Cisco has released patches for a critical vulnerability in its out-of-band management solution, present in many of its servers and appliances. The flaw allows unauthenticated remote attackers to gain admin access to the Cisco Integrated Management Controller (IMC), which gives administrators remote control over servers even when the main OS is shut down.
The vulnerability, tracked as CVE-2026-20093, stems from incorrect handling of password changes and can be exploited by sending specially crafted HTTP requests. This means servers with their IMC interfaces exposed directly to the local network — or worse, to the internet — are at immediate risk.
The Cisco IMC is a baseboard management controller (BMC), a dedicated controller embedded in the server motherboard with its own processor, memory, and network interface. It gives administrators monitoring and management capabilities as if they were physically at the server with a keyboard, monitor, and mouse (KVM). Because a BMC runs its own firmware independently of the host OS, it can be used to perform operations even when the OS is shut down, including reinstalling it.
The IMC provides an HTML5 web interface, an SSH-based command line interface, and an XML API. It also supports Redfish, the DMTF's standardized RESTful API for BMCs, and offers a virtual KVM (vKVM) console.
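Because the risk described above comes down to which networks can reach the management interface, the first practical step is an inventory of where BMCs answer. The script below is an added example, not code from the article or from Cisco: it fetches the DMTF Redfish service root (/redfish/v1/, which the Redfish standard makes readable without credentials) from each host, parses the identifying fields, and flags any responding BMC whose address lies outside the management networks you expect. The sample service-root document, the vendor and product strings in it, and the management CIDR 10.10.0.0/16 are constructed for illustration; the script assumes the BMC listens on HTTPS port 443 and that hosts are given as IP addresses.

```python
"""Inventory reachable Redfish (BMC) management endpoints.

Added example, not from the article or from Cisco. Assumptions: hosts answer
HTTPS on port 443 and expose the DMTF-standard service root at /redfish/v1/,
which is readable without credentials; management networks are given as CIDR
strings; hosts are given as IP addresses.
"""
import ipaddress
import json
import ssl
import sys
import urllib.error
import urllib.request

REDFISH_ROOT = "/redfish/v1/"


def parse_service_root(body):
    """Return identifying fields from a Redfish ServiceRoot document, or None
    if the body is not a Redfish service root (e.g. some other web app
    answered on that path)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict):
        return None
    odata_type = doc.get("@odata.type", "")
    if "ServiceRoot" not in odata_type and "RedfishVersion" not in doc:
        return None
    return {
        "redfish_version": doc.get("RedfishVersion", "unknown"),
        "vendor": doc.get("Vendor", "unknown"),
        "product": doc.get("Product", "unknown"),
        "uuid": doc.get("UUID"),
    }


def probe_redfish(host, timeout=5, verify_tls=False):
    """GET https://<host>/redfish/v1/ and parse it. Returns None when the host
    does not answer or does not look like a BMC. BMCs commonly ship with
    self-signed certificates, so verification is off by default; this only
    affects whether we can talk to the device, not whether it is exposed."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}{REDFISH_ROOT}", headers={"Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_service_root(resp.read())
    except (urllib.error.URLError, OSError):
        return None


def outside_management_networks(ip, mgmt_nets):
    """True if `ip` is not inside any CIDR in `mgmt_nets`, i.e. a BMC
    answering there is reachable from a network it should not be on."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(n, strict=False) for n in mgmt_nets)


def assess(ip, fields, mgmt_nets):
    """Combine the probe result and network placement into one finding line."""
    if fields is None:
        return f"{ip}: no Redfish service root reachable"
    if outside_management_networks(ip, mgmt_nets):
        where = "OUTSIDE management network"
    else:
        where = "inside management network"
    return (f"{ip}: BMC reachable ({fields['vendor']} {fields['product']}, "
            f"Redfish {fields['redfish_version']}) - {where}")


if __name__ == "__main__":
    # Constructed sample of a Redfish service root; not captured from any real device.
    SAMPLE_SERVICE_ROOT = json.dumps({
        "@odata.type": "#ServiceRoot.v1_5_0.ServiceRoot",
        "Id": "RootService",
        "Name": "Root Service",
        "RedfishVersion": "1.8.0",
        "Vendor": "ExampleVendor",
        "Product": "Example BMC",
        "UUID": "00000000-0000-4000-8000-000000000001",
    }).encode()
    MGMT_NETS = ["10.10.0.0/16"]  # hypothetical out-of-band management subnet

    # Offline demonstration on the constructed document: 203.0.113.10 is
    # outside the management subnet, so a BMC answering there is flagged.
    print(assess("203.0.113.10", parse_service_root(SAMPLE_SERVICE_ROOT), MGMT_NETS))

    # Live use: python3 bmc_inventory.py 10.10.5.7 203.0.113.10 ...
    for ip in sys.argv[1:]:
        print(assess(ip, probe_redfish(ip), MGMT_NETS))
```

Run it from the vantage point you are worried about (an office VLAN, a DMZ host): any "OUTSIDE management network" line is a BMC that the advisory's "exposed directly to the local network" warning applies to, regardless of which vendor it reports.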
“A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user,” Cisco said in its advisory.
The IMC is present in 5000 Series Enterprise Network Compute Systems, Catalyst 8300 Series Edge uCPE, UCS C-Series M5 and M6 Rack Servers in standalone mode, UCS E-Series Servers M3, and UCS E-Series Servers M6. However, a long list of Cisco products and appliances that are based on the Cisco Unified Computing System (UCS) C-Series platform are also affected if they have their IMC interface exposed.
While Cisco is not currently aware of any malicious attacks exploiting this vulnerability, BMC flaws in servers from other manufacturers have been exploited in the past. In 2022, security researchers found a malicious implant dubbed iLOBleed that was likely developed by an APT group and was being deployed through vulnerabilities in HPE's Integrated Lights-Out (iLO) BMC. In 2018, a ransomware group called JungleSec used default credentials on IPMI interfaces to compromise Linux servers.
The risk of attacks against such management interfaces is serious enough that the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) issued guidance on hardening BMCs back in 2023.
More recently, researchers also warned about vulnerabilities in cheap KVM-over-IP devices that some organizations and admins use as an alternative for managing systems that lack a dedicated BMC.