Critical Cisco IMC Authentication Bypass Allows Remote Administrative Takeover
Take action: If your organization is running Cisco FMC on-premise, SSM On-Prem, or UCS servers with exposed IMC interfaces, consider this urgent and critical. Your immediate first step must be to ensure the web and management interfaces for all these devices are strictly isolated and accessible only from highly trusted internal networks. Even if you have them isolated, threat actors will weaponize these flaws and look for a way in.
Learn More
Cisco has disclosed a critical authentication bypass vulnerability affecting its Integrated Management Controller (IMC), a baseboard management interface used across a wide range of Cisco hardware platforms.
The flaw is tracked as CVE-2026-20093 (CVSS score 9.8), resides in the change password functionality of Cisco IMC and could allow an unauthenticated, remote attacker to bypass authentication and gain administrative access to affected systems. By sending a specially crafted HTTP request to a vulnerable device, an attacker could alter the password of any user, including Admin accounts and log in with full privileges. The vulnerability is causedd by incorrect handling of password change requests (CWE-20: Improper Input Validation),
This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IMC, regardless of device configuration:
- 5000 Series Enterprise Network Compute Systems (ENCS) (CSCwq55648)
- Catalyst 8300 Series Edge uCPE (CSCwq68912)
- UCS C-Series M5 and M6 Rack Servers in standalone mode (CSCwq55659)
- UCS E-Series Servers M3 (CSCwq55648)
- UCS E-Series Servers M6 (CSCwq68912)
Cisco appliances that are based on a preconfigured version of one of the Cisco UCS C-Series Servers that are in the preceding list are also affected by this vulnerability if they expose access to the Cisco IMC UI. This includes the following Cisco products:
- Application Policy Infrastructure Controller (APIC) Servers
- Business Edition 6000 and 7000 Appliances
- Catalyst Center Appliances
- Cisco Telemetry Broker Appliances
- Cloud Services Platform (CSP) 5000 Series
- Common Services Platform Collector (CSPC) Appliances
- Connected Mobile Experiences (CMX) Appliances
- Connected Safety and Security UCS Platform Series Servers
- Cyber Vision Center Appliances
- Expressway Series Appliances
- HyperFlex Edge Nodes
- HyperFlex Nodes in HyperFlex Datacenter without Fabric Interconnect (DC-No-FI) deployment mode
- IEC6400 Edge Compute Appliances
- IOS XRv 9000 Appliances
- Meeting Server 1000 Appliances
- Nexus Dashboard Appliances
- Prime Infrastructure Appliances
- Prime Network Registrar Jumpstart Appliances
- Secure Endpoint Private Cloud Appliances
- Secure Firewall Management Center Appliances
- Secure Malware Analytics Appliances
- Secure Network Analytics Appliances
- Secure Network Server Appliances
- Secure Workload Servers
UCS B-Series Blade Servers, UCS C-Series M7 and M8 Rack Servers, UCS C-Series Rack Servers managed via Fabric Interconnects, UCS S-Series Storage Servers, and UCS X-Series Modular Systems are confirmed not affected.
Cisco has released fixed software for multiple release trains.
- UCS C-Series M5, the fix is available in IMC release 4.3(2.260007);
- M6 servers, fixes are in releases 4.3(6.260017) and 6.0(1.250174);
- UCS E-Series M3 users should upgrade to IMC release 3.2.17;
- E-Series M6 users should move to 4.15.3;
- for the 5000 Series ENCS, upgrading NFVIS to version 4.15.5 will apply the IMC fix as part of the firmware auto-upgrade process.
- Several appliance-specific remediation paths also exist, including dedicated firmware ISOs and hotfixes for platforms such as Secure Firewall Management Center, Secure Network Analytics, and Secure Endpoint Private Cloud.
Cisco strongly recommends that customers upgrade to the appropriate fixed release as soon as possible to fully remediate the vulnerability.
