticated attacker could send a crafted HTTP request to an unpatched system and change the password of any user, including an admin user, and then log in as that user. Because no valid credentials are needed to trigger the password change, the flaw amounts to a full authentication bypass yielding admin privileges.
Cisco said it has not identified any evidence of in-the-wild exploitation, but it strongly advised customers to upgrade to the fixed software as soon as possible. Cisco also noted that there are no workarounds that mitigate the flaw, so upgrading the IMC firmware is the only remediation.
In addition, Cisco released updates this week for another critical vulnerability, tracked as CVE-2026-20160, in Smart Software Manager On-Prem (SSM On-Prem). An unprivileged attacker could send a crafted request to the exposed service API and execute commands on the underlying operating system with root privileges.
Cisco had also previously patched CVE-2026-20131, a maximum-severity remote code execution vulnerability in Secure Firewall Management Center (FMC).