Zero-Day Security Alert — April 2, 2026: Cisco IMC Auth Bypass and SSM On-Prem RCE
- Jacob Hughes
- Apr 2
Daily Security Briefing
April 2, 2026
CVE-2026-20093 | CVSS 9.8 | CRITICAL Severity | No Known Active Exploitation
Affected Product
Cisco Integrated Management Controller (IMC)
Description
A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) allows an unauthenticated, remote attacker to bypass authentication and gain Admin-level access. The flaw stems from incorrect handling of password change requests. An attacker can send a crafted HTTP request to alter the password of any user, including Admin accounts, and then log in as that user.
Attack Vector
Network-based. No authentication or user interaction is required. An attacker sends a specially crafted HTTP request to the IMC change password endpoint, exploiting improper request validation to overwrite any user's credentials remotely.
Remediation
Apply the Cisco security update referenced in advisory cisco-sa-cimc-auth-bypass-AgG2BxTn. Ensure IMC management interfaces are not exposed to untrusted networks. Restrict access to IMC endpoints via firewall rules or VPN until patching is complete.
CISA Remediation Due Date: N/A
CVE-2026-20160 | CVSS 9.8 | CRITICAL Severity | No Known Active Exploitation
Affected Product
Cisco Smart Software Manager On-Prem (SSM On-Prem)
Description
A vulnerability in Cisco Smart Software Manager On-Prem allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root-level privileges. The flaw is caused by the unintentional exposure of an internal service whose API can be reached by sending crafted requests.
Attack Vector
Network-based. No authentication or user interaction is required. An attacker exploits an inadvertently exposed internal service API to send crafted requests that result in arbitrary command execution with root privileges on the SSM On-Prem host.
Remediation
Apply the Cisco security update referenced in advisory cisco-sa-ssm-cli-execution-cHUcWuNr. Restrict network access to the SSM On-Prem management interface. Monitor for unexpected command execution or unauthorized API calls on the SSM On-Prem host.
CISA Remediation Due Date: N/A
This report is generated by an automated threat-monitoring pipeline. It is intended as an early-warning resource and does not constitute a full risk assessment. Always verify findings against vendor advisories before taking remediation action.
