CVE-2026-20160

CVE-2026-20160 PUBLISHED CVSS 9.8 CRITICAL

A critical security vulnerability, CVE-2026-20160, has been identified in Cisco Smart Software Manager On-Prem, and Cisco classifies it as an arbitrary command execution issue with a CVSS score of 9.8 and no available workaround. According to Cisco’s fixed-release information, versions 9-202502 through 9-202510 are affected, versions earlier than 9-202502 are not vulnerable, and 9-202601 is the first fixed release.

Multiple high-severity vulnerabilities, CVE-2026-20094 through CVE-2026-20097, affect the web-based management interface of Cisco IMC across standalone UCS systems, ENCS platforms, Catalyst 8300 Series Edge uCPE, and related appliances, and Cisco rates the advisory at CVSS 8.8 with no available workaround. CVE-2026-20094 can be exploited by an authenticated remote attacker with read-only privileges to perform command injection, while CVE-2026-20095 and CVE-2026-20096 require admin-level privileges for command injection and CVE-2026-20097 can lead to arbitrary code execution as the root user.

A high-severity vulnerability, CVE-2026-20155, has been identified in Cisco Evolved Programmable Network Manager (EPNM), where improper authorization checks on a REST API endpoint can allow an authenticated remote attacker with low privileges to access sensitive information they are not authorized to view. A successful exploit can expose active user session information, including administrator sessions. Cisco’s fixed-software table shows that 8.1 and earlier are affected, with 8.1.2 as the first fixed release for 8.1 and 8.0 and earlier requiring migration to a fixed release.

EPSS 0.25% · 48.4th percentile

Risk Scores

CVSS 3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.25% (48.4th percentile)

Affected Products

| Vendor | Product | Versions |
|--------|---------|----------|
| Cisco | Cisco Unified Computing System (Standalone) | |
| Cisco | Cisco Smart Software Manager On-Prem | between 9-202502 and 9-202510 |
| Cisco | Cisco Evolved Programmable Network Manager (EPNM) | < 8.0 and 8.1 |

Exploit Intelligence

Timeline

  • Apr 1, 2026 CVE Published
  • Apr 1, 2026 PoC Published
  • Apr 1, 2026 PoC Published
  • Apr 1, 2026 PoC Published
  • Apr 2, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score