đź“ş Missed the runZero Day livestream? Watch it now! Let's Go
runZero CAASM

On This Page:

  1. Latest Cisco Integrated Management Controller vulnerabilities: CVE-2026-20093, CVE-2026-20094, CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097
  2. What is Cisco Integrated Management Controller?
  3. What is the impact?
  4. Are updates or workarounds available?
  5. How to find potentially vulnerable systems with runZero

How to find Cisco Integrated Management Controller installations on your network

Matthew Kienow
|
Updated

Latest Cisco Integrated Management Controller vulnerabilities: CVE-2026-20093, CVE-2026-20094, CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097 #

Cisco disclosed in two advisories that multiple vulnerabilities have been identified in versions of their Integrated Management Controller (IMC).

  • CVE-2026-20093: A vulnerability in the password change functionality could allow a remote, unauthenticated attacker to bypass authentication. Due to incorrect handling of password requests, an attacker could send a crafted HTTP request to alter any user's password, including an Admin account, to gain full system access. This vulnerability has been designated CVE-2026-20093 and has been rated critical with a CVSS score of 9.8.
  • CVE-2026-20094: A vulnerability in the web-based management interface could allow a remote, low-privileged (read-only) attacker to perform command injection. By sending crafted commands to the interface, an attacker could exploit improper input validation to execute arbitrary commands as the root user. This vulnerability has been designated CVE-2026-20094 and has been rated high with a CVSS score of 8.8.
  • CVE-2026-20095 and CVE-2026-20096: Two vulnerabilities in the web-based management interface could allow a remote, high-privileged (admin-level) attacker to perform command injection. Due to improper input validation, an attacker could execute arbitrary commands on the underlying operating system as the root user. The vulnerabilities designated CVE-2026-20095 and CVE-2026-20096 have been rated medium with a CVSS score of 6.5.
  • CVE-2026-20097: A vulnerability in the web-based management interface could allow a remote, high-privileged (admin-level) attacker to execute arbitrary code. By sending crafted HTTP requests to an affected device, an attacker could exploit improper input validation to execute arbitrary code on the underlying operating system as the root user. This vulnerability has been designated CVE-2026-20097 and has been rated medium with a CVSS score of 6.5.

The following Cisco products are affected if they are running a vulnerable release of Cisco IMC, regardless of device configuration:

5000 Series Enterprise Network Compute Systems (ENCS):
(Affected by CVE-2026-20093, CVE-2026-20095, and CVE-2026-20096)

  • Cisco NFV Infrastructure Software (NFVIS) versions 4.15 and earlier

Catalyst 8300 Series Edge uCPE:
(Affected by CVE-2026-20093, CVE-2026-20094, CVE-2026-20095, and CVE-2026-20096)

  • Cisco NFVIS versions 4.16 and earlier
  • Cisco NFVIS version 4.18

UCS C-Series M5 & M6 Rack Servers (Standalone Mode):
(Affected by all CVEs: CVE-2026-20093, CVE-2026-20094, CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097)

  • Cisco IMC versions 4.2 and earlier
  • Cisco IMC version 4.3
  • Cisco IMC version 6.0 (M6 only)

UCS E-Series M3 & M6:
(Affected by CVE-2026-20093, CVE-2026-20094 (M6 only), CVE-2026-20095, and CVE-2026-20096)

  • Cisco IMC versions 3.2 and earlier (M3)
  • Cisco IMC versions 4.15 and earlier (M6)

UCS S-Series Storage Servers (Standalone Mode):
(Affected by CVE-2026-20094, CVE-2026-20095, and CVE-2026-20096)

  • Cisco IMC versions 4.2 and earlier
  • Cisco IMC version 4.3

Cisco Appliances:
The following appliances are affected if the Cisco IMC user interface (UI) is exposed, as these platforms are built upon preconfigured versions of the UCS C-Series Servers listed above:

  • Application Policy Infrastructure Controller (APIC) Servers
  • Business Edition 6000 and 7000 Appliances
  • Catalyst Center Appliances, formerly DNA Center
  • Cisco Telemetry Broker Appliances
  • Cloud Services Platform (CSP) 5000 Series
  • Common Services Platform Collector (CSPC) Appliances
  • Connected Mobile Experiences (CMX) Appliances
  • Connected Safety and Security UCS Platform Series Servers
  • Cyber Vision Center Appliances
  • Expressway Series Appliances
  • HyperFlex Edge Nodes
  • HyperFlex Nodes in HyperFlex Datacenter without Fabric Interconnect (DC-No-FI) deployment mode
  • IEC6400 Edge Compute Appliances
  • IOS XRv 9000 Appliances
  • Meeting Server 1000 Appliances
  • Nexus Dashboard Appliances
  • Prime Infrastructure Appliances
  • Prime Network Registrar Jumpstart Appliances
  • Secure Endpoint Private Cloud Appliances
  • Secure Firewall Management Center Appliances
  • Secure Malware Analytics Appliances
  • Secure Network Analytics Appliances
  • Secure Network Server Appliances
  • Secure Workload Servers

What is Cisco Integrated Management Controller? #

The Cisco Integrated Management Controller is a dedicated baseboard management controller that provides out-of-band hardware configuration, monitoring, and remote control for Cisco UCS C-Series and S-Series servers via a web interface, CLI, or API, independent of the host operating system.

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

5000 Series ENCS:

  • Cisco NFVIS versions 4.15 and earlier: Upgrade to 4.15.5 or later.

Catalyst 8300 Series Edge uCPE:

  • Cisco NFVIS versions 4.16 and earlier: Migrate to a fixed release.
  • Cisco NFVIS version 4.18: Upgrade to 4.18.3 (Apr 2026) or later.

UCS C-Series M5 Rack Server:

  • Cisco IMC versions 4.2 and earlier: Migrate to a fixed release.
  • Cisco IMC version 4.3: Upgrade to 4.3(2.260007) or later.

UCS C-Series M6 Rack Server:

  • Cisco IMC versions 4.2 and earlier: Migrate to a fixed release.
  • Cisco IMC version 4.3: Upgrade to 4.3(6.260017) or later.
  • Cisco IMC version 6.0: Upgrade to 6.0(2.260044) or later.

UCS E-Series M3:

  • Cisco IMC versions 3.2 and earlier: Upgrade to 3.2.17 or later.

UCS E-Series M6:

  • Cisco IMC versions 4.15 and earlier: Upgrade to 4.15.3 or later.

UCS S-Series Storage Server:

  • Cisco IMC versions 4.2 and earlier: Migrate to a fixed release.
  • Cisco IMC version 4.3: Upgrade to 4.3(6.260017) or later.

Notes:

  • NFVIS Platforms: Upgrading Cisco IMC on 5000 Series ENCS and Catalyst 8300 Series Edge uCPE requires an upgrade of the Cisco Enterprise NFVIS. The IMC is updated automatically during the firmware auto-upgrade process.
  • Cisco Appliances: Administrators can typically perform a direct upgrade of the Cisco IMC using the Cisco Host Upgrade Utility (HUU). For specific exceptions, please refer to the detailed instructions in the official Cisco Security Advisory.

How to find potentially vulnerable systems with runZero #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Cisco AND product:="Integrated Management Controller"

Written by Matthew Kienow

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

More about Matthew Kienow
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more

Watch Now • On Demand
Vulnerability management is broken: what's the fix?

HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps.

Watch Now
runZero Hour, Episode 17
The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
On this special edition of runZero Hour, join VP of Security Research Tod Beardsley and Security Research Director Rob King for a deep dive into the future of exposure management.
Watch Now
Product Release
Tackling the New Era of Exposure Management
Fixing what’s broken with legacy tools and overcoming decades-old problems requires a new approach. Dive into how we do it at runZero.
Read More
Webcast
The Unreasonable Effectiveness of Inside Out Attack Surface Management
HD Moore, founder of runZero (and previously Metasploit), presents new research that will forever redefine how you approach attack surface management.
Watch Now

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
runZero CAASM
© Copyright 2026 runZero, Inc. All Rights Reserved