Critical Cisco IMC Auth Bypass Lets Attackers Seize Full Server Control — CVE-2026-20093 (CVSS 9.8)
Cisco patched a critical unauthenticated authentication bypass in its Integrated Management Controller that gives attackers admin-level hardware control over UCS rack servers and over a dozen appliances. No credentials needed.
Cisco released patches on April 3 for CVE-2026-20093, a critical authentication bypass in the Integrated Management Controller (IMC) rated CVSS 9.8. An unauthenticated remote attacker can send a single crafted HTTP request to the IMC web interface, bypass authentication entirely, overwrite any user account password including the Admin account, and seize full out-of-band hardware control of the affected server. No credentials. No prior access. One request.
What’s Affected
The vulnerability targets the IMC component that runs independently of the host OS — meaning a compromised server can be controlled even when the operating system is powered off. Cisco’s advisory lists the following affected products:
- UCS C-Series rack servers (all models)
- UCS S-Series storage servers
- Cisco Application Policy Infrastructure Controller (APIC)
- Secure Firewall Management Center
- Cyber Vision Center
- Cisco UCS B-Series blade servers (when using an affected CIMC release)
The reach extends to every appliance built on UCS C-Series hardware. That’s a wide blast radius in enterprise data centers.
Severity Breakdown
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-20093 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication | None required |
| Impact | Full admin access to IMC; password overwrite |
| Exploit Status | No public PoC confirmed at publication |
Fixed Versions
Cisco shipped fixes across three IMC firmware branches:
- 4.3(2.260007) — upgrade path for 4.3 2.x releases
- 4.3(6.260017) — upgrade path for 4.3 6.x releases
- 6.0(1.250174) — upgrade path for 6.0 releases
If you’re running any 4.2.x build, Cisco has not backported the fix to that branch. Migration to a supported release is required.
What You Should Do Right Now
Patch immediately. A CVSS 9.8 authentication bypass on an out-of-band management interface is the kind of vulnerability that ransomware operators weaponize within days of disclosure. IMC access lets attackers reprogram firmware, install persistent bootkit-level implants, and maintain control even after a full OS reinstall.
While patching:
- Restrict IMC network access — IMC interfaces should never be reachable from production networks or the internet. If yours are, isolate them to a dedicated out-of-band management VLAN with firewall rules.
- Audit recent IMC logs for unexpected login attempts or password change events before patching.
- Check Cisco’s full advisory at
sec.cloudapps.cisco.comfor the complete product list — the affected appliance list is longer than the highlights above.
Cisco’s Track Record With IMC
This is not Cisco’s first IMC rodeo. The IMC attack surface has been a recurring target because it operates entirely outside the host OS security model. Previous critical IMC flaws (CVE-2024-20356, CVE-2023-20228) followed the same pattern: HTTP-level authentication flaws leading to root-equivalent access. Organizations relying on IMC for 24/7 remote server management should treat this interface with the same zero-trust posture as any internet-facing admin panel.
No working public exploit was confirmed at the time of publishing, but given the simplicity of the attack vector — a single malformed HTTP request — that window won’t stay open long.