CVE-2026-20094
Received Received - Intake
Command Injection in Cisco IMC Web Interface Allows Root Access

Publication date: 2026-04-01

Last updated on: 2026-04-01

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with read-only privileges to perform command injection attacks on an affected system and execute arbitrary commands as the root user. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as the root user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20094
EUVD
EUVD-2026-17948
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
cisco imc *
cisco integrated_management_controller *
cisco catalyst_8300_series_edge_ucpe to 4.18.3 (inc)
cisco ucs_c-series_m5_rack_servers to 4.3(2.260007) (inc)
cisco ucs_c-series_m6_rack_servers to 4.3(6.260017) (inc)
cisco ucs_e-series_m6 to 4.15.3 (inc)
cisco ucs_s-series_storage_servers to 4.3(6.260017) (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20094 is a high-severity command injection vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC).

It allows an authenticated remote attacker with only read-only privileges to send specially crafted commands to the interface, which are improperly validated, resulting in arbitrary command execution on the underlying operating system with root user privileges.

This means that even users with limited access can escalate their privileges to full control of the system by exploiting this flaw.

Impact Analysis

This vulnerability can have a severe impact because it allows an attacker with only read-only access to execute arbitrary commands as the root user on the affected system.

Such unauthorized root-level access can lead to complete system compromise, including data theft, system manipulation, disruption of services, and installation of persistent malware.

Since the attacker can escalate privileges from limited access to full control, the risk to confidentiality, integrity, and availability of the system is very high.

Detection Guidance

This vulnerability requires authentication with at least read-only privileges to the Cisco IMC web-based management interface. Detection involves verifying if your systems are running vulnerable versions of Cisco IMC software on affected hardware such as Catalyst 8300 Series Edge uCPE, UCS C-Series M5 and M6 Rack Servers in standalone mode, UCS E-Series M6 Servers, or UCS S-Series Storage Servers in standalone mode.

There are no specific detection commands or network signatures provided in the available information. Since the vulnerability involves command injection via crafted input to the web interface, detection typically involves checking software versions and monitoring for unusual command execution or access patterns.

To detect if your system is vulnerable, you should:

  • Check the Cisco IMC software version on your devices and compare it against the fixed versions released by Cisco.
  • Review access logs for the web-based management interface for any suspicious or unauthorized command execution attempts.
  • Use Cisco security advisories and tools to verify if your devices are affected.
Mitigation Strategies

There are no workarounds available for this vulnerability. The only effective mitigation is to upgrade the Cisco IMC software to the fixed versions provided by Cisco.

Immediate mitigation steps include:

  • Identify all affected Cisco devices running vulnerable IMC versions.
  • Upgrade to the fixed software releases as recommended by Cisco, for example:
  • - Catalyst 8300 Series Edge uCPE: upgrade Cisco NFVIS to 4.18.3 or later.
  • - UCS C-Series M5 and M6 Rack Servers: upgrade Cisco IMC to 4.3(2.260007) or 4.3(6.260017) respectively.
  • - UCS E-Series M6: upgrade Cisco IMC to 4.15.3 or later.
  • - UCS S-Series Storage Servers: upgrade Cisco IMC to 4.3(6.260017) or later.
  • Follow specific upgrade procedures for Cisco appliances based on UCS C-Series Servers, often involving the Cisco Host Upgrade Utility (HUU).
  • Restrict access to the web-based management interface to trusted users only and monitor for suspicious activity until upgrades are applied.
Compliance Impact

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20094. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart