Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Cisco Patches Critical and High-Severity Vulnerabilities

The bugs could lead to authentication bypass, remote code execution, information disclosure, and privilege escalation.

Cisco vulnerabilities

Cisco on Wednesday announced fixes for two critical and six high-severity vulnerabilities that could be exploited for authentication bypass, remote code execution, privilege escalation, and information disclosure.

One of the critical bugs, tracked as CVE-2026-20160, impacts Cisco Smart Software Manager On-Prem (SSM On-Prem) and could allow attackers to abuse an erroneously exposed internal service to execute arbitrary commands.

“An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges,” Cisco says.

The second critical flaw is CVE-2026-20093, an authentication bypass issue rooted in the incorrect handling of password change requests.

An unauthenticated attacker could send crafted HTTP requests to a vulnerable device and modify user passwords, including those of administrators. The attacker could then access the system as an administrator.

On Wednesday, Cisco patched a high-severity defect in Evolved Programmable Network Manager (EPNM) that could allow attackers to access sensitive information, and another in SSM On-Prem that could be exploited for privilege escalation.

Advertisement. Scroll to continue reading.

The company also rolled out fixes for four Integrated Management Controller (IMC) vulnerabilities that could be exploited to execute arbitrary commands and gain root privileges. All flaws exist because user-supplied input is not properly validated on IMC’s web-based management interface.

According to Cisco, more than two dozen enterprise networking products are impacted by the four security defects, including UCS C-series and E-series servers, as well as appliances that are based on them.

Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page.

Related: Exploited Zero-Day Among 21 Vulnerabilities Patched in Chrome

Related: TP-Link Patches High-Severity Router Vulnerabilities

Related: BIND Updates Patch High-Severity Vulnerabilities

Related: Cisco Patches Multiple Vulnerabilities in IOS Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

Spektrum Labs has named Mark Cravotta Chief Operating Officer.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.