CVE-2026-20151
Published: 01 April 2026
Summary
CVE-2026-20151 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem). Its CVSS v3.1 base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 14.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-8 (Transmission Confidentiality and Integrity): protects sensitive session credentials transmitted in web interface status messages by enforcing confidentiality and integrity, directly preventing their exposure and the subsequent privilege escalation.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the software flaw that causes session credentials to be transmitted improperly, eliminating the root cause of the vulnerability.
- Monitors the system for unauthorized disclosure of sensitive session information in web interface communications, enabling early detection of exploitation attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables credential exposure through the improper transmission of session credentials by a web application (T1552, Unsecured Credentials), which in turn yields authenticated privilege escalation (T1068).
NVD Description
A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit this vulnerability by sending a crafted message to an affected Cisco SSM On-Prem host and retrieving session credentials from subsequent status messages. A successful exploit could allow the attacker to elevate privileges on the affected system from low to administrative. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of System User. Note: This vulnerability exposes information only about users who logged in to the Cisco SSM On-Prem host using the web interface and who are currently logged in. SSH sessions are not affected.
Deeper analysis
CVE-2026-20151 is a privilege escalation vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem). It stems from improper transmission of sensitive user information, enabling an authenticated, remote attacker to retrieve session credentials. The issue affects systems where users log in via the web interface, but does not impact SSH sessions or expose information about non-active web sessions.
An attacker with valid credentials for a user account holding at least the System User role can exploit this by sending a crafted message to the SSM On-Prem host and capturing session credentials from subsequent status messages. Exploitation requires user interaction (UI:R) and has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), allowing elevation from low privileges to administrative access on the affected system, with high confidentiality and integrity impacts but no availability effect. The root cause is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data): the server places data in an outbound message that the recipient is not entitled to see.
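As an added illustration of the CWE-201 pattern the analysis above describes, and of the egress monitoring the controls section calls for, the following toy code is not from this page and is not Cisco SSM On-Prem code; it makes no claim about how the product builds its messages. It shows a status-message builder that serialises whole session records (so every caller receives every active user's token), the hardened form that projects sessions onto an explicit field allowlist, and a send-time check that refuses to emit a reply containing any active session token. The session table, field names and token format are constructed for the example.

```python
"""Toy CWE-201 illustration: session secrets inserted into a status reply,
the allowlisted fix, and an egress check. Hypothetical code written for
this page; names, token format and sessions are assumptions."""
import json
import re
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List


@dataclass
class WebSession:
    user: str
    role: str
    session_token: str  # the secret that must never leave the server
    login_ts: int


# Constructed sample session table: one administrator, one low-privilege user.
ACTIVE_SESSIONS: Dict[str, WebSession] = {
    "s1": WebSession("admin", "System Administrator", "tok-ADMIN-9f3c1a77", 1700000000),
    "s2": WebSession("alice", "System User", "tok-USER-41b0e2d9", 1700000300),
}


def status_message_vulnerable(caller_session_id: str) -> str:
    """Vulnerable: dumps whole session records into the reply, so any
    authenticated caller (here 'alice') learns the admin's token (CWE-201)."""
    payload = {"ok": True, "sessions": [asdict(s) for s in ACTIVE_SESSIONS.values()]}
    return json.dumps(payload)


# Allowlist: the only session fields a status reply is permitted to carry.
STATUS_FIELDS = ("user", "role", "login_ts")


def status_message_hardened(caller_session_id: str) -> str:
    """Hardened: project each session onto the allowlist. A secret can only
    leak if someone deliberately adds its field name to STATUS_FIELDS."""
    safe = [{k: getattr(s, k) for k in STATUS_FIELDS} for s in ACTIVE_SESSIONS.values()]
    return json.dumps({"ok": True, "sessions": safe})


# Shape of the toy tokens above (assumption); catches token-like strings that
# are not in the live table, e.g. a token belonging to a session that just ended.
TOKEN_RE = re.compile(r"tok-[A-Z]+-[0-9a-f]{8}")


def leaked_tokens(outbound: str) -> List[str]:
    """Egress check (the monitoring control): return every active session
    token, or anything token-shaped, found in data about to be sent."""
    known = {s.session_token for s in ACTIVE_SESSIONS.values()}
    found = set(TOKEN_RE.findall(outbound)) | {t for t in known if t in outbound}
    return sorted(found)


def send_status(caller_session_id: str, builder: Callable[[str], str]) -> str:
    """Wrap any builder with the egress check so a regression that reintroduces
    the leak is caught before the bytes leave the process."""
    msg = builder(caller_session_id)
    leaks = leaked_tokens(msg)
    if leaks:
        raise RuntimeError(f"refusing to send: {len(leaks)} session token(s) in payload")
    return msg


if __name__ == "__main__":
    # 'alice' (low privilege) asks for status; the vulnerable path hands her the admin token.
    print("vulnerable leaks:", leaked_tokens(status_message_vulnerable("s2")))
    print("hardened leaks:  ", leaked_tokens(status_message_hardened("s2")))
    print("sent:", send_status("s2", status_message_hardened))
```

The allowlist is the structural fix: serialising an object and then trying to strip secrets from it fails the first time a new secret field is added, whereas an explicit projection can only leak a field someone consciously listed. The egress check is a second, independent layer and is what the monitoring control in the table above amounts to in practice.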
The official Cisco Security Advisory provides details on this vulnerability, including affected versions and recommended mitigations, available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-priv-esc-xRAnOuO8. Security practitioners should consult it for patching instructions and workarounds.
Details
- CWE(s)