Cisco has issued patches for a critical vulnerability in its Integrated Management Controller (IMC) that affects multiple products and allows unauthenticated attackers to gain administrative access to servers, even when the operating system is offline. The flaw, tracked as CVE-2026-20093, arises from improper handling of password changes and can be exploited through specially crafted HTTP requests. This presents a significant risk, especially for servers whose IMC interfaces are accessible on the local network or the internet.
The IMC is a baseboard management controller (BMC) embedded in server motherboards that allows remote management and monitoring, independent of the main operating system. It can perform operations such as OS reinstallation, making its security paramount. The vulnerability could enable an attacker to bypass authentication, alter user passwords, and subsequently access the system with those credentials.
Affected Cisco products span several series, from the 5000 Series Enterprise Network Compute Systems to UCS servers, and all are at risk if their IMC interface is exposed. Although Cisco has not reported any active exploitation of this vulnerability, the history of BMC vulnerabilities being targeted underscores the importance of securing these interfaces. Recommendations for hardening BMC security have been issued by the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).
For further reading on the guidance issued for BMC hardening, refer to the report by CISA and NSA.