Cisco dropped fixes this week for three vulnerabilities across its Integrated Management Controller (IMC) and Smart Software Manager On-Prem (SSM On-Prem), two of which carry a CVSS score of 9.8. Neither has been exploited in the wild yet, but both are trivially exploitable over the network with zero authentication required. There are no workarounds for any of them. If you run UCS servers or SSM On-Prem, stop reading and go patch.

CVE-2026-20093: IMC Authentication Bypass (CVSS 9.8)

The most severe flaw is an authentication bypass in the Cisco Integrated Management Controller — the out-of-band management interface embedded in UCS servers. The bug stems from incorrect handling of password change requests. An unauthenticated attacker can send a crafted HTTP request to the IMC web interface and alter the password of any user on the system, including the administrator account, gaining full control of the management plane.

This is not subtle. An attacker with network access to the IMC interface can take over the baseboard management controller without knowing a single credential. From there, they own the hardware — OS-level security controls, EDR agents, and SIEM integrations become irrelevant when an attacker has firmware-level access to the machine.

Affected Products

  • Cisco 5000 Series ENCS — fixed in firmware 4.15.5
  • UCS C-Series M5 and M6 Rack Servers (standalone mode) — fixed in 4.3(2.260007), 4.3(6.260017), and 6.0(1.250174)
  • UCS C-Series M7 and M8 Rack Servers — not affected

Because many Cisco appliances are built on preconfigured UCS C-Series hardware, the blast radius extends well beyond standalone servers. Affected appliances include APIC servers, Cyber Vision Center appliances, Secure Firewall Management Center, and Malware Analytics appliances — any device that exposes the IMC web interface is vulnerable.

CVE-2026-20094: IMC Command Injection (CVSS 8.8)

Disclosed alongside the auth bypass, CVE-2026-20094 is a command injection flaw in the same IMC web-based management interface. This one requires authentication, but only read-only privileges. An attacker with the lowest tier of access can inject arbitrary commands and execute them as root on the underlying OS.

Chained with CVE-2026-20093, the attack path is straightforward: bypass authentication to create an admin account, then use even a read-only session to escalate to root-level command execution on the BMC. Two bugs, full compromise.

The affected products and fixed versions overlap with CVE-2026-20093.

CVE-2026-20160: SSM On-Prem Unauthenticated Root RCE (CVSS 9.8)

Separately, Cisco patched a critical flaw in Smart Software Manager On-Prem. An internal system service was accidentally left exposed to the network. Because no authentication gates this service, a remote attacker can send crafted API requests and execute arbitrary commands as root.

SSM On-Prem is the air-gapped or on-premises deployment of Cisco’s license management platform. Organizations running it typically do so because they cannot use the cloud-hosted version — meaning these are often high-security or regulated environments. The irony of a licensing server providing unauthenticated root access in environments that specifically chose on-prem for security reasons is not lost on anyone.

Affected Versions

  • SSM On-Prem releases 9-202502 through 9-202510 are vulnerable
  • Fixed in version 9-202601

What to Do Right Now

  1. Patch the IMC firmware on all UCS C-Series M5/M6 servers and 5000 Series ENCS to the fixed releases listed above. M7 and M8 are not affected.

  2. Upgrade SSM On-Prem to version 9-202601.

  3. Audit IMC exposure. The IMC management interface should never be reachable from untrusted networks. If your IMC interfaces are on a flat network or accidentally internet-facing, you have a bigger problem than this CVE. Restrict access to a dedicated, segmented management VLAN with strict ACLs.

  4. Check for signs of compromise. Review IMC user accounts for unexpected password changes or new accounts. On SSM On-Prem, review process lists and system logs for unexpected command execution.

  5. There are no workarounds. Cisco has confirmed that no temporary mitigations exist for any of these three vulnerabilities. Firmware updates are the only fix.
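For steps 1 and 2, an added example (not code from the original post or from Cisco): a small Python triage helper that checks a firmware/version inventory against the fixed releases listed above and flags hosts that still need action. The inventory rows are constructed, and the comparison rule it applies (an IMC build counts as fixed only when it is in the same train as a listed fixed release and at or above that build; other trains are flagged for a manual check) is this example's assumption, not Cisco's stated upgrade guidance.

```python
import re

IMC_FIXED = ["4.3(2.260007)", "4.3(6.260017)", "6.0(1.250174)"]  # fixed builds from the post
ENCS_FIXED = "4.15.5"
SSM_VULN = ("9-202502", "9-202510")  # inclusive vulnerable range
SSM_FIXED = "9-202601"
def parse_imc(v):
    """'4.3(2.260007)' -> ((4, 3, 2), 260007): release train and build number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\.(\d+)\)", v.strip())
    if not m:
        raise ValueError(f"unrecognised IMC version: {v!r}")
    a, b, c, d = map(int, m.groups())
    return (a, b, c), d
def parse_ssm(v):
    """'9-202510' -> (9, 202510)."""
    return tuple(int(x) for x in v.strip().split("-"))
def imc_status(model, version):
    # Assumed rule: fixed only if in the same train as a listed fixed release and at or
    # above its build number; builds on other trains are 'unknown' and need a manual check.
    if model in ("M7", "M8"):
        return "not-affected"
    if model == "ENCS":
        cur, fix = (tuple(map(int, s.split("."))) for s in (version, ENCS_FIXED))
        return "patched" if cur >= fix else "vulnerable"
    fixed = dict(parse_imc(f) for f in IMC_FIXED)  # {train: fixed build}
    train, build = parse_imc(version)
    if train not in fixed:
        return "unknown"
    return "patched" if build >= fixed[train] else "vulnerable"
def ssm_status(version):
    v = parse_ssm(version)
    if parse_ssm(SSM_VULN[0]) <= v <= parse_ssm(SSM_VULN[1]):
        return "vulnerable"
    # Versions outside the listed range but below the fix are not covered by the post.
    return "patched" if v >= parse_ssm(SSM_FIXED) else "unknown"
def triage(inventory):
    """Rows are (host, product, model, version); returns hosts that still need action."""
    todo = []
    for host, product, model, version in inventory:
        status = imc_status(model, version) if product == "IMC" else ssm_status(version)
        if status in ("vulnerable", "unknown"):
            todo.append((host, version, status))
    return todo
SAMPLE_INVENTORY = [  # constructed sample rows, not real hosts
    ("ucs-c220-01", "IMC", "M5", "4.3(2.240009)"),
    ("ucs-c240-03", "IMC", "M6", "6.0(2.250010)"),
    ("ucs-c220-04", "IMC", "M7", "4.3(4.250010)"),
    ("encs-edge-01", "IMC", "ENCS", "4.15.4"),
    ("ssm-onprem-01", "SSM", None, "9-202507"),
]
```

Running `triage(SAMPLE_INVENTORY)` returns the two vulnerable IMC hosts, the ENCS appliance and the SSM server, and skips the M7 host; the off-train M6 build is reported as unknown rather than silently passed.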

Context

Cisco’s PSIRT says none of these flaws have been exploited in the wild yet. That window is closing fast — the details are public, the patches are available for diffing, and BMC/management interfaces are perennial targets for both ransomware operators and APT groups seeking persistent, OS-independent footholds. If you manage Cisco UCS infrastructure, treat this as a P0.
