Cyber Resilience

CVE-2026-20160

Severity: Critical
Published: 01 April 2026
Modified: 03 April 2026
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0091 (55.5th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-20160 is a critical-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Cisco Smart Software (product inferred from references). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 44.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-20160 is a high-severity vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that unintentionally exposes an internal service, enabling an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. Because the service was never meant to be reachable from the network, its API becomes an unauthenticated entry point. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-668 (Exposure of Resource to Wrong Sphere).

An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted request to the API of the exposed internal service. Successful exploitation grants root-level privileges on the underlying operating system, which can lead to full compromise of the SSM On-Prem host, including data exfiltration, persistence, or further lateral movement within the network.

The Cisco Security Advisory provides details on mitigation, available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr.


Vulnerability details

A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This vulnerability is due to the unintentional exposure of an internal service. An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

CWE(s)

CWE-668 Exposure of Resource to Wrong Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability exposes an internal service API that allows unauthenticated remote execution of arbitrary commands with root privileges, which is the pattern T1190 describes: an attacker gains initial access by exploiting an Internet-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-30912 (shared CWE-668)
- CVE-2026-34217 (shared CWE-668)
- CVE-2025-25176 (shared CWE-668)
- CVE-2026-44338 (shared CWE-668)
- CVE-2025-2857 (shared CWE-668)
- CVE-2024-57838 (shared CWE-668)
- CVE-2025-61917 (shared CWE-668)
- CVE-2026-34765 (shared CWE-668)
- CVE-2026-44008 (shared CWE-668)
- CVE-2026-33573 (shared CWE-668)

Affected Assets

Cisco Smart Software (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly requires timely remediation of the specific vulnerability exposing the internal service, preventing unauthenticated remote command execution.
- Prevent (SC-7 Boundary Protection): Enforces boundary protection via firewalls and network segmentation to block remote access to the exposed internal service API.
- Prevent (CM-7 Least Functionality): Limits the system to least functionality by prohibiting or restricting unnecessary internal services that could be unintentionally exposed remotely.

References

Cisco Security Advisory cisco-sa-ssm-cli-execution-cHUcWuNr: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr