Cisco has fixed ten vulnerabilities affecting its Integrated Management Controller (IMC), the most critical of which (CVE-2026-20093) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin.
Cisco IMC riddled with vulnerabilities
Cisco Integrated Management Controller is a built-in hardware management system used in Cisco servers.
It allows administrators to remotely control, monitor, and troubleshoot a server, even if the operating system isn’t running. (That’s because Cisco IMC is powered by a Baseboard Management Controller inside the server, which runs its own firmware and has its own IP address.)
Nine out of the ten vulnerabilities affect the IMC’s web-based management interface:
- CVE-2026-20085 and CVE-2026-20087 to CVE-2026-20090 are cross-site scripting (XSS) flaws that stem from insufficient validation of user input. They could lead to disclosure of sensitive information or arbitrary script code execution in the browser of the targeted user, but most require prior authentication and the user being tricked into clicking a crafted link.
- CVE-2026-20094 to CVE-2026-20097 allow an authenticated, remote attacker to execute arbitrary code or commands on the underlying operating system of an affected system and elevate privileges to root.
- CVE-2026-20093 is due to incorrect handling of password change requests. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user,” Cisco’s advisory warns.
These vulnerabilities affect various Cisco UCS server series, platforms for branch virtualization, and hybrid router/server platforms.
And, since many Cisco appliances are based on a preconfigured version of one of the Cisco UCS C-Series Servers, those are also affected by the vulnerabilities if they expose access to the Cisco IMC user interface.
The list of these appliances is long and includes Application Policy Infrastructure Controller (APIC) Servers, Cyber Vision Center Appliances, Secure Firewall Management Center and Malware Analytics Appliances, and many more.
What to do?
None of the flaws are under active exploitation – they’ve all been reported by security researchers. Still, implementing the provided security updates is a must, as workarounds are not available.
Preventing malicious actors from reaching the IMC management interface will likely mitigate the risk of abuse. “It is good practice not to have such an interface publicly accessible, but to support it in a separate management environment,” the Netherlands National Cyber Security Center noted.
Ensar Seker, CISO at threat intel company SOCRadar, told Help Net Security that the most concerning aspect of CVE-2026-20093 is that it targets the Integrated Management Controller (IMC), which operates below the operating system layer and maintains persistent, out-of-band access to the server.
“An authentication bypass at this level effectively hands attackers full administrative control over the hardware itself, meaning traditional security controls, EDR, SIEM detections, even OS-level hardening, become largely irrelevant once exploited. And in real-world scenarios, IMC interfaces are sometimes unintentionally exposed to the internet or insufficiently segmented, turning CVE-2026-20093 into a high-impact, low-effort entry point for full infrastructure compromise,” he added.
“From a defensive standpoint, organizations should treat out-of-band management interfaces as Tier-0 assets. Immediate patching is critical, but equally important is ensuring these interfaces are never publicly accessible, enforcing strict network segmentation, and applying access controls such as VPN-only or zero-trust access.”
The tenth vulnerability fixed in this round of IMC patches – CVE-2025-20261, a privilege escalation flaw in the IMC SSH connection handling – can also be mitigated by disabling SSH access.
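A simple way to verify the segmentation advice above is to probe your own IMC addresses from a vantage point outside the management network and flag anything that answers. The script below is an added example, not part of the article or of Cisco's tooling; it assumes the IMC web UI listens on TCP 443 and SSH on TCP 22, and the addresses and management network in it are constructed placeholders.

```python
"""Audit whether Cisco IMC (BMC) addresses are reachable from outside the
management segment. Run it from an untrusted vantage point (an office or
internet-facing host): any successful connection is an exposure finding."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

# Services the article's mitigations refer to: the web management UI (patch and
# segment) and SSH (CVE-2025-20261 can be mitigated by disabling SSH access).
# Assumed ports: 443 for the web UI, 22 for SSH.
IMC_SERVICES = {443: "IMC web management UI", 22: "IMC SSH"}

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_exposure(imc_hosts: Iterable[str], vantage_ip: str,
                   mgmt_nets: Iterable[str],
                   probe: Callable[[str, int], bool] = tcp_reachable
                   ) -> List[Tuple[str, int, str, str]]:
    """Return (host, port, service, verdict) for every reachable IMC service.

    A service reached from inside an approved management network is reported
    as 'expected'; anything reachable from elsewhere is 'EXPOSED', which is
    the condition the NCSC-NL and SOCRadar guidance warns about.
    """
    src = ipaddress.ip_address(vantage_ip)
    inside_mgmt = any(src in ipaddress.ip_network(n) for n in mgmt_nets)
    findings = []
    for host in imc_hosts:
        for port, service in IMC_SERVICES.items():
            if probe(host, port):
                verdict = "expected" if inside_mgmt else "EXPOSED"
                findings.append((host, port, service, verdict))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory and networks; replace with your own.
    sample_imcs = ["192.0.2.10", "192.0.2.11"]
    for finding in audit_exposure(sample_imcs, "203.0.113.5", ["10.99.0.0/24"]):
        print("%s:%d %s -> %s" % finding)
```

The `probe` parameter lets you swap in a different reachability test, for example an HTTPS GET, without changing the verdict logic.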