CVE-2026-20093
Critical authentication bypass (CVSS 9.8) in Cisco Integrated Management Controller (IMC) that allows an unauthenticated remote attacker to gain full administrative access. The flaw is improper input validation (CWE-20) in the password change functionality of the IMC web interface and XML API: the system does not validate the authorization context of a password modification request before applying the update to the backend database.

An unauthenticated attacker can craft an XML POST request that invokes the configConfMo method with an aaaUser object, targeting the default admin account's Distinguished Name (DN) sys/user-ext/user-admin, and set that account's credentials without holding a valid authenticated session.

With administrative access to the IMC management interface (reachable via the XML API, WebUI, and CLI), an attacker can control the server hardware, modify BIOS settings, access virtual media, monitor hardware health, and potentially pivot to the workloads the server hosts.

Disclosed by Cisco PSIRT on April 1, 2026. Discovered by security researcher jyh.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-20
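The advisory describes the request as a configConfMo call carrying an aaaUser object for the DN sys/user-ext/user-admin, sent without a valid session. The following detection helper, an added example that is not Cisco's code and not part of the advisory, classifies captured XML API request bodies against that pattern. It assumes the general Cisco IMC XML API request shape (a configConfMo element with a cookie attribute holding the session token and an inConfig child carrying the managed object being written); that shape, and the sample request bodies, are constructed for the example and are not stated in the advisory.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample request bodies (not captured traffic). The element and
# attribute names follow the general Cisco IMC XML API conventions; the exact
# payload shape is an assumption, not something the advisory states.
SAMPLE_REQUESTS = [
    # 0: no session cookie, rewrites the default admin password
    '<configConfMo dn="sys/user-ext/user-admin" inHierarchical="false">'
    '<inConfig><aaaUser dn="sys/user-ext/user-admin" pwd="N3wPassw0rd!"/></inConfig>'
    '</configConfMo>',
    # 1: same write, but carrying a session cookie (ordinary admin activity)
    '<configConfMo cookie="1700000000/7c2e9a" dn="sys/user-ext/user-admin" inHierarchical="false">'
    '<inConfig><aaaUser dn="sys/user-ext/user-admin" pwd="N3wPassw0rd!"/></inConfig>'
    '</configConfMo>',
    # 2: unrelated authenticated read
    '<configResolveClass cookie="1700000000/7c2e9a" classId="computeRackUnit" inHierarchical="false"/>',
    # 3: not XML at all
    'cookie=abc&action=reboot',
]


def classify_request(body: str) -> Optional[Tuple[str, str]]:
    """Classify one XML API request body.

    Returns (severity, dn) for configConfMo requests that write an aaaUser
    object under sys/user-ext/ with a pwd attribute:
      "alert" when the request carries no session cookie (the pattern the
              advisory describes), "audit" when a cookie is present.
    Returns None for anything else, including unparsable bodies.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "configConfMo":
        return None
    in_config = root.find("inConfig")
    if in_config is None:
        return None
    for mo in in_config:
        if mo.tag != "aaaUser" or "pwd" not in mo.attrib:
            continue
        # The DN may sit on the managed object or on the enclosing call.
        dn = mo.get("dn") or root.get("dn", "")
        if not dn.startswith("sys/user-ext/"):
            continue
        has_cookie = bool(root.get("cookie", "").strip())
        return ("audit" if has_cookie else "alert", dn)
    return None


def triage(bodies: List[str]) -> List[Tuple[int, str, str]]:
    """Run classify_request over a batch; returns (index, severity, dn) hits."""
    hits = []
    for i, body in enumerate(bodies):
        result = classify_request(body)
        if result is not None:
            hits.append((i, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for idx, severity, dn in triage(SAMPLE_REQUESTS):
        print(f"request {idx}: {severity} - aaaUser password write to {dn}")
```

The cookie-presence check is a heuristic. The defect the advisory describes is that the backend did not validate the authorization context of the request, so a request carrying a stale or fabricated cookie value would not be caught by this rule; treat every "audit" hit on sys/user-ext/user-admin as worth correlating with a preceding successful aaaLogin from the same source, and apply the vendor fix rather than relying on detection alone.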