Cisco Smart Software Manager flaw lets attackers run commands as root


Cisco has disclosed a critical vulnerability in Smart Software Manager (SSM) On-Prem that can let an unauthenticated remote attacker execute arbitrary commands on the underlying operating system. The bug, tracked as CVE-2026-20160, carries a CVSS score of 9.8 and affects SSM On-Prem deployments that run an affected release and are reachable over the network.

According to Cisco’s advisory, the issue exists because an internal service was unintentionally exposed. An attacker can exploit it by sending a crafted request to the API of that exposed service, and a successful attack can result in command execution with root-level privileges.

That makes this a high-priority patch for enterprises that run Cisco's on-prem licensing platform. A successful compromise would hand an attacker full control of the host, opening a path to data theft, lateral movement, or malware deployment inside the network.

What is affected and what is fixed

Cisco says the vulnerability affects Cisco Smart Software Manager On-Prem releases 9-202502 through 9-202510, and has fixed it in release 9-202601. Releases earlier than 9-202502 are not affected, according to Cisco's published version guidance.

Cisco also says there are no workarounds for this flaw. Upgrading is therefore the only supported fix; organizations cannot rely on a temporary configuration change to remove the risk, although limiting which networks can reach the SSM On-Prem host reduces exposure until the upgrade is done.

Cisco adds that the flaw does not affect every Cisco licensing product. The advisory applies specifically to Smart Software Manager On-Prem, not to other Cisco products that use different licensing or management components.

No known attacks yet, but the risk is still urgent

Cisco says its Product Security Incident Response Team is not aware of public exploit code or malicious use in the wild at the time of disclosure. The company also says it found the vulnerability internally while resolving a Cisco Technical Assistance Center support case.

That is good news, but it should not lead to delay. Critical Cisco bugs often attract attention quickly once patch details become public, especially when exploitation requires no authentication and leads straight to root-level command execution. Defenders should apply this fix before attackers have time to reverse-engineer the update.

BleepingComputer also noted that Cisco strongly recommends customers upgrade because no workaround exists. That lines up with the core message in Cisco’s own advisory and reinforces the need for immediate action in exposed environments.

Cisco Smart Software Manager CVE-2026-20160 at a glance

Item                     Details
Vulnerability            CVE-2026-20160
Product                  Cisco Smart Software Manager On-Prem
Severity                 CVSS 9.8
Attack requirement       Unauthenticated remote access
Root cause               Unintentional exposure of an internal service
Impact                   Arbitrary command execution on the host OS
Privilege level          Root
Vulnerable versions      9-202502 through 9-202510
Fixed version            9-202601
Workaround               None

What admins should do now

  • Identify every Cisco Smart Software Manager On-Prem deployment in your environment.
  • Check whether any instance runs a version from 9-202502 through 9-202510.
  • Upgrade affected systems to version 9-202601 as soon as possible.
  • Review internet exposure and restrict access to the SSM On-Prem host (and other management systems) to administrative networks wherever possible.
  • Look for unusual API activity or suspicious command execution on SSM On-Prem hosts, such as unexpected processes running as root that were spawned by the application's services.
  • Treat any publicly reachable vulnerable instance as high risk until patched.
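The version check and exposure triage from the steps above, as an added example that is not Cisco's tooling or code from the article: it parses Cisco's 9-YYYYMM release strings, tests each host against the affected range the advisory gives (9-202502 through 9-202510, fixed in 9-202601), and ranks hosts so internet-reachable vulnerable instances come first. It also handles two edge cases a practitioner hits in real inventories: a blank or malformed version is classified as unknown rather than safe, and a release newer than 9-202510 but older than the 9-202601 fix is flagged for verification against the advisory rather than assumed clean. The inventory, hostnames and the internet_reachable flag are constructed sample data; in practice you would feed them from your CMDB or firewall inventory.

```python
"""Triage helper for the CVE-2026-20160 upgrade decision.

Added example, not Cisco's code or code from the article. It parses Cisco's
SSM On-Prem release strings ("9-YYYYMM", e.g. "9-202510"), checks each host
against the affected range the advisory publishes, and ranks hosts by urgency.
The inventory at the bottom is constructed sample data.
"""
import re
from dataclasses import dataclass

# Affected range and fixed release as published in Cisco's advisory.
FIRST_AFFECTED = "9-202502"
LAST_AFFECTED = "9-202510"
FIXED = "9-202601"

_RELEASE_RE = re.compile(r"^(\d+)-(\d{6})$")


def parse_release(release: str) -> tuple[int, int]:
    """Turn '9-202510' into a comparable (major, yyyymm) tuple.

    Raises ValueError for anything outside the 9-YYYYMM scheme so that a blank
    or malformed version is never silently treated as patched.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised SSM On-Prem release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(release: str) -> bool:
    """True if the release is inside 9-202502 .. 9-202510 inclusive."""
    v = parse_release(release)
    return parse_release(FIRST_AFFECTED) <= v <= parse_release(LAST_AFFECTED)


@dataclass
class Host:
    name: str
    release: str
    internet_reachable: bool  # assumption: filled from your firewall/NAT inventory


def disposition(host: Host) -> str:
    """Classify one host.

    patch-now  vulnerable and reachable from the internet
    patch      vulnerable, internal only
    unknown    version string could not be parsed; treat as vulnerable
    verify     newer than 9-202510 but older than the 9-202601 fix; not in
               Cisco's listed range, so confirm against the advisory
    ok         on 9-202601 or later, or earlier than 9-202502
    """
    try:
        v = parse_release(host.release)
    except ValueError:
        return "unknown"
    if is_vulnerable(host.release):
        return "patch-now" if host.internet_reachable else "patch"
    if parse_release(LAST_AFFECTED) < v < parse_release(FIXED):
        return "verify"
    return "ok"


_URGENCY = {"patch-now": 0, "unknown": 1, "patch": 2, "verify": 3, "ok": 4}


def triage(hosts: list[Host]) -> list[tuple[str, str]]:
    """Return (hostname, disposition) pairs, most urgent first."""
    rows = [(h.name, disposition(h)) for h in hosts]
    return sorted(rows, key=lambda r: (_URGENCY[r[1]], r[0]))


# Constructed sample inventory; the hostnames and versions are invented.
SAMPLE_HOSTS = [
    Host("ssm-dc1", "9-202510", internet_reachable=True),
    Host("ssm-dc2", "9-202601", internet_reachable=True),
    Host("ssm-lab", "9-202502", internet_reachable=False),
    Host("ssm-old", "9-202412", internet_reachable=False),
    Host("ssm-nov", "9-202512", internet_reachable=False),
    Host("ssm-stale", "", internet_reachable=True),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_HOSTS):
        print(f"{name:10} {action}")
```

Running the script prints the sample hosts ordered patch-now, unknown, patch, verify, ok. The "unknown" bucket sits near the top on purpose: a host whose version you cannot read is a host you cannot prove is patched, and a publicly reachable one belongs with the urgent work rather than at the bottom of the list.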

FAQ

What does CVE-2026-20160 do?

It allows an unauthenticated remote attacker to send a crafted request to an exposed internal service API and execute arbitrary commands on the underlying operating system with root privileges.

Which Cisco product is affected?

The flaw affects Cisco Smart Software Manager On-Prem. Cisco’s advisory ties the issue specifically to that product and its affected release range.

Is there a workaround?

No. Cisco says there are no workarounds for this vulnerability, so patching to the fixed release is the required mitigation.

Has Cisco seen active exploitation?

Cisco says it is not aware of public exploit code or active malicious use at the time of publication.
