Cisco Patches Critical and High-Severity Vulnerabilities

Summary

Cisco released security patches for two critical and six high-severity vulnerabilities affecting Smart Software Manager On-Prem, Evolved Programmable Network Manager, and Integrated Management Controller. The critical flaws include CVE-2026-20160 (RCE via exposed internal service) and CVE-2026-20093 (authentication bypass via password change requests), along with additional high-severity issues enabling privilege escalation and information disclosure. Cisco reports no active exploitation in the wild.

Full text

Cisco on Wednesday announced fixes for two critical and six high-severity vulnerabilities that could be exploited for authentication bypass, remote code execution, privilege escalation, and information disclosure. One of the critical bugs, tracked as CVE-2026-20160, impacts Cisco Smart Software Manager On-Prem (SSM On-Prem) and could allow attackers to abuse an erroneously exposed internal service to execute arbitrary commands. “An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges,” Cisco says. The second critical flaw is CVE-2026-20093, an authentication bypass issue rooted in the incorrect handling of password change requests. An unauthenticated attacker could send crafted HTTP requests to a vulnerable device and modify user passwords, including those of administrators. The attacker could then access the system as an administrator. On Wednesday, Cisco patched a high-severity defect in Evolved Programmable Network Manager (EPNM) that could allow attackers to access sensitive information, and another in SSM On-Prem that could be exploited for privilege escalation.Advertisement. Scroll to continue reading. The company also rolled out fixes for four Integrated Management Controller (IMC) vulnerabilities that could be exploited to execute arbitrary commands and gain root privileges. All flaws exist because user-supplied input is not properly validated on IMC’s web-based management interface. According to Cisco, more than two dozen enterprise networking products are impacted by the four security defects, including UCS C-series and E-series servers, as well as appliances that are based on them. Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page. Related: Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome Related: TP-Link Patches High-Severity Router Vulnerabilities Related: BIND Updates Patch High-Severity Vulnerabilities Related: Cisco Patches Multiple Vulnerabilities in IOS Software Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire US Charges Uranium Crypto Exchange HackerAxios NPM Package Breached in North Korean Supply Chain AttackTeamPCP Moves From OSS to AWS EnvironmentsCrewAI Vulnerabilities Expose Devices to HackingExploitation of Critical Fortinet FortiClient EMS Flaw BeginsStrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNsLloyds Data Security Incident Impacts 450,000 IndividualsHuskeys Emerges From Stealth With $8 Million in Funding Latest News 250,000 Affected by Data Breach at Nacogdoches Memorial HospitalMercor Hit by LiteLLM Supply Chain AttackSophisticated CrystalX RAT EmergesVariance Raises $21.5M for Compliance Investigation Platform Powered by AI AgentsLinx Security Raises $50 Million for Identity Security and GovernanceDepthfirst Raises $80 Million in Series B FundingToy Giant Hasbro Hit by CyberattackNew DeepLoad Malware Dropped in ClickFix Attacks Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-20160
• cve — CVE-2026-20093

Entities