CVE-2026-20093
CRITICALCisco Integrated Management Controller Authentication Bypass Vulnerability
Title source: cnaDescription
A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.
References (1)
Core 1
Core References
cisco-sa-cimc-auth-bypass-AgG2BxTn
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn
Scores
CVSS v3
9.8
EPSS
0.0099
EPSS Percentile
57.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-20
Status
published
Products (50)
Cisco/Cisco Enterprise NFV Infrastructure Software
3.10.1
Cisco/Cisco Enterprise NFV Infrastructure Software
3.10.2
Cisco/Cisco Enterprise NFV Infrastructure Software
3.10.3
Cisco/Cisco Enterprise NFV Infrastructure Software
3.11.1
Cisco/Cisco Enterprise NFV Infrastructure Software
3.11.2
Cisco/Cisco Enterprise NFV Infrastructure Software
3.11.3
Cisco/Cisco Enterprise NFV Infrastructure Software
3.12.1
Cisco/Cisco Enterprise NFV Infrastructure Software
3.12.1a
Cisco/Cisco Enterprise NFV Infrastructure Software
3.12.1b
Cisco/Cisco Enterprise NFV Infrastructure Software
3.12.2
... and 40 more
Published
Apr 01, 2026
Tracked Since
Apr 01, 2026