CVE-2026-20093

A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.

Data: Cisco advisories 1 day ago · Cisco CSAF 4 hours ago · NVD CVEs 7 hours ago · NVD CPEs 1 day ago · CISA KEV 1 day ago · EPSS 1 day ago

Severity	CRITICAL
CVSS	9.8
EPSS	0.04% EPSS low
CWE	CWE-20
KEV
Published	1 month ago
Modified	1 month ago

Products with public affected evidence

Product	Advisory	Affected evidence
Cisco Unified Computing System E-Series Software (UCSE)	cisco-sa-cimc-auth-bypass-AgG2BxTn	structured affected CSAF product_status
Cisco Unified Computing System (Standalone)	cisco-sa-cimc-auth-bypass-AgG2BxTn	structured affected CSAF product_status
Cisco Enterprise NFV Infrastructure Software	cisco-sa-cimc-auth-bypass-AgG2BxTn	structured affected CSAF product_status