Critical Cisco IMC auth bypass patched

Published by The Daily Scout

What happened

Cisco released fixes for a critical authentication‑bypass flaw in its Integrated Management Controller (IMC) that could let an unauthenticated attacker change account passwords and gain administrative control of a server, even while the host is powered down. The vendor warns that exposed IMC interfaces effectively act as privileged backdoors, so inventorying affected hardware, segregating its management network and applying the patch are urgent. (csoonline.com) (helpnetsecurity.com)

Why it matters

Cisco published its security advisory on April 1, 2026 and released software updates for the flaw, which it tracks as CVE‑2026‑20093 and rates Critical with a CVSS base score of 9.8; the advisory states that no workarounds exist. (sec.cloudapps.cisco.com)

The advisory names the affected hardware lines: Cisco Unified Computing System C‑Series M5 and M6 rack servers, UCS E‑Series servers, HyperFlex nodes, 5000 Series Enterprise Network Compute System (ENCS) units and Catalyst 8300 edge platforms, and it notes that many Cisco appliances that embed the same management software are affected as well. (sec.cloudapps.cisco.com)

The flaw sits in the Integrated Management Controller, the dedicated controller that provides remote power control, firmware access and a remote keyboard/video console independent of the server's own operating system. It stems from incorrect handling of password‑change requests in the controller's web and API interfaces: Cisco says an attacker can send a crafted HTTP request to the controller's interface and change the password of any account without authenticating. (csoonline.com) (sec.cloudapps.cisco.com)

Because there is no compensating workaround, the outlets that covered the advisory all stress the same three actions: locate every device that runs the affected management software, block or firewall its management interface from general user networks and the internet, and apply Cisco's published updates without delay. (sec.cloudapps.cisco.com) Earlier U.S. government guidance for baseboard management controllers calls for the same controls, namely segregating management interfaces onto their own network segment, enforcing strong credentials and monitoring, and keeping controller firmware current, as set out in the joint CISA/NSA hardening guidance for BMCs. (cisa.gov)
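
The locate‑and‑segregate step above is the one most organisations can finish before the patch window opens. The following script is an added example, not code from Cisco or from the article: it reads an asset inventory and a firewall permit list (both constructed inline) and reports every affected‑model IMC that is either off the approved management segment or reachable on its web ports from user networks or the internet. The model‑string regexes, the management and jump‑host ranges, and the rule format are assumptions; adapt them to your own CMDB and firewall export. Patch state is deliberately not scored, because every affected device needs the update regardless of exposure.

```python
"""Find Cisco IMC interfaces reachable from outside the management segment.

Added example (not from Cisco or the article). Inventory, firewall rules,
segments and model patterns below are all constructed for illustration.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Product lines named in the advisory. The regexes are assumptions about how
# model strings appear in an inventory export; adapt them to your CMDB.
AFFECTED_MODEL_PATTERNS = [
    r"^UCSC-C\d{3}-M[56]",  # UCS C-Series M5 / M6 rack servers
    r"^UCS-E",              # UCS E-Series
    r"^HX",                 # HyperFlex nodes
    r"^ENCS5",              # 5000 Series Enterprise Network Compute System
    r"^C83\d\d",            # Catalyst 8300
]

# Out-of-band management segment and the jump-host range allowed to reach it
# (assumed values for this example).
MANAGEMENT_SEGMENTS = [ipaddress.ip_network("10.99.0.0/16")]
TRUSTED_SOURCES = [ipaddress.ip_network("10.99.50.0/24")]
IMC_WEB_PORTS = {80, 443}  # the bug is in the web/API interface

# Constructed inventory export: hostname, model string, IMC address.
INVENTORY_CSV = """hostname,model,imc_ip
srv-db-01,UCSC-C240-M6SX,10.99.4.21
srv-app-07,UCSC-C220-M5SX,10.20.1.55
hx-node-03,HXAF240C-M6SX,10.99.4.40
branch-rtr-12,C8300-1N1S-6T,10.30.8.4
switch-core-1,C9300-48P,10.99.1.2
"""

# Constructed firewall permit rules: (source CIDR, destination CIDR, dst port).
PERMIT_RULES = [
    ("10.99.50.0/24", "10.99.0.0/16", 443),  # jump hosts -> management segment
    ("10.20.0.0/16", "10.20.1.55/32", 443),  # user LAN -> srv-app-07 IMC
    ("0.0.0.0/0", "10.30.8.4/32", 443),      # any -> branch IMC (behind a NAT)
    ("10.99.50.0/24", "10.30.8.4/32", 22),   # jump hosts -> branch IMC SSH
]

SEVERITY_RANK = {"critical": 0, "high": 1}


@dataclass(frozen=True)
class Finding:
    hostname: str
    imc_ip: str
    severity: str  # "critical" or "high"
    reason: str


def is_affected_model(model: str) -> bool:
    """True if the model string matches one of the advisory's product lines."""
    return any(re.match(p, model) for p in AFFECTED_MODEL_PATTERNS)


def _trusted(src: ipaddress.IPv4Network) -> bool:
    """A source is trusted only if it lies entirely inside a jump-host range."""
    return any(src.subnet_of(t) for t in TRUSTED_SOURCES)


def audit_device(hostname: str, imc_ip: str, rules) -> list:
    """Exposure findings for one IMC: wrong segment, or web ports open to untrusted sources."""
    ip = ipaddress.ip_address(imc_ip)
    findings = []
    if not any(ip in seg for seg in MANAGEMENT_SEGMENTS):
        findings.append(Finding(hostname, imc_ip, "high",
                                "IMC address is outside the approved management segment"))
    for src, dst, port in rules:
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if port not in IMC_WEB_PORTS or ip not in dst_net or _trusted(src_net):
            continue
        if src_net.prefixlen == 0:  # 0.0.0.0/0: reachable from anywhere
            findings.append(Finding(hostname, imc_ip, "critical",
                                    f"IMC web port {port} permitted from any source ({src})"))
        else:
            findings.append(Finding(hostname, imc_ip, "high",
                                    f"IMC web port {port} permitted from non-management source {src}"))
    return findings


def audit(inventory_csv: str = INVENTORY_CSV, rules=PERMIT_RULES):
    """Return (affected hostnames, exposure findings sorted by severity then host)."""
    affected, findings = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_affected_model(row["model"]):
            continue
        affected.append(row["hostname"])
        findings.extend(audit_device(row["hostname"], row["imc_ip"], rules))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.hostname))
    return affected, findings


if __name__ == "__main__":
    hosts, results = audit()
    print(f"{len(hosts)} affected-model devices need Cisco's update (no workaround): {', '.join(hosts)}")
    for f in results:
        print(f"[{f.severity.upper()}] {f.hostname} ({f.imc_ip}): {f.reason}")
```

On the constructed data the script lists four affected devices and flags the branch router's IMC as critical (its HTTPS port is permitted from any source) and srv‑app‑07 as high (off the management segment and reachable from the user LAN); the two hosts whose IMCs sit on the management segment and are reachable only from the jump hosts produce no exposure finding but still appear in the patch list.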

What happens next

  • Operators of the listed hardware are expected to inventory every device running the affected IMC software, cut its management interface off from general user networks and the internet, and apply Cisco's updates; the vendor offers no workaround, so segmentation only buys time until the patch is on. (sec.cloudapps.cisco.com) (cisa.gov)
