Overview
- Cisco, which published advisories Wednesday, shipped fixes for CVE-2026-20093 in Integrated Management Controller and CVE-2026-20160 in Smart Software Manager On-Prem.
- The IMC bug lets an unauthenticated attacker send a crafted HTTP request that bypasses login checks and changes any user password, including Admin, to gain full administrator access.
- The SSM On-Prem flaw exposes an internal service that accepts crafted API requests and runs commands on the host with root privileges; the fix is available in version 9-202601.
- Cisco also addressed four additional IMC web interface flaws that can lead to command execution and root access across more than two dozen products, including UCS C- and E-Series servers and appliances built on them.
- PSIRT reports no known exploitation or proof-of-concept code for these issues, yet it stresses fast patching after March’s separate FMC zero-day was exploited by the Interlock ransomware group and added to CISA’s KEV list.