
Critical Vulnerabilities in Cisco Products

CSA Alerts & Advisories (Singapore)
Published April 6th, 2026
Detected April 6th, 2026

Summary

CSA Singapore issued an alert about critical CVSS 9.8 vulnerabilities in Cisco products affecting IMC and SSM On-Prem systems. CVE-2026-20093 allows authentication bypass enabling password alteration, while CVE-2026-20160 permits remote root command execution. Organizations using affected Cisco products must update immediately.

What changed

CSA Singapore published a critical security alert identifying two CVEs with CVSS v3.1 scores of 9.8 out of 10 in Cisco products. CVE-2026-20093 is an authentication bypass vulnerability in Cisco Integrated Management Controller affecting 5000 Series Enterprise Network Compute Systems, Catalyst 8300 Series Edge uCPE, and UCS C-Series M5/M6 and E-Series Servers. CVE-2026-20160 is a command execution vulnerability in Cisco Smart Software Manager On-Prem arising from unintentional exposure of an internal service that can be abused via crafted API requests.

Users and administrators of affected products must identify their current versions against the listed affected versions and update to the patched versions immediately. For Cisco IMC: update to 4.15.5, 4.18.3, 4.3(2.260007), 4.3(6.260017), 6.0(1.250174), or 3.2.17/4.15.3 for E-Series. For SSM On-Prem: update to Release 9-202601 or later. Failure to patch leaves systems vulnerable to unauthenticated remote attacks enabling complete system compromise.

What to do next

  1. Identify all Cisco IMC and SSM On-Prem installations in your environment
  2. Upgrade affected products to patched versions: IMC 4.15.5/4.18.3/4.3(2.260007)/4.3(6.260017)/6.0(1.250174)/3.2.17/4.15.3; SSM On-Prem 9-202601
  3. Review access logs for signs of exploitation and reset credentials on affected systems
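
The version check behind steps 1 and 2, as an added example that is not part of the CSA or Cisco advisories. The product labels, the inventory rows and the rule that each fixed UCS C-Series release covers the train sharing its first three version components are assumptions made for illustration.

```python
import re

# Fixed releases as listed in the advisory; the product labels are names chosen for this example.
FIXED = {
    "ENCS 5000": ["4.15.5"],
    "Catalyst 8300 uCPE": ["4.18.3"],
    "UCS C-Series M5/M6": ["4.3(2.260007)", "4.3(6.260017)", "6.0(1.250174)"],
    "UCS E-Series M3": ["3.2.17"],
    "UCS E-Series M6": ["4.15.3"],
    "SSM On-Prem": ["9-202601"],
}

def parse(version):
    """Turn '4.15.5', '4.3(2.260007)' or '9-202601' into a comparable tuple of ints."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"no version digits in {version!r}")
    return tuple(int(p) for p in parts)

def status(product, version):
    """Return 'vulnerable', 'patched' or 'review' for one installation."""
    v = parse(version)
    fixes = [parse(f) for f in FIXED[product]]
    if len(fixes) == 1:
        return "patched" if v >= fixes[0] else "vulnerable"
    # Assumption: with several fixed releases, each one covers the release train
    # that shares its first three components, e.g. 4.3(2.x).
    for fix in fixes:
        if v[:3] == fix[:3]:
            return "patched" if v >= fix else "vulnerable"
    # Older than every fixed release: affected. Anything else is on a train the
    # advisory does not list, so check it against Cisco's advisory by hand.
    return "vulnerable" if v < min(fixes) else "review"

# Constructed inventory rows: (host, product label, reported version).
INVENTORY = [
    ("encs-01", "ENCS 5000", "4.15.4"),
    ("ucs-c-01", "UCS C-Series M5/M6", "4.3(2.250037)"),
    ("ucs-c-02", "UCS C-Series M5/M6", "4.3(6.260017)"),
    ("ucs-c-03", "UCS C-Series M5/M6", "4.3(4.240152)"),
    ("ssm-01", "SSM On-Prem", "9-202510"),
]

def triage(inventory):
    """Map each host to its status so unpatched systems can be queued for upgrade."""
    return {host: status(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```

Hosts reported as `review` run a release train the advisory does not list and need a manual check against Cisco's advisory.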

Source document (simplified)

Alerts

Critical Vulnerabilities in Cisco Products

6 April 2026

Cisco has released security updates to address multiple security vulnerabilities in their products. Users and administrators of affected products are advised to update to the latest versions immediately.

Background

Cisco has released security updates to address security vulnerabilities in Cisco Integrated Management Controller (IMC) (CVE-2026-20093) and Cisco Smart Software Manager On-Prem (SSM On-Prem) (CVE-2026-20160). Both vulnerabilities have a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8 out of 10.

Impact

Successful exploitation of the vulnerabilities could lead to the following:

  • CVE-2026-20093: Successful exploitation of this authentication bypass vulnerability in Cisco IMC could allow an unauthenticated remote attacker to bypass authentication by sending crafted HTTP requests. This could enable the attacker to alter the passwords of any user, including admin accounts, and gain elevated access to the system.

  • CVE-2026-20160: Successful exploitation of this vulnerability in Cisco SSM On-Prem could allow an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system with root‑level privileges. The flaw arises from unintentional exposure of an internal service, which can be abused via crafted API requests.

Affected Products

The following product versions are affected by the vulnerabilities.

For CVE-2026-20093:

  • Cisco 5000 Series Enterprise Network Compute Systems versions prior to 4.15.5

  • Cisco Catalyst 8300 Series Edge uCPE versions prior to 4.18.3

  • Cisco UCS C‑Series M5 and M6 Rack Servers versions prior to 4.3(2.260007), 4.3(6.260017), and 6.0(1.250174)

  • Cisco UCS E‑Series Servers M3 versions prior to 3.2.17

  • Cisco UCS E‑Series Servers M6 versions prior to 4.15.3

For CVE-2026-20160:

  • Cisco SSM On-Prem Release versions prior to 9‑202601

Mitigation

Users and administrators of affected products are advised to update to the latest versions immediately.

For additional details and guidance, please refer to Cisco’s official advisories for CVE-2026-20093 and CVE-2026-20160 respectively.

References

https://thehackernews.com/2026/04/cisco-patches-98-cvss-imc-and-ssm-flaws.html

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr

https://nvd.nist.gov/vuln/detail/CVE-2026-20160


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CSA
Published: April 6th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: AL-2026-030

Who this affects

Applies to: Technology companies, Government agencies
Industry sector: 3341 Computer & Electronics Manufacturing, 5170 Telecommunications, 5221 Commercial Banking
Activity scope: Vulnerability Patching, Network Infrastructure Security, Server Management
Geographic scope: Singapore SG

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF, NIST 800-53
Topics: Data Privacy, Network Security
