Critical Cisco Smart Software Manager Vulnerability Allows Root Command Execution
Take action: Treat this Cisco SSM On-Prem update as an emergency priority: the flaw allows unauthenticated root-level command execution and Cisco has published no workarounds. First, make sure the SSM On-Prem host is not reachable from the internet and is accessible only from trusted networks; this limits exposure but does not fix the flaw, so patch as soon as possible. Because license managers typically have broad network reach, a compromised SSM is an ideal platform for lateral movement across your infrastructure.
Cisco released a high-priority security advisory regarding a critical vulnerability in its Smart Software Manager (SSM) On-Prem platform. This platform is a central component for managing enterprise software licenses within private networks, making it a high-value target for infrastructure compromise.
The flaw is tracked as CVE-2026-20160 (CVSS score 9.8), an improper access control vulnerability in the Cisco SSM On-Prem internal service API that allows unauthenticated remote command execution. The flaw exists because an internal service is unintentionally exposed to the network, letting an attacker send crafted HTTP requests to the API. Successful exploitation grants root-level privileges on the underlying operating system without any user interaction or valid credentials.
Since this tool often sits deep within core enterprise infrastructure, adversaries can use it as a pivot point for lateral movement into other network segments.
The vulnerability affects Cisco SSM On-Prem releases from 9-202502 to 9-202510.
Cisco confirmed that releases earlier than 9-202502 are not affected by this issue. The Cisco Smart Licensing Utility and SSM satellite products do not contain the vulnerable code and are not affected either. Cisco's Product Security Incident Response Team (PSIRT) discovered the issue while handling a support case and reports no evidence of active exploitation so far.
Cisco states that no workarounds or temporary mitigations exist for this flaw, making immediate patching the only solution.
Organizations must upgrade to SSM On-Prem version 9-202601 to resolve the vulnerability.
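The affected range and the fixed release above are the only facts a practitioner needs to triage an SSM On-Prem inventory, and the release strings follow a 9-YYYYMM pattern that can be compared chronologically. The following script is an added example, not Cisco's code or tooling: it parses those release strings, classifies each host as affected, not affected, fixed, or needing manual verification, and sorts an inventory by urgency. The hostnames and versions in the inventory are constructed sample data, and the "verify" bucket (releases newer than 9-202510 but older than 9-202601, which this page does not list) is this example's own conservative interpretation rather than a statement from the advisory.

```python
"""Triage SSM On-Prem hosts against the affected/fixed releases in this advisory.

Added example, not Cisco's code. Version strings follow the '9-YYYYMM'
pattern used in the advisory; the inventory below is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Release boundaries as stated in the advisory summary.
FIRST_AFFECTED = "9-202502"
LAST_AFFECTED = "9-202510"
FIXED_RELEASE = "9-202601"

_VERSION_RE = re.compile(r"^\s*(\d+)-(\d{4})(\d{2})\s*$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '9-202510' into (9, 2025, 10) so tuples compare chronologically."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognized SSM On-Prem release string: {version!r}")
    major, year, month = (int(g) for g in match.groups())
    if not 1 <= month <= 12:
        raise ValueError(f"month out of range in release string: {version!r}")
    return major, year, month


def classify(version: str) -> str:
    """Classify a release as not_affected, affected, verify, fixed or unknown.

    'verify' is this example's own bucket: releases newer than the last listed
    affected build but older than the fixed build are not named on the page,
    so they are checked against Cisco's advisory rather than assumed safe.
    """
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if v < parse_version(FIRST_AFFECTED):
        return "not_affected"
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    if v < parse_version(FIXED_RELEASE):
        return "verify"
    return "fixed"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows, most urgent first."""
    urgency = {"affected": 0, "verify": 1, "unknown": 2, "not_affected": 3, "fixed": 4}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (urgency[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ssm-onprem-01.example.internal": "9-202510",
    "ssm-onprem-02.example.internal": "9-202601",
    "ssm-onprem-lab.example.internal": "9-202412",
    "ssm-onprem-03.example.internal": "9-202511",
    "ssm-onprem-old.example.internal": "unknown-build",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<13} {ver:<14} {host}")
```

Feed `triage` the versions reported by each appliance's web UI or API and patch the "affected" rows first; treat "verify" and "unknown" rows as affected until the exact release is confirmed against Cisco's advisory.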