Cyber Resilience

CVE-2026-20093

Critical

Published: 01 April 2026

Published
01 April 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0099 58.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-20093 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Cisco Integrated Management (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-20093 is a critical vulnerability in the change password functionality of the Cisco Integrated Management Controller (IMC), stemming from incorrect handling of password change requests (CWE-20). It affects IMC systems, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An unauthenticated, remote attacker can exploit this flaw by sending a crafted HTTP request to an affected device, bypassing authentication mechanisms.

The attack scenario targets unauthenticated remote attackers with network access to the IMC. Successful exploitation allows the attacker to alter passwords for any user on the system, including Admin accounts, thereby gaining unauthorized access to the system with those elevated privileges.

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn provides details on mitigation, including available patches and workarounds for affected IMC versions. Security practitioners should consult this advisory for specific upgrade instructions and verification steps.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of password change requests.…

more

An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Direct unauthenticated remote exploitation of public-facing IMC web interface (T1190) to manipulate account passwords (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-48913Shared CWE-20
CVE-2025-67484Shared CWE-20
CVE-2026-4755Shared CWE-20
CVE-2026-23489Shared CWE-20
CVE-2025-54385Shared CWE-20
CVE-2026-48188Shared CWE-20
CVE-2026-22567Shared CWE-20
CVE-2026-26063Shared CWE-20
CVE-2024-36047Shared CWE-20
CVE-2025-37173Shared CWE-20

Affected Assets

Cisco
Integrated Management
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the improper input handling (CWE-20) in password change requests by requiring validation of crafted HTTP inputs.

prevent

Ensures secure management of authenticators, including authenticated procedures for password changes to prevent unauthorized alterations.

prevent

Enforces approved access control policies to block unauthenticated password changes and subsequent privilege escalation.

References