Critical Vulnerabilities
CVE-2026-20160 – Remote Code Execution (RCE)
Affected Product: Cisco Smart Software Manager On-Prem (SSM On-Prem)
Description: An improperly exposed service accepts specially crafted API requests that can execute commands with root privileges (RCE).
CVE-2026-20093 – Authentication Bypass
Affected Product: Cisco Smart Software Manager On-Prem (SSM On-Prem)
Description: Due to a vulnerability in the authentication mechanism, an unauthenticated attacker can change user passwords (including the administrator's) via specially crafted HTTP requests and gain unauthorized administrative access.
High Severity Vulnerabilities
In addition to the critical vulnerabilities, updates have also been released for the following high severity vulnerabilities:
- Cisco Evolved Programmable Network Manager (EPNM): Sensitive information disclosure vulnerability
- SSM On-Prem: Privilege escalation vulnerability
- Cisco Integrated Management Controller (IMC): A total of four vulnerabilities caused by input validation deficiencies that may allow command execution and obtaining root privileges
It is stated that the IMC vulnerabilities affect many enterprise products, including UCS C-Series and E-Series servers.
Assessment and Recommendations
Due to the critical impacts of these vulnerabilities, such as remote code execution and authentication bypass, it is important to prioritize the following actions:
- Immediately perform version checks on affected systems
- Prioritize the application of security updates released by Cisco
- Evaluate temporary measures (workarounds) for systems where updates cannot be applied
- Review network access control rules for affected products
References
- Cisco Security Advisories: https://tools.cisco.com/security/center/publicationListing.x