
Apr 06, 2026 · 6 min read

One HTTP Request Makes You Admin on Thousands of Cisco Servers

CVE-2026-20093 lets unauthenticated attackers reset any password on Cisco's Integrated Management Controller, including the admin account.


What Happened

Cisco released emergency firmware updates on April 2, 2026 to address CVE-2026-20093, a critical authentication bypass vulnerability in the Integrated Management Controller (IMC) that scores 9.8 out of 10 on the CVSS severity scale. The flaw allows an unauthenticated remote attacker to send a single crafted HTTP request to bypass all authentication, change any user's password including the administrator account, and gain full control of the affected system.

No exploit code has been published yet, and Cisco says there is no evidence of active exploitation in the wild. But with a severity score this high and an attack that requires no authentication, no user interaction, and low complexity, it is only a matter of time before proof-of-concept code appears.

How the Vulnerability Works

The Cisco Integrated Management Controller is a baseboard management controller (BMC) built into Cisco's server hardware. It provides out-of-band management, meaning administrators can monitor, configure, and troubleshoot servers remotely, even when the operating system is down or unresponsive. The IMC operates at the hardware layer, below the operating system, with its own network interface and web-based management console.

CVE-2026-20093 exists because of incorrect handling of password change requests in the IMC's XML API and web management interface. The input validation in the user credential update process fails to verify that the requester is actually authenticated. An attacker can send a crafted HTTP request that triggers a password change for any account on the system, without ever providing valid credentials.

Once the attacker resets the admin password, they have full control of the IMC, which means full control of the server hardware itself.

Why This Is Worse Than a Typical Server Vulnerability

Most server vulnerabilities affect the operating system or an application running on it. This one affects the management controller underneath everything. Compromising the IMC gives an attacker capabilities that go beyond what even root access to the operating system provides:

  • Persistent access: The IMC operates independently of the server's OS. Reinstalling the operating system does not remove an attacker who controls the BMC.
  • Hardware-level control: The IMC can power cycle servers, mount virtual media, access the system console, and modify BIOS settings.
  • Invisible to security tools: Because the IMC runs below the OS, endpoint detection and antivirus software cannot see or prevent actions taken through it.
  • Network pivot point: The IMC has its own network interface, potentially giving attackers access to management networks that are separate from the production network.

What Is Affected

The vulnerability affects a wide range of Cisco products that use the Integrated Management Controller:

  • Cisco UCS C Series M5 and M6 Rack Servers (standalone mode)
  • Cisco UCS E Series M3 Servers
  • Cisco 5000 Series Enterprise Network Compute System (ENCS)
  • Cisco Catalyst 8300 Series Edge uCPE

Because many Cisco appliances are built on preconfigured UCS C Series hardware, the list of affected products extends further to include Application Policy Infrastructure Controller (APIC) servers, Cyber Vision Center appliances, Secure Firewall Management Center, and Malware Analytics appliances. An organization might not realize its security appliance is built on affected hardware until it checks Cisco's advisory.

What You Should Do

Cisco has released firmware updates for all affected product lines:

  • UCS C Series M5 and M6: update to 4.3(2.260007), 4.3(6.260017), or 6.0(1.250174)
  • 5000 Series ENCS: update to 4.15.5
  • Catalyst 8300 Series: update to 4.18.3
  • UCS E Series M3: update to 3.2.17
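The fixed releases above can be turned into an inventory check. The Python below is an added example, not Cisco's tooling or code from this article; its split of the two version formats into a release train and a build number is my own reading of the strings shown here and is an assumption, as are the hostnames and running versions in the constructed sample.

```python
import re

# Fixed firmware releases for CVE-2026-20093 as listed in the article (from Cisco's advisory).
FIXED_VERSIONS = {
    "UCS C Series M5/M6": ["4.3(2.260007)", "4.3(6.260017)", "6.0(1.250174)"],
    "5000 Series ENCS": ["4.15.5"],
    "Catalyst 8300 Series": ["4.18.3"],
    "UCS E Series M3": ["3.2.17"],
}

# Matches both formats on the page: "4.3(2.260007)" and plain dotted "4.15.5".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\((\d+(?:\.\d+)*)\))?$")

def parse_version(version):
    """Split a version into (release train, build). Assumption, not Cisco's definition:
    in "4.3(2.260007)" the train is 4.3(2 and the build 260007; in "4.15.5" the train
    is 4.15 and the build 5. Builds are only comparable within one train."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IMC version string: {version!r}")
    outer = [int(x) for x in m.group(1).split(".")]
    if m.group(2) is not None:
        inner = [int(x) for x in m.group(2).split(".")]
        return tuple(outer + inner[:1]), tuple(inner[1:])
    return tuple(outer[:-1]), tuple(outer[-1:])

def assess(product, running):
    """Return 'fixed', 'vulnerable' or 'unknown_train'. A train with no fixed release
    in the advisory is reported as unknown_train and never assumed safe."""
    train, build = parse_version(running)
    for fixed in FIXED_VERSIONS[product]:
        fixed_train, fixed_build = parse_version(fixed)
        if fixed_train == train:
            return "fixed" if build >= fixed_build else "vulnerable"
    return "unknown_train"

def check_inventory(rows):
    """Return (host, status) for every (host, product, version) row that is not fixed."""
    statuses = ((host, assess(product, version)) for host, product, version in rows)
    return [(host, status) for host, status in statuses if status != "fixed"]

if __name__ == "__main__":
    # Constructed sample inventory: hostnames and running versions are made up.
    for host, status in check_inventory([
        ("cimc-rack-01", "UCS C Series M5/M6", "4.3(2.250100)"),
        ("encs-branch-07", "5000 Series ENCS", "4.15.4"),
        ("ucpe-site-03", "Catalyst 8300 Series", "4.19.1"),
    ]):
        print(f"{host}: {status}")
```

Devices reported as unknown_train run a train the advisory lists no fix for and must be checked against the advisory by hand rather than marked patched.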

There are no workarounds. If you cannot patch immediately, Cisco recommends isolating IMC management interfaces from all public and untrusted networks, enforcing VPN-only or zero-trust access controls for management traffic, and monitoring for unexpected password change events in IMC audit logs.

If your IMC management interface has been exposed to the internet, treat the system as potentially compromised regardless of whether you see evidence of exploitation. Review all account passwords and check for unauthorized configuration changes. The recent Interlock ransomware campaign that exploited a Cisco firewall zero-day for 36 days is a reminder that attackers routinely exploit Cisco infrastructure flaws before defenders can respond.

The Bigger Picture

BMC and out-of-band management vulnerabilities are among the most dangerous classes of server flaws because they provide access that persists across OS reinstalls and sits below the visibility of traditional security tools. In 2025 and 2026, researchers have increasingly focused on these hardware management layers, and what they are finding is concerning.

For organizations running Cisco infrastructure, the message is straightforward: management interfaces should never be reachable from the internet, and patching BMC firmware must be treated with the same urgency as patching the operating system. The hardware that manages your servers is only as secure as the firmware running on it.