Cisco IMC auth bypass grants attackers admin access

Summary
– Cisco has patched a critical IMC authentication bypass flaw (CVE-2026-20093) that lets unauthenticated attackers gain Admin access.
– The company also fixed a critical SSM On-Prem bug (CVE-2026-20160) allowing unprivileged attackers to achieve remote code execution.
– Cisco recently addressed a maximum-severity FMC RCE flaw (CVE-2026-20131) that was exploited as a zero-day by ransomware actors.
– The company strongly advises immediate patching for the IMC flaw, as there are no available workarounds to mitigate it.
– Cisco’s internal development environment was recently breached using credentials stolen in a third-party supply chain attack.

Cisco has issued urgent security updates to address multiple high-priority vulnerabilities, including a critical authentication bypass flaw in its Integrated Management Controller (IMC). This security flaw, identified as CVE-2026-20093, enables unauthenticated remote attackers to gain administrative control over affected systems. The IMC is a dedicated hardware module for out-of-band management on UCS C-Series and E-Series servers, functioning independently of the main operating system.
The vulnerability resides within the IMC’s password change feature. According to Cisco, the issue stems from improper handling of password change requests. By sending a specifically crafted HTTP request to a vulnerable device, an attacker can circumvent authentication entirely. This exploit allows the threat actor to modify the password of any user account, including administrative ones, and subsequently log in with those elevated privileges. The company has strongly advised customers to apply the available patches immediately, as no viable workarounds exist to mitigate the risk.
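As an added illustration, not Cisco's IMC code and not a reproduction of the actual flaw, the constructed Python handlers below contrast the bug class described above (a password-change endpoint that acts on whatever account the request names, without checking who is asking) with a hardened version that requires a valid session, proof of the current password for self-service changes, and an admin role for resetting other accounts. The in-memory user store, session tokens and numeric status codes are assumptions made for the example.

```python
"""Constructed example: unauthenticated password change vs. a checked one."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Store:
    users: dict = field(default_factory=dict)     # name -> (salt, hash, role)
    sessions: dict = field(default_factory=dict)  # token -> username

    def add_user(self, name: str, pw: str, role: str = "user") -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, _hash(pw, salt), role)

    def verify(self, name: str, pw: str) -> bool:
        rec = self.users.get(name)
        return rec is not None and hmac.compare_digest(_hash(pw, rec[0]), rec[1])


def change_password_vulnerable(store: Store, request: dict) -> int:
    """Weak pattern: trusts 'user' from the body, never checks a session and
    never asks for the current password, so any client can reset any account."""
    target = request["user"]
    if target not in store.users:
        return 404
    store.add_user(target, request["new_password"], store.users[target][2])
    return 200


def change_password_hardened(store: Store, request: dict, session_token=None) -> int:
    """Hardened: caller must hold a valid session; changing your own password
    requires the current one; only admins may reset other accounts."""
    caller = store.sessions.get(session_token)
    if caller is None:
        return 401                       # no authenticated session at all
    target = request["user"]
    if target not in store.users:
        return 404
    if caller == target:
        if not store.verify(caller, request.get("current_password", "")):
            return 403                   # self-service change needs proof
    elif store.users[caller][2] != "admin":
        return 403                       # non-admin touching another account
    store.add_user(target, request["new_password"], store.users[target][2])
    return 200
```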
While Cisco’s security team has not observed active exploitation or public proof-of-concept code for this IMC flaw, the potential impact warrants swift action. The authentication bypass could provide a direct path for complete system compromise. This advisory is part of a broader set of patches released this week.
Among the other addressed issues is a critical vulnerability in Cisco’s Smart Software Manager On-Prem (SSM On-Prem), tracked as CVE-2026-20160. This flaw could allow an unprivileged attacker to achieve remote code execution (RCE) on the host system by sending a malicious request to the application’s API. Successful exploitation grants the attacker root-level command execution on the underlying operating system.
This recent update cycle follows the patching of another maximum-severity flaw earlier this month. Cisco fixed CVE-2026-20131, an RCE vulnerability in its Secure Firewall Management Center (FMC) that was exploited as a zero-day by the Interlock ransomware gang. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added that vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch their systems within a three-day window.
The context for these security updates includes a reported breach of Cisco’s internal development environment. Credentials stolen during the recent Trivy supply chain attack were allegedly used in that incident, highlighting the persistent and evolving threats facing network infrastructure providers.
(Source: BleepingComputer)