Cisco Issues Urgent Patch for Critical IMC Auth Bypass: A CVSS 9.8 Wake-Up Call

A newly discovered vulnerability has turned the Cisco Integrated Management Controller (IMC) into a potential backdoor. Tracked as CVE-2026-20093, this critical flaw carries a CVSS score of 9.8, signaling a severe threat that could grant attackers full administrative control over affected systems.

The vulnerability is particularly alarming because it doesn’t require a complex exploit chain or existing credentials—just a specifically designed request to a common administrative function.

The issue lies deep within the “change password” functionality of the Cisco IMC. Due to the “incorrect handling of password change requests,” a remote, unauthenticated attacker can effectively lock out legitimate users and take over their accounts.

By sending a “crafted HTTP request to an affected device,” an attacker can bypass standard security gates. According to the Cisco advisory: “A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user”.

Because the IMC is integrated into a wide variety of hardware, the list of vulnerable products is extensive. This vulnerability “affects the following Cisco products if they are running a vulnerable release of Cisco IMC, regardless of device configuration”:

• Core Servers: 5000 Series Enterprise Network Compute Systems (ENCS), Catalyst 8300 Series Edge uCPE, and various UCS C-Series and E-Series servers.
• Specialized Appliances: Dozens of Cisco appliances based on preconfigured UCS servers are at risk if their IMC UI is exposed. This includes everything from Nexus Dashboard and Catalyst Center to Secure Firewall Management Center and HyperFlex Nodes.

For some platforms, like the 5000 Series ENCS, upgrading the IMC requires a full upgrade of the Cisco Enterprise NFV Infrastructure Software (NFVIS).

Administrators are urged to check their specific hardware and migrate to fixed releases immediately:

• UCS C-Series M6: Fixed in release 6.0(1.250174).
• Catalyst 8300 Series Edge uCPE: Fixed in release 4.18.3 (slated for April 2026).
• Specific Appliances: Many appliances require custom remediation steps, such as applying specific Hotfixes or using the Host Upgrade Utility (HUU)

While the technical severity is as high as it gets, Cisco has noted that their Product Security Incident Response Team (PSIRT) “is not aware of any public announcements or malicious use of the vulnerability” at this time.

Defenders are encouraged to restrict access to management interfaces to trusted networks only while they work through the firmware update process.