Cisco has published patches for two critical vulnerabilities that can allow a remote, unauthenticated attacker to take control of affected equipment if successfully exploited. The more serious of the two, tracked as CVE-2026-20093 and rated with a CVSS score of 9.8 out of 10, affects the Integrated Management Controller (IMC) component and, according to Cisco's own advisory, allows an attacker to bypass authentication by means of crafted HTTP requests.
In simple terms, the IMC flaw stems from incorrect handling of password-change requests: an attacker who sends a specially crafted HTTP request could modify the credentials of any account on the system, including the administrator's, and then log in with those privileges. Cisco credits the researcher known as "jyh" with discovering and reporting the vulnerability. The issue affects several product models and families regardless of device configuration, and the fixed versions published by Cisco are as follows: 5000 Series Enterprise Network Compute Systems (ENCS) fixed in 4.15.5; Catalyst 8300 Series Edge uCPE fixed in 4.18.3; UCS C-Series M5 and M6 in standalone mode fixed in 4.3(2.260007), 4.3(6.260017) and 6.0(1.250174); UCS E-Series M3 fixed in 3.2.17; and UCS E-Series M6 fixed in 4.15.3. For official details, see the list of Cisco security advisories on its PSIRT portal (https://sec.cloud) and the entry in the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2026-20093.

The second critical flaw, CVE-2026-20160, also with a CVSS score of 9.8, affects Smart Software Manager On-Prem (SSM On-Prem) and is of a different nature: the accidental exposure of an internal service leaves an API reachable that, given a manipulated request, can allow the execution of arbitrary commands on the underlying operating system with root privileges. Cisco has included the fix in SSM On-Prem version 9-202601 and notes that this vulnerability was discovered internally while resolving a TAC support case. The corresponding NVD entry provides additional technical information: https://nvd.nist.gov/vuln/detail/CVE-2026-20160.
For now, Cisco indicates that there is no public evidence of active exploitation of these two flaws, but the context matters: in recent months, vulnerabilities in network products have been widely exploited by malicious actors. That recent experience underlines that a vulnerability with a score close to 10 should not be left unpatched. Authorities and response teams recommend prioritizing critical updates, and resources such as the Cybersecurity and Infrastructure Security Agency (CISA) insist on the need for proactive patch and mitigation management: https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

For infrastructure and operations managers, the recommendation is clear and practical: apply the patches published by Cisco as soon as possible, since there are no official workarounds that replace the fix. In addition to updating to the versions listed above, it is advisable to review recent logs and access records on the affected systems, to rotate critical credentials if full traceability of access cannot be guaranteed, to segment and isolate remote management interfaces on the network, and to monitor indicators of compromise that may reveal exploitation attempts. If a heterogeneous fleet is managed, planning maintenance windows and prior testing will help to minimize disruption.
Disclosure and speed of response are essential: vendors usually publish technical advisories and upgrade guides on their portals, and security teams should integrate that information into their vulnerability management processes. For official advisories and mitigation information, it is recommended to consult the vendor's own source and public databases such as the NVD: the Cisco advisory portal and the National Vulnerability Database.
In short, these two fixes are a priority: if your environment uses IMC or SSM On-Prem, update now and verify your detection and digital hygiene measures to reduce the risk of intrusion and exposure of administrative accounts.
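To turn the list of fixed IMC releases above and the "apply the patches" recommendation into a repeatable fleet check, the following script is an added example (not code from Cisco or from this article). It encodes the fixed versions exactly as the article lists them and compares each inventoried device against the fixed release of the same release train. The inventory, the product family labels and the "train" rule (a device is only compared with a fixed release whose version prefix, everything except the final build or patch number, matches) are assumptions made for the example; a device whose train has no listed fixed release is reported as unresolved rather than guessed at, so it gets checked against the advisory by hand.

```python
import re
from collections import Counter

# Fixed IMC releases as listed in the article, keyed by product family.
# The family labels are this example's own shorthand, not Cisco identifiers.
FIXED_RELEASES = {
    "ENCS 5000": ["4.15.5"],
    "Catalyst 8300 uCPE": ["4.18.3"],
    "UCS C-Series M5/M6 standalone": ["4.3(2.260007)", "4.3(6.260017)", "6.0(1.250174)"],
    "UCS E-Series M3": ["3.2.17"],
    "UCS E-Series M6": ["4.15.3"],
}


def parse_version(text):
    """Turn '4.15.5' or '4.3(2.260007)' into a tuple of ints.

    Assumption: every numeric field in the string is significant and the
    last field is the build/patch number within a release train.
    """
    fields = [int(x) for x in re.findall(r"\d+", text)]
    if len(fields) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(fields)


def train(version):
    """Release train = all fields except the last (build/patch) one."""
    return version[:-1]


def assess(family, running):
    """Classify one device as patched, vulnerable, or unresolved.

    Returns one of: 'patched', 'vulnerable', 'no-fixed-release-for-train',
    'unknown-family'. Only releases in the same train as the running
    version are compared, so a device on an unlisted train is never
    silently marked as patched.
    """
    fixed = FIXED_RELEASES.get(family)
    if fixed is None:
        return "unknown-family"
    running_v = parse_version(running)
    candidates = [parse_version(f) for f in fixed
                  if train(parse_version(f)) == train(running_v)]
    if not candidates:
        return "no-fixed-release-for-train"
    # Same train implies same tuple length, so lexicographic comparison is safe.
    return "patched" if running_v >= min(candidates) else "vulnerable"


def assess_inventory(inventory):
    """Run assess() over (hostname, family, running_version) rows.

    Returns a dict of hostname -> status plus a Counter of statuses, which is
    what a patch-priority report needs.
    """
    results = {host: assess(family, ver) for host, family, ver in inventory}
    return results, Counter(results.values())


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("encs-branch-01", "ENCS 5000", "4.15.4"),
    ("encs-branch-02", "ENCS 5000", "4.15.5"),
    ("ucs-dc-07", "UCS C-Series M5/M6 standalone", "4.3(2.240009)"),
    ("ucs-dc-08", "UCS C-Series M5/M6 standalone", "6.0(1.250174)"),
    ("ucs-dc-09", "UCS C-Series M5/M6 standalone", "4.3(4.230001)"),
    ("ucse-site-03", "UCS E-Series M3", "3.2.17"),
]

if __name__ == "__main__":
    per_host, summary = assess_inventory(SAMPLE_INVENTORY)
    for host, status in per_host.items():
        print(f"{host:16} {status}")
    print("summary:", dict(summary))
```

Devices reported as `vulnerable` are the immediate patch queue; `no-fixed-release-for-train` entries need a manual look at the advisory before they are treated as safe, and the summary counter gives the numbers for a maintenance-window plan.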