Patch Now! Critical-Severity Flaws in Cisco SSM On-Prem and IMC, Plus More

In early April, Cisco announced two critical-severity CVEs along with additional high and medium-severity vulnerabilities. Collectively, the flaws allow authentication bypass, privilege escalation to an Administrator account, unauthenticated remote code execution (RCE) as the root user, information disclosure, and Denial of Service conditions. The two critical flaws are CVE-2026-20160 (CVSS 9.8) affecting Cisco Smart Software Manager On-Prem (SSM On-Prem) and CVE-2026-20093 (CVSS 9.8) affecting Cisco Integrated Management Controller (IMC).

Greenbone’s OPENVAS ENTERPRISE FEED has included vulnerability detection for CVE-2026-20160 and CVE-2026-20093 since their disclosure, helping defenders mitigate these evolving threats. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.


CVE-2026-20160 and CVE-2026-20093 pose significant threats to enterprise IT. While SSM On-Prem and IMC are both internal network services that are not meant to be publicly exposed, these CVEs may offer adversaries who already hold a covert foothold an opportunity for lateral movement to high-value assets.

Cisco IMC is especially high risk because it is embedded in physical server and edge platforms that often sit close to core enterprise workloads. If an attacker gains administrative access, they may be able to disrupt services, pivot into adjacent networks, or use the compromised device as a staging point to target sensitive internal systems. If a target network is not strictly segmented between departments or if access controls are not tightly limited according to the principle of least privilege, risk is further increased.

Let’s first examine the two new critical-severity CVEs and then some additional CVEs published in early April 2026.

CVE-2026-20160 (CVSS 9.8) Affecting Cisco Smart Software Manager On-Prem (SSM On-Prem)

An exposed internal service allows unauthenticated remote attackers to execute arbitrary commands on the underlying OS with root privileges. CVE-2026-20160 can be exploited via HTTP requests to the exposed service’s API. The flaw is essentially an improper access control that Cisco has classified as “Exposure of Resource to Wrong Sphere” [CWE-668]. Cisco Smart Software Manager On-Prem (SSM On-Prem) versions 9-202502 to 9-202510 are affected.

Cisco SSM On-Prem is an on-premises software license-management server deployed as a virtual machine. SSM On-Prem exposes a web UI on port 8443 for administration and licensing workflows. SSM On-Prem acts as a local Smart Licensing manager for Cisco products, instead of requiring them to connect directly to Cisco’s cloud-hosted Smart Software Manager.

Multiple national CERT advisories have been issued for CVE-2026-20160 [1][2][3][4][5][6][7][8]. However, active exploitation, full technical details, or a public proof of concept (PoC) exploit are not confirmed. The OPENVAS ENTERPRISE FEED includes a remote banner version check to identify affected instances [9]. Users should update to version 9-202601 or later. See Cisco’s official advisory for more information.
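The advisory only gives a release window and a fixed release, so a defender's first question is usually "which of my SSM On-Prem instances fall inside that window?". The following is an added example (not Greenbone's OPENVAS check and not Cisco code) that shows the logic a banner version check applies: parse the `9-YYYYMM` release string quoted in the post, classify it against the affected range 9-202502 to 9-202510 and the fixed release 9-202601, and flag anything outside the stated window for manual confirmation against Cisco's advisory. The banner strings at the bottom are constructed, not real product output, and the inclusive reading of the range is an assumption.

```python
"""Release-window check for Cisco SSM On-Prem version strings.

Added example, not Greenbone's or Cisco's code. Affected and fixed releases
are taken from the advisory summary; treating the window as inclusive is an
assumption, so versions outside it are reported for review, not cleared.
"""
import re
from typing import Optional, Tuple

AFFECTED_FIRST = "9-202502"   # first affected release quoted in the post
AFFECTED_LAST = "9-202510"    # last affected release quoted in the post
FIXED_FROM = "9-202601"       # first fixed release quoted in the post

_VERSION_RE = re.compile(r"^(\d+)-(\d{4})(\d{2})$")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '9-202510' into (9, 2025, 10); None for malformed input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, year, month = (int(x) for x in m.groups())
    if not 1 <= month <= 12:
        return None
    return major, year, month


def classify(version: str) -> str:
    """Classify a release string relative to the advisory's stated ranges.

    'affected'             inside the quoted affected window
    'fixed'                at or above the quoted fixed release
    'outside-stated-range' parseable but not covered by either statement;
                           confirm against the vendor advisory by hand
    'unknown'              could not be parsed
    """
    v = parse_version(version)
    if v is None:
        return "unknown"
    if parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST):
        return "affected"
    if v >= parse_version(FIXED_FROM):
        return "fixed"
    return "outside-stated-range"


def assess_banner(banner: str) -> str:
    """Pull a release string out of a banner line and classify it."""
    m = re.search(r"\b(\d+-\d{6})\b", banner)
    if not m:
        return "unknown"
    return classify(m.group(1))


# Constructed sample banners for illustration; not real SSM On-Prem output.
SAMPLE_BANNERS = [
    "SSM On-Prem Release 9-202502",
    "SSM On-Prem Release 9-202510",
    "SSM On-Prem Release 9-202512",
    "SSM On-Prem Release 9-202601",
    "SSM On-Prem Release n/a",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:40} -> {assess_banner(banner)}")
```

A banner-based check can only be as accurate as the version string the service reports, so a result of `outside-stated-range` (for example a release between 9-202510 and 9-202601) should be resolved against the vendor advisory rather than treated as safe.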

CVE-2026-20093 (CVSS 9.8) Affecting Cisco Integrated Management Controller (IMC)

Improper input validation [CWE-20] can lead to authentication bypass during password change requests to the IMC. An attacker could exploit this vulnerability remotely via HTTP requests to alter the passwords of any user on the system (including an Admin user) and gain access to the system as that user.
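The post does not give the technical details of the IMC flaw, so the following is an added example of the general design rule a password-change endpoint has to satisfy, written as an illustration and not as a description of Cisco's implementation. It shows a handler that identifies the caller from the server-side session only, validates the target username strictly before any lookup, requires the current password for a self-change, requires the admin role for changing any other account, and invalidates the changed account's sessions afterwards. All names (`Directory`, `User`, `change_password`) and the in-memory session store are hypothetical.

```python
"""Authorization binding for a password-change handler.

Added example; not Cisco's code and not a description of the IMC
implementation. The point is that who may change which password is decided
from the authenticated session and the caller's role, never from fields
supplied in the request itself.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

USERNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789_-")
MIN_PASSWORD_LEN = 12


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    role: str          # "admin" or "readonly"
    salt: bytes
    pw_hash: bytes

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


@dataclass
class Directory:
    """Hypothetical user store with server-side sessions (token -> username)."""
    users: Dict[str, User] = field(default_factory=dict)
    sessions: Dict[str, str] = field(default_factory=dict)

    def add_user(self, name: str, role: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, role, salt, _hash(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not user.verify(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token


def change_password(d: Directory, token: str, target: str,
                    new_pw: str, old_pw: Optional[str] = None) -> str:
    """Return 'ok' or a reason code explaining the refusal."""
    # 1. Identify the caller from the session token alone.
    caller_name = d.sessions.get(token)
    if caller_name is None:
        return "unauthenticated"
    caller = d.users[caller_name]
    # 2. Validate the target username before it is used for any lookup.
    if not target or len(target) > 32 or not set(target) <= USERNAME_CHARS:
        return "invalid-target"
    account = d.users.get(target)
    if account is None:
        return "no-such-user"
    # 3. Self-change needs the current password; another account needs admin.
    if target == caller_name:
        if old_pw is None or not caller.verify(old_pw):
            return "wrong-old-password"
    elif caller.role != "admin":
        return "forbidden"
    # 4. Minimal password policy on the new value.
    if len(new_pw) < MIN_PASSWORD_LEN:
        return "weak-password"
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new_pw, account.salt)
    # 5. Every session of the changed account is revoked, including the
    #    caller's own if they changed their own password.
    for stale in [t for t, n in d.sessions.items() if n == target]:
        del d.sessions[stale]
    return "ok"
```

Step 3 is the one that matters for the class of flaw the post describes: a handler that trusts a username or role carried in the request body, or that skips the current-password check, lets a low-privileged session reset any account. Logging the refusal codes from such a handler also gives a cheap detection signal for repeated `forbidden` or `invalid-target` outcomes against management interfaces.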

Cisco IMC is an embedded Baseboard Management Controller (BMC) built into Cisco UCS rack and storage server platforms. The core function of Cisco IMC is out-of-band server management of physical servers when they operate in Standalone Mode via the Redfish RESTful API standard, SNMP, IPMI v2.0, or the Cisco IMC XML API. Multiple Cisco physical server products are affected if they include the Cisco Integrated Management Controller (IMC):

  • 5000 Series Enterprise Network Compute Systems (ENCS)
  • Catalyst 8300 Series Edge uCPE
  • UCS C-Series M5 and M6 Rack Servers in standalone mode
  • UCS E-Series Servers M3
  • UCS E-Series Servers M6

Multiple national CERT advisories have been issued for CVE-2026-20093 [1][2][3][4][5][6][7]. However, active exploitation, full technical details, or a public proof of concept (PoC) exploit are not confirmed. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check [9] and a remote banner version check [10] for devices affected by CVE-2026-20093. See Cisco’s official advisory for more information including a list of fixed releases for affected products.

Other Recent High-Severity Flaws in Cisco Products

Cisco also disclosed several high and medium-severity vulnerabilities that expand the risk posed to enterprise customers. While all of the CVEs below require valid account access to exploit, credential theft is a common tactic used in many sophisticated cyber attacks. If unpatched, these flaws could still result in command execution, privilege escalation, denial of service, or sensitive information exposure.

  • CVE-2026-20094 (CVSS 8.8): A command injection flaw due to improper validation of user-supplied input [CWE-77] allows an authenticated, remote attacker with read-only privileges to execute arbitrary commands on the underlying OS with root privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases is available in Cisco’s official advisory.
  • CVE-2026-20155 (CVSS 8.0): Improper authorization checks [CWE-862] on an API endpoint allow an authenticated, remote attacker with low privileges to access sensitive information without authorization. The flaw affects the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) devices prior to version 8.1.2 for all configurations. More information is available in Cisco’s official advisory.
  • CVE-2026-20151 (CVSS 7.3): Due to the improper transmission of sensitive user information [CWE-201], an attacker can retrieve session credentials from status messages to elevate privileges from a low-level account to admin. SSM On-Prem version 9-202510 and earlier in all configurations are affected. More information is available in Cisco’s official advisory.
  • CVE-2026-20095 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote user can execute arbitrary code or commands [CWE-77] on the underlying OS of an affected system and elevate privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and earlier are affected. A full list of affected products and fixed releases is available in Cisco’s official advisory.
  • CVE-2026-20096 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote admin user can execute arbitrary commands [CWE-77] on the underlying OS with root privileges. The flaw is exploitable via HTTP requests. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases is available in Cisco’s official advisory.
  • CVE-2026-20097 (CVSS 6.5): Due to improper validation of user-supplied input, an authenticated remote admin user can execute arbitrary commands [CWE-77] on the underlying OS with root privileges. The web-based management interface of Cisco IMC and Cisco Enterprise NFVIS version 4.18.x and prior are affected. A full list of affected products and fixed releases is available in Cisco’s official advisory.
  • CVE-2026-20110 (CVSS 6.5): A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker to cause a denial of service (DoS) condition. This vulnerability exists because incorrect privileges are associated with the start maintenance command. All versions of Cisco IOS XE Software are affected if the start maintenance command is supported. See Cisco’s official advisory for more information.

Cisco has assigned a Security Impact Rating (SIR) of High to CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097, which is above their CVSS ranking of Medium, because additional security implications apply if an attacker gains root-level access. The OPENVAS ENTERPRISE FEED includes detection tests for all aforementioned CVEs [1][2][3][4][5].

Summary

Cisco’s early April 2026 security disclosures indicate elevated risk across several products. This includes the vendor’s SSM On-Prem license management server and Cisco Integrated Management Controller (IMC), which impacts a wide array of physical hardware products, including Cisco UCS rack and storage server platforms. The most severe new flaws enable authentication bypass and unauthenticated RCE as the root user.

Although public exploitation has not been confirmed, the affected systems are high-value internal assets that represent attractive targets for advanced persistent threat (APT) actors. Organizations should verify exposure to these and other software vulnerabilities and prioritize patching. Defenders seeking to detect and protect can try Greenbone’s entry-level OPENVAS BASIC for free, including a two-week trial of the ENTERPRISE FEED.