Cisco has rolled out crucial updates to fix severe vulnerabilities in its Integrated Management Controller (IMC) and Smart Software Manager On-Prem (SSM On-Prem), which pose significant security risks. The flaws, if left unaddressed, could let unauthenticated remote attackers gain unauthorized system access or execute commands with high-level privileges.
Details of the IMC Vulnerability
The IMC vulnerability, identified as CVE-2026-20093, is a critical issue with a CVSS score of 9.8, indicating a high level of severity. The flaw arises from improper processing of password change requests, potentially allowing an attacker to bypass authentication measures and manipulate user passwords, including those of administrative accounts. This could grant the attacker elevated access to the system.
Discovered and reported by security researcher ‘jyh’, this vulnerability impacts various Cisco products, including the 5000 Series Enterprise Network Compute Systems (ENCS) and UCS E-Series Servers. Cisco has addressed the issue in recent updates, with specific versions detailed for each affected product.
SSM On-Prem Flaw and Its Implications
Another critical vulnerability affects Cisco’s SSM On-Prem, identified as CVE-2026-20160, which also bears a CVSS score of 9.8. This flaw is due to the unintended exposure of an internal service, which could be exploited by attackers through crafted API requests. Successful exploitation could result in command execution on the operating system with root privileges.
The SSM On-Prem vulnerability was discovered internally by Cisco during a technical support case analysis. The company has released a patch in version 9-202601 to mitigate this risk.
Recommendations and Future Outlook
As of now, there are no reported instances of these vulnerabilities being exploited in the wild. However, given the severity, Cisco urges all users to promptly update to the latest versions to ensure optimal security. The recent trend of threat actors targeting Cisco products underscores the importance of staying vigilant and maintaining updated systems.
In conclusion, these updates are vital for preventing potential security breaches and safeguarding sensitive data. Organizations using affected Cisco products should prioritize these patches to fortify their network security.
