Cyber Posture

CVE-2026-20160

Critical

Published: 01 April 2026

Modified: 03 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-20160 is a critical-severity Exposure of Resource to Wrong Sphere (CWE-668) vulnerability in Cisco Smart Software (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 48.1st percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly requires timely remediation of the specific vulnerability exposing the internal service, preventing unauthenticated remote command execution.
- Prevent (SC-7, Boundary Protection): Enforces boundary protection via firewalls and network segmentation to block remote access to the exposed internal service API.
- Prevent (CM-7, Least Functionality): Limits the system to least functionality by prohibiting or restricting unnecessary internal services that could be unintentionally exposed remotely.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability exposes an internal service API allowing unauthenticated remote arbitrary command execution with root privileges, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This vulnerability is due to the unintentional exposure of an internal service. An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

Deeper analysis

CVE-2026-20160 is a high-severity vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that exposes an internal service, enabling an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. The issue stems from the unintentional exposure of this service, which allows attackers to target its API. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-668 (Exposure of Resource to Wrong Sphere).

An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted request to the API of the exposed internal service. Successful exploitation grants root-level privileges on the underlying operating system, potentially allowing full compromise of the SSM On-Prem host, including data exfiltration, persistence, or further lateral movement within the network.

The Cisco Security Advisory provides details on mitigation, available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr.

Details

CWE(s): CWE-668 (Exposure of Resource to Wrong Sphere)

Affected Products: Cisco Smart Software (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-34217 (shared CWE-668)
CVE-2025-25176 (shared CWE-668)
CVE-2026-30912 (shared CWE-668)
CVE-2026-44338 (shared CWE-668)
CVE-2025-61917 (shared CWE-668)
CVE-2026-33573 (shared CWE-668)
CVE-2026-34765 (shared CWE-668)
CVE-2026-45411 (shared CWE-668)
CVE-2026-29093 (shared CWE-668)
CVE-2026-39911 (shared CWE-668)
