CVE-2026-20093
Published: 01 April 2026
Summary
CVE-2026-20093 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Cisco Integrated Management (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2026-20093 is a critical vulnerability in the change password functionality of the Cisco Integrated Management Controller (IMC), stemming from incorrect handling of password change requests (CWE-20). It affects IMC systems, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An unauthenticated, remote attacker can exploit this flaw by sending a crafted HTTP request to an affected device, bypassing authentication mechanisms.
The attack scenario targets unauthenticated remote attackers with network access to the IMC. Successful exploitation allows the attacker to alter passwords for any user on the system, including Admin accounts, thereby gaining unauthorized access to the system with those elevated privileges.
The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn provides details on mitigation, including available patches and workarounds for affected IMC versions. Security practitioners should consult this advisory for specific upgrade instructions and verification steps.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17947
Vulnerability details
A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of password change requests.…
more
An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote exploitation of public-facing IMC web interface (T1190) to manipulate account passwords (T1098).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the improper input handling (CWE-20) in password change requests by requiring validation of crafted HTTP inputs.
Ensures secure management of authenticators, including authenticated procedures for password changes to prevent unauthorized alterations.
Enforces approved access control policies to block unauthenticated password changes and subsequent privilege escalation.