Cisco has released security updates to address several critical and high-severity vulnerabilities, including an Integrated Management Controller (IMC) authentication bypass that allows attackers to gain Admin access.
Also known as CIMC, Cisco IMC is a management controller embedded on the motherboard of Cisco UCS C-Series and E-Series servers. It provides out-of-band management that remains available even when the host operating system is powered off or has crashed, via multiple interfaces including the XML API, the web UI, and a command-line interface (CLI).
Tracked as CVE-2026-20093, the vulnerability was found in the Cisco IMC password change functionality and can be remotely exploited by unauthenticated attackers to bypass authentication and access unpatched systems with Admin privileges.
“This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device,” Cisco explained on Wednesday.
“A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.”
“Strongly” advised to patch as soon as possible
While Cisco’s Product Security Incident Response Team (PSIRT) has yet to find evidence of in-the-wild exploitation or of public proof-of-concept exploit code, the company “strongly recommends that customers upgrade to the fixed software,” as there are no workarounds that temporarily mitigate this flaw.
This week, Cisco also released patches for a critical Smart Software Manager On-Prem (SSM On-Prem) vulnerability (CVE-2026-20160) that could allow attackers without privileges to gain remote code execution (RCE) on vulnerable SSM On-Prem hosts.
Attackers can exploit CVE-2026-20160 by sending a crafted request to the exposed service’s API, allowing them to execute commands on the underlying operating system with root-level privileges.
Earlier this month, Cisco patched a maximum-severity RCE vulnerability (CVE-2026-20131) in the Secure Firewall Management Center (FMC) that the Interlock ransomware gang exploited in zero-day attacks. CISA has also added CVE-2026-20131 to its catalog of flaws abused in the wild, ordering federal agencies to secure their systems within three days.
More recently, BleepingComputer reported that Cisco’s internal development environment was breached using credentials stolen during the recent Trivy supply chain attack.