
[CIVN-2026-0185] Multiple Vulnerabilities in CISCO
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Cisco SSM On-Prem
Cisco Integrated Management Controller
5000 Series Enterprise Network Compute Systems (ENCS)
Catalyst 8300 Series Edge uCPE
UCS C-Series M5 and M6 Rack Servers in standalone mode
UCS E-Series Servers M3 & M6
UCS S-Series Storage Servers in standalone mode
Cisco EPNM
Overview
Multiple vulnerabilities have been reported in Cisco products, which could allow an attacker to execute code remotely, perform command injection and gain elevated privileges on the targeted system.
Target Audience:
Individuals and IT administrators, security teams responsible for maintaining and updating CISCO products
Risk Assessment:
Risk of remote code execution, elevation of privileges, or system instability
Impact Assessment:
Potential impact on confidentiality, integrity and availability of the system.
Description
1. Arbitrary Command Execution Vulnerability (CVE-2026-20160)
This vulnerability exists in Cisco Smart Software Manager On-Prem (SSM On-Prem) due to the unintentional exposure of an internal service. An attacker could exploit this vulnerability by sending a specially crafted request to the API of the exposed service.
Successful exploitation of this vulnerability could allow an attacker to execute commands with root-level privileges on the targeted system.
2. Authentication Bypass Vulnerability (CVE-2026-20093)
This vulnerability exists in Cisco Integrated Management Controller due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a specially crafted HTTP request to the targeted system.
Successful exploitation of this vulnerability could allow an attacker to bypass authentication, alter the passwords of any user on the targeted system, including an Admin user, and gain access to the system as that user.
3. Improper Authorization Vulnerability (CVE-2026-20155)
This vulnerability exists in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) due to improper authorization checks on a REST API endpoint of an affected device. An attacker could exploit this vulnerability by querying the affected endpoint.
Successful exploitation of this vulnerability could allow the attacker to view session information of active Cisco EPNM users, including users with administrative privileges on the targeted system.
4. Privilege Escalation Vulnerability (CVE-2026-20151)
This vulnerability exists in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) due to the improper transmission of sensitive user information. An attacker could exploit this vulnerability by sending a crafted message to an affected Cisco SSM On-Prem host and retrieving session credentials from subsequent status messages.
Successful exploitation of this vulnerability could allow the attacker to elevate privileges on the targeted system.
5. Command Injection and Remote Code Execution Vulnerabilities (CVE-2026-20094, CVE-2026-20095, CVE-2026-20096, CVE-2026-20097)
Multiple vulnerabilities exist in the web-based management interface of Cisco Integrated Management Controller (IMC) due to improper validation of user-supplied input. An attacker could exploit these vulnerabilities by sending a specially crafted request to the targeted system.
Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary commands on the targeted system.
Solution
Apply the appropriate security updates as mentioned in the Cisco advisories:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-epnm-improp-auth-mUwFWUU3
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-xRAnOuO8
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-3hKN3bVt
CVE Name
CVE-2026-20160
CVE-2026-20093
CVE-2026-20155
CVE-2026-20151
CVE-2026-20094
CVE-2026-20095
CVE-2026-20096
CVE-2026-20097
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


