Critical Cisco IMC auth bypass gives attackers Admin access
Cisco patches critical IMC authentication bypass enabling unauthenticated Admin access.
Summary
Cisco released security updates for multiple critical vulnerabilities, including CVE-2026-20093, an authentication bypass in Cisco Integrated Management Controller (IMC) that lets unauthenticated attackers gain Admin access by sending crafted HTTP requests to the password change functionality. No in-the-wild exploitation has been observed yet, but Cisco strongly recommends immediate patching because no workarounds exist. The same release addresses CVE-2026-20160 in Smart Software Manager On-Prem, which enables unauthenticated remote code execution, and the article also references the recently patched CVE-2026-20131 in Secure Firewall Management Center, which the Interlock ransomware gang exploited as a zero-day.
Full text
By Sergiu Gatlan, April 2, 2026 07:01 AM

Cisco has released security updates to address several critical and high-severity vulnerabilities, including an Integrated Management Controller (IMC) authentication bypass that allows attackers to gain Admin access.

Also known as CIMC, Cisco IMC is a hardware module embedded on the motherboard of Cisco servers that provides out-of-band management of UCS C-Series and E-Series servers (it remains reachable even when the operating system is powered off or has crashed) through several interfaces, including the XML API, the web UI (WebUI), and a command-line interface (CLI).

Tracked as CVE-2026-20093, the vulnerability was found in the Cisco IMC password change functionality and can be exploited remotely by unauthenticated attackers to bypass authentication and access unpatched systems with Admin privileges.

"This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device," Cisco explained on Wednesday. "A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user."

"Strongly" advised to patch as soon as possible

While Cisco's Product Security Incident Response Team (PSIRT) has yet to find evidence of in-the-wild exploitation or public proof-of-concept exploit code, the company "strongly recommends that customers upgrade to the fixed software," as there are no workarounds that temporarily mitigate this flaw.

This week, Cisco also released patches for a critical Smart Software Manager On-Prem (SSM On-Prem) vulnerability (CVE-2026-20160) that could let unprivileged threat actors gain remote code execution (RCE) on vulnerable SSM On-Prem hosts.
Attackers can exploit CVE-2026-20160 by sending a crafted request to the exposed service's API, allowing them to execute commands on the underlying operating system with root privileges.

Earlier this month, Cisco patched a maximum-severity RCE vulnerability (CVE-2026-20131) in Secure Firewall Management Center (FMC) that the Interlock ransomware gang exploited in zero-day attacks. CISA has since added CVE-2026-20131 to its catalog of flaws abused in the wild, ordering federal agencies to secure their systems within three days.

More recently, BleepingComputer reported that Cisco's internal development environment was breached using credentials stolen during the recent Trivy supply chain attack.
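Because no workaround exists for CVE-2026-20093, the practical first step is to find every CIMC whose firmware predates the fixed release. The script below is an added example, not code from the article or from Cisco: it builds the two Cisco IMC XML API requests needed to read the running firmware (aaaLogin to obtain a session cookie, then configResolveClass on the firmwareRunning class), extracts the CIMC version from a response, and flags hosts older than a fixed version. The article does not list the fixed releases, so FIXED_VERSION is a placeholder to be replaced from Cisco's advisory; the sample responses are constructed, not captured from real devices, and the version-string parser assumes Cisco's usual "major.minor(patch[letter]|patch.build)" format.

```python
"""Triage Cisco IMC (CIMC) firmware versions against a fixed release.

Added example (not from the article or Cisco). The fixed versions for
CVE-2026-20093 are not given on the page, so FIXED_VERSION is a placeholder.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Cisco IMC XML API endpoint: requests are POSTed to https://<imc-host>/nuova
XML_API_PATH = "/nuova"

# ASSUMPTION / placeholder: replace with the first fixed release for your
# platform from the Cisco advisory for CVE-2026-20093.
FIXED_VERSION = "4.3(2.999999)"

# CIMC versions look like "4.2(3b)" or "4.3(2.240009)".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-zA-Z]?)(?:\.(\d+))?\)$")


def parse_version(version: str) -> tuple:
    """Turn a CIMC version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CIMC version format: {version!r}")
    major, minor, patch, letter, build = m.groups()
    letter_rank = ord(letter.lower()) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), letter_rank, int(build or 0))


def build_login_request(username: str, password: str) -> str:
    """XML API login; the response carries outCookie for later calls."""
    return f"<aaaLogin inName={quoteattr(username)} inPassword={quoteattr(password)}/>"


def build_firmware_query(cookie: str) -> str:
    """Request every firmwareRunning object; type="system" is CIMC itself."""
    return (f"<configResolveClass cookie={quoteattr(cookie)} "
            f'inHierarchical="false" classId="firmwareRunning"/>')


def running_cimc_version(response_xml: str) -> str:
    """Extract the CIMC firmware version from a configResolveClass response.

    Only the firmwareRunning entry with type="system" is the management
    controller; BIOS and other components are listed under other types."""
    root = ET.fromstring(response_xml)
    for fw in root.iter("firmwareRunning"):
        if fw.get("type") == "system":
            return fw.get("version", "")
    raise ValueError('no firmwareRunning type="system" object in response')


def needs_patch(running: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running version is older than the fixed version."""
    return parse_version(running) < parse_version(fixed)


def triage(responses: dict, fixed: str = FIXED_VERSION) -> dict:
    """Map host -> (running version, needs_patch) from captured responses."""
    result = {}
    for host, response_xml in responses.items():
        running = running_cimc_version(response_xml)
        result[host] = (running, needs_patch(running, fixed))
    return result


# Constructed sample responses (not from real devices) in the shape the XML
# API returns for configResolveClass on firmwareRunning.
SAMPLE_RESPONSES = {
    "imc-lab-01": """<configResolveClass cookie="x" response="yes" classId="firmwareRunning">
  <outConfigs>
    <firmwareRunning dn="sys/rack-unit-1/mgmt/fw-system" type="system" version="4.2(3b)"/>
    <firmwareRunning dn="sys/rack-unit-1/bios/fw-boot-loader" type="blade-bios" version="sample-bios-1.0"/>
  </outConfigs>
</configResolveClass>""",
    "imc-lab-02": """<configResolveClass cookie="y" response="yes" classId="firmwareRunning">
  <outConfigs>
    <firmwareRunning dn="sys/rack-unit-1/mgmt/fw-system" type="system" version="4.3(2.999999)"/>
  </outConfigs>
</configResolveClass>""",
}

if __name__ == "__main__":
    print(build_login_request("admin", "replace-me"))
    for host, (version, vulnerable) in triage(SAMPLE_RESPONSES).items():
        print(f"{host}: running {version} -> {'PATCH' if vulnerable else 'ok'}")
```

In production the two request strings are POSTed to XML_API_PATH on each IMC over HTTPS and the real configResolveClass reply is fed to triage(); the letter-to-rank mapping keeps "4.2(3c)" ordered after "4.2(3b)", and a version string the regex does not recognise raises rather than silently passing as patched.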
Indicators of Compromise
- cve — CVE-2026-20093
- cve — CVE-2026-20160
- cve — CVE-2026-20131