Critical Cisco IMC flaw lets attackers bypass authentication and take over admin accounts


Cisco has disclosed a critical vulnerability in its Integrated Management Controller that can let a remote attacker bypass authentication and gain access as Admin. The flaw, tracked as CVE-2026-20093, carries a CVSS score of 9.8 and affects the password change functionality in Cisco IMC.

According to Cisco, the bug exists because the software incorrectly handles password change requests. An attacker can exploit it by sending a crafted HTTP request to an affected device, then changing the password of any existing user, including the primary administrator account.

That makes this more than a routine patch. Cisco IMC is an out-of-band management interface, so a successful attack can hand over deep control of the system even if the main operating system is offline or unresponsive. Cisco says there are no workarounds, which makes patching the only real fix.

What systems are affected

Cisco says the flaw affects several standalone products when they run vulnerable IMC software. The list includes 5000 Series Enterprise Network Compute System devices, Catalyst 8300 Series Edge uCPE platforms, UCS C-Series M5 and M6 Rack Servers in standalone mode, and UCS E-Series M3 and M6 servers.

The exposure goes beyond those standalone systems. Cisco says a long list of Cisco appliances built on affected UCS C-Series servers can also be vulnerable if their Cisco IMC user interface is exposed. That group includes products such as APIC servers, Catalyst Center appliances, Secure Firewall Management Center appliances, and Secure Network Analytics appliances.

Some platforms do not appear in the affected set. Cisco says UCS B-Series Blade Servers, UCS X-Series Modular Systems, and UCS C-Series M7 and M8 Rack Servers are not affected by this flaw.

Why this bug matters

This vulnerability sits in a highly sensitive spot. IMC handles remote server administration, so anyone who can bypass authentication and reset an admin password can move straight into full management access. That can open the door to system hijacking, disruption, further malware deployment, or follow-on attacks inside the network.

The risk grows if the IMC interface is exposed to a local network segment with broad access, or worse, directly to the internet. CSO noted that the flaw can be triggered through crafted HTTP requests, which means exposed management interfaces face immediate risk until they are patched.

Cisco says it has not found evidence of in-the-wild exploitation and is not aware of any public proof-of-concept code as of the advisory. Still, the company strongly recommends immediate upgrades because defenders do not have a temporary mitigation to fall back on.

Patch guidance and fixed versions

Cisco says the fix depends on the platform. For 5000 Series ENCS and Catalyst 8300 Series Edge uCPE, administrators need to upgrade the underlying Cisco Enterprise NFVIS software because the IMC update is bundled into that process.

For standalone servers, Cisco says administrators can generally use the Cisco Host Upgrade Utility to install fixed IMC releases. Reported fixed versions include 4.3(2.260007) or later for UCS C-Series M5, 4.3(6.260017) or later for UCS C-Series M6, 6.0(2.260044) or later for M6 systems on the 6.0 branch, 3.2.17 or later for UCS E-Series M3, and 4.15.3 or later for UCS E-Series M6.
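
One way to check an inventory against the fixed releases listed above, as an added example that is not code from Cisco or from this article. The platform labels, hostnames and running versions are constructed for illustration, and treating anything on a newer branch as fixed is this example's reading of "or later". ENCS and Catalyst 8300 systems are left out because their fix ships through NFVIS.

```python
import re

# First fixed IMC releases as reported in this article. The platform keys
# are labels made up for this example, not Cisco identifiers.
FIXED = {
    "ucs-c-m5": ["4.3(2.260007)"],
    "ucs-c-m6": ["4.3(6.260017)", "6.0(2.260044)"],
    "ucs-e-m3": ["3.2.17"],
    "ucs-e-m6": ["4.15.3"],
}

_VERSION = re.compile(r"\d+(?:\.\d+)*(?:\(\d+(?:\.\d+)*\))?")

def parse(version):
    """Turn '4.3(2.260007)' into (4, 3, 2, 260007); None if not purely numeric."""
    if not _VERSION.fullmatch(version.strip()):
        return None
    return tuple(int(n) for n in re.findall(r"\d+", version))

def status(platform, running):
    """Return 'fixed', 'upgrade' or 'unknown' for one inventory entry."""
    have = parse(running)
    if platform not in FIXED or have is None or len(have) < 2:
        return "unknown"          # e.g. letter-suffixed builds: check by hand
    fixed = sorted(parse(v) for v in FIXED[platform])
    for want in fixed:
        if have[:2] == want[:2]:  # same release branch: compare directly
            return "fixed" if have >= want else "upgrade"
    if have[:2] < fixed[0][:2]:   # older than every fixed branch
        return "upgrade"
    if have[:2] > fixed[-1][:2]:  # newer than every fixed branch ("or later")
        return "fixed"
    return "unknown"              # between listed branches: consult the advisory

# Constructed inventory for illustration (hostnames and versions are made up).
INVENTORY = [
    ("rack-01", "ucs-c-m5", "4.3(2.260007)"),
    ("rack-02", "ucs-c-m6", "6.0(1.250100)"),
    ("rack-03", "ucs-c-m6", "4.3(6.260020)"),
    ("edge-01", "ucs-e-m3", "3.2.16"),
    ("edge-02", "ucs-e-m6", "4.15.10"),
    ("rack-04", "ucs-c-m5", "4.2(3e)"),
]

def report(inventory=INVENTORY):
    return {host: status(platform, ver) for host, platform, ver in inventory}

if __name__ == "__main__":
    print(report())
```

Versions are compared as integer tuples, so 4.15.10 correctly sorts after 4.15.3, and an M6 on the 6.0 branch is measured against the 6.0 fix rather than the 4.3 one.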

Cisco credited security researcher Marcin Godula for reporting the flaw. That detail matters because it shows the issue came through responsible disclosure rather than from a public exploit campaign.

Key points

  • CVE-2026-20093 is a critical Cisco IMC authentication bypass flaw with a CVSS score of 9.8.
  • The bug lets an unauthenticated remote attacker send a crafted HTTP request and gain access as Admin.
  • Affected products include ENCS 5000, Catalyst 8300 Edge uCPE, UCS C-Series M5 and M6 standalone servers, and UCS E-Series M3 and M6.
  • Many Cisco appliances built on affected UCS C-Series hardware can also be at risk if the IMC interface is exposed.
  • Cisco says there are no workarounds, so patching is the only fix.

Affected products and fixes at a glance

Product or platform | Affected condition | Fix path
5000 Series ENCS | Vulnerable NFVIS/IMC combinations | Upgrade NFVIS to a fixed release
Catalyst 8300 Series Edge uCPE | Vulnerable NFVIS/IMC combinations | Upgrade NFVIS, including 4.18.3 or later where applicable
UCS C-Series M5 Rack Server | Vulnerable IMC releases | Upgrade to 4.3(2.260007) or later
UCS C-Series M6 Rack Server | Vulnerable IMC releases | Upgrade to 4.3(6.260017) or 6.0(2.260044) or later, depending on branch
UCS E-Series M3 | Vulnerable IMC releases | Upgrade to 3.2.17 or later
UCS E-Series M6 | Vulnerable IMC releases | Upgrade to 4.15.3 or later

What admins should do now

  • Identify every server and appliance that exposes Cisco IMC.
  • Check whether the IMC interface is reachable from broad internal segments or the internet.
  • Upgrade to the fixed release for the affected platform.
  • Restrict IMC exposure to tightly controlled admin networks.
  • Review admin accounts and password changes after patching.

FAQ

What is CVE-2026-20093?

It is a critical authentication bypass flaw in Cisco Integrated Management Controller. Cisco says a remote attacker can exploit it through the password change functionality and gain Admin access.

Does this bug require valid credentials?

No. Cisco says an unauthenticated remote attacker can trigger the flaw with a crafted HTTP request.

Are there any workarounds?

No. Cisco says no workaround exists for this vulnerability. Administrators need to install the fixed software.

Has Cisco seen active exploitation?

Cisco says it has not seen evidence of malicious exploitation in the wild and is not aware of public exploit code as of the advisory date.
