This week Cisco released security updates to fix several critical and high-severity vulnerabilities. Among the most worrying is a flaw in the Integrated Management Controller of its servers, the well-known Cisco IMC or CIMC, that would allow an attacker to bypass authentication and obtain administrator privileges on unpatched systems.
Cisco IMC is a physical component on the motherboard of UCS C-Series and E-Series servers that provides out-of-band management: it lets you control the hardware, access the console and manage boot even when the operating system is not available. Its interfaces include an XML API, a web interface and a command line, making it a critical point of control and therefore an attractive target for attackers.

Identified as CVE-2026-20093, the vulnerability lies in how IMC processes password change requests. A remote, unauthenticated attacker could send a crafted HTTP request to the affected service, trigger a failure in the control flow of the operation and end up modifying the password of any user on the system. The result could be access to the equipment with administrative credentials.
In its security advisory, Cisco describes the root of the problem as incorrect handling of password change requests and warns that, if exploitation is successful, the attacker could set new credentials for existing accounts and thus gain access with that user's role. The company has not, for now, reported exploitation in the wild or public proof-of-concept code, but urgently recommends updating to the fixed versions. Since there are no practical workarounds that completely mitigate the flaw, the only effective measure is to install the official patches. You can check Cisco's notice here: Cisco Security Advisory.
In addition to this problem in IMC, Cisco has published fixes for another critical vulnerability in Smart Software Manager On-Prem (SSM On-Prem), tracked as CVE-2026-20160. In this case, a specially crafted request to the exposed API could allow an attacker to run code on the affected server with root privileges. The combination of a network-accessible input vector and execution with high privileges makes this flaw a risk of full platform compromise if it is not patched.
The warning comes in a tense context: at the beginning of the month Cisco had to fix a maximum-severity vulnerability in its Secure Firewall Management Center (CVE-2026-20131), which was exploited in zero-day attacks by the Interlock group. The same flaw was added by the U.S. agency CISA to its catalog of vulnerabilities exploited in the wild, with instructions for federal agencies to mitigate it as a matter of priority on a very short deadline.
The sum of these incidents highlights two realities: first, that out-of-band management surfaces are high-value targets and, second, that the development chain and internal environments can also be compromised, complicating the response. Subsequent reports have indicated that Cisco's internal development environment suffered unauthorized access using credentials linked to the Trivy supply chain incident, which highlights the need to review software updates, credentials and access control processes alike.

If you manage infrastructure with affected components, the practical recommendation is clear: plan and install the official updates as soon as possible. In addition to patching, reduce the exposure of management interfaces: restrict access to management networks, use access control lists, limit authorised IP addresses and place management interfaces behind VPNs or separate networks. Review access and integrity logs to detect unusual activity, change credentials and rotate keys if compromise is suspected, and make sure that privileged access policies and audit logging are active and reviewed.
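The access-restriction advice above can be checked mechanically. The following is an added example (not from Cisco or from the original article) that audits the ACL rules in front of out-of-band management interfaces and reports any permit rule whose source is not fully inside an approved management or VPN range. All rule names, addresses and the rule format are constructed assumptions; it handles IPv4 only.

```python
import ipaddress

# Constructed sample data (assumptions, not from the article).
APPROVED_SOURCES = ["10.50.0.0/24", "10.60.8.0/28"]  # jump hosts, admin VPN pool
MGMT_INTERFACES = ["10.99.0.10", "10.99.0.11", "10.99.0.12"]  # IMC addresses
ACL_RULES = [  # (name, action, source, destination)
    ("mgmt-jump-hosts", "permit", "10.50.0.0/25", "10.99.0.10/32"),
    ("legacy-any", "permit", "0.0.0.0/0", "10.99.0.11/32"),
    ("office-lan", "permit", "192.168.0.0/16", "10.99.0.0/24"),
    ("vpn-admins", "permit", "10.60.8.4/32", "10.99.0.0/24"),
    ("default-deny", "deny", "0.0.0.0/0", "10.99.0.0/24"),
]


def audit_mgmt_acl(rules, approved, interfaces):
    """Per interface: permit rules with unapproved sources, and whether a
    deny-all rule covers it. Rules are judged independently (rule order is
    ignored), so a shadowed permit is still reported."""
    approved_nets = [ipaddress.ip_network(a) for a in approved]
    any_src = ipaddress.ip_network("0.0.0.0/0")
    report = {}
    for iface in interfaces:
        addr = ipaddress.ip_address(iface)
        overbroad, default_deny = [], False
        for name, action, source, dest in rules:
            if addr not in ipaddress.ip_network(dest):
                continue  # rule does not apply to this interface
            src = ipaddress.ip_network(source)
            if action == "deny":
                default_deny = default_deny or src == any_src
            elif not any(src.subnet_of(net) for net in approved_nets):
                # Source reaches beyond the approved management ranges.
                overbroad.append(name)
        report[iface] = {"overbroad": overbroad, "default_deny": default_deny}
    return report


if __name__ == "__main__":
    findings = audit_mgmt_acl(ACL_RULES, APPROVED_SOURCES, MGMT_INTERFACES)
    for iface, result in findings.items():
        print(iface, result)
```

A source range that only partly overlaps an approved range is reported as well, because the check requires the whole source network to sit inside an approved one.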
Cisco maintains the technical details and the list of affected software images in its security advisories; follow the manufacturer's specific guides and release notes before applying changes in production environments. For more detail, see the NVD entry on the IMC flaw (CVE-2026-20093), the official Cisco notice (Cisco Security Advisory) and the CISA note recording the addition of the other exploited vulnerability to its catalog (CISA Alert).
In short, these are strong reminders: remote management systems should not be exposed without proper protections, critical updates should be applied quickly, and the hygiene of credentials and of the software supply chain is as important as the quality of the patch itself. Operational security requires combining individual patches with design measures and access controls that limit the impact when something fails.