Ireland NCSC Home

Critical Cisco IMC Authentication Bypass CVE-2026-20093 CVSS 9.8

The NCSC Ireland has issued a critical advisory for CVE-2026-20093, a Cisco Integrated Management Controller (IMC) authentication bypass vulnerability with CVSS score 9.8. The flaw in the change password functionality could allow unauthenticated remote attackers to bypass authentication, alter any user password including Admin, and gain full system access. Affected products include Cisco 5000 Series ENCS, Catalyst 8300 Series Edge uCPE, UCS C-Series M5/M6 Rack Servers, UCS E-Series M3/M6, and numerous Cisco appliances built on UCS C-Series platforms. The NCSC strongly recommends installing updates with highest priority after thorough testing.

Critical Cisco FMC Remote Code Execution Vulnerability CVE-2026-20131 CVSS 10.0

The NCSC issued an advisory on April 2, 2026, detailing CVE-2026-20131, a critical vulnerability (CVSS 10.0) in Cisco Secure Firewall Management Center (FMC) software. The flaw allows an unauthenticated remote attacker to execute arbitrary Java code as root via insecure deserialization of user-supplied input in the web-based management interface. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog and is actively used by ransomware operators. The NCSC strongly recommends installing vendor updates with highest priority after testing.

Critical Improper Access Control Vulnerability in FortiClientEMS CVE-2026-35616

NCSC Ireland issued a critical vulnerability advisory for CVE-2026-35616 affecting Fortinet FortiClientEMS versions 7.4.5 through 7.4.6. The improper access control vulnerability may allow unauthenticated attackers to execute unauthorized code via crafted requests. The vulnerability carries CVSS Score 1 and is listed in the CISA Known Exploited Vulnerabilities catalog. Affected organisations should install updates with highest priority using the out-of-band hotfix released by Fortinet.