Cisco fixed critical and high-severity flaws

Cisco fixed critical flaws that could allow attackers to bypass authentication, run code, and gain access to sensitive data.

Cisco released patches for two critical and six high-severity vulnerabilities. These flaws could let attackers bypass authentication, execute malicious code, escalate privileges, and access sensitive information.

One of these critical flaws is CVE-2026-20093 (CVSS score of 9.8), a flaw in Cisco IMC that lets a remote attacker bypass authentication via a crafted HTTP request. An attacker could change user passwords, including admin, and gain full system access.

Cisco Integrated Management Controller (IMC) is a built-in management system used on Cisco servers. IMC lets administrators control and monitor a server remotely, even if the operating system is off or not working.

Cisco also patched a critical SSM On-Prem flaw, tracked as CVE-2026-20160 (CVSS score of 9.8) that allowed unauthenticated attackers to run commands on the host OS with root privileges via a crafted API request.

Cisco’s PSIRT is not aware of exploits or proof-of-concept code for these vulnerabilities, however the networking giant strongly advises customers to update to the patched software.

In March, the company fixed a critical RCE zero-day, tracked as CVE-2026-20131 (CVSS score of 10.0), in Secure Firewall FMC, exploited by Interlock ransomware. US CISA ordered federal agencies to patch within three days. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)