Cisco flags IMC flaws

Cisco warned about critical vulnerabilities in its Integrated Management Controller software, calling out the server‑management layer as a potential entry point for attackers. The advisory underlines that out‑of‑band management systems can themselves become high‑value targets if left unpatched. (igorslab.de)

A server’s management controller is the separate control panel that lets administrators reboot, patch, and recover a machine even when the main operating system is down. Cisco said on April 1 that flaws in that layer of its Integrated Management Controller software can let attackers break in through the very tool meant to keep servers reachable. (cisco.com)

Cisco published one critical advisory for CVE-2026-20093, an authentication-bypass bug with a Common Vulnerability Scoring System score of 9.8 out of 10. The company said an unauthenticated remote attacker could send a crafted Hypertext Transfer Protocol request, change any user’s password, and log in as that user, including an administrator. (cisco.com)

Cisco also published a second advisory covering four high-severity bugs, CVE-2026-20094 through CVE-2026-20097, with a score of 8.8. The company said an authenticated remote attacker could use the web interface to run commands or code on the underlying operating system and escalate privileges to root, the top-level account on a Unix-like system. (cisco.com)

A third advisory covered five medium-severity cross-site scripting flaws, CVE-2026-20085 and CVE-2026-20087 through CVE-2026-20090, with a score of 6.1. Cisco said those bugs could let an attacker trick a browser session in the management interface into running malicious script in a logged-in user’s context. (cisco.com)

Integrated Management Controller is Cisco’s out-of-band management software for Unified Computing System rack servers, which means it sits beside the main operating system and stays available for remote maintenance. Cisco’s product pages list current Integrated Management Controller documentation and firmware for Unified Computing System C-Series rack servers, including releases updated in March 2026. (cisco.com)

The affected list is broad. Cisco said the April 1 advisories hit 5000 Series Enterprise Network Compute Systems, Catalyst 8300 Series Edge universal customer premises equipment, Unified Computing System C-Series M5 and M6 rack servers in standalone mode, Unified Computing System E-Series M3 and M6 servers, and some Unified Computing System S-Series storage servers, depending on the bug. (cisco.com, cisco.com, cisco.com)

Cisco said preconfigured appliances built on those server platforms can also be exposed if they leave the Integrated Management Controller user interface reachable. The company’s affected-product lists name Application Policy Infrastructure Controller servers, Catalyst Center appliances, HyperFlex nodes, Nexus Dashboard appliances, Prime Infrastructure appliances, Secure Firewall Management Center appliances, and several other packaged systems. (cisco.com, cisco.com)

Cisco said it released software updates for all three April 1 advisories and listed no workaround for any of them. The company’s release-notes index shows Unified Computing System rack-server software release 4.3(6) was updated on March 5, 2026, and release 6.0(2) was posted on March 16, 2026, giving administrators current branches to check against Cisco’s fixed-version guidance. (cisco.com, cisco.com, cisco.com, cisco.com)

Cisco’s public security listings show Integrated Management Controller bugs are not rare: the company published an authorization-bypass advisory in February 2021, a command-injection advisory in February 2024, a privilege-escalation advisory in June 2025, and virtual keyboard video monitor issues in August 2025. The April 2026 batch adds a fresh reminder that the always-on recovery path into a server can also be an always-on attack surface. (cisco.com, cisco.com, cisco.com, cisco.com)
