CVE-2026-20096
Command Injection in Cisco IMC Web Interface Allows Root Access
Publication date: 2026-04-01
Last updated on: 2026-04-01
Assigner: Cisco Systems, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | imc | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the web-based management interface of Cisco IMC. It allows an authenticated remote attacker who already has admin-level privileges to perform command injection attacks. By exploiting improper validation of user-supplied input, the attacker can send specially crafted commands to the interface, which are then executed as arbitrary commands on the underlying operating system with root user privileges.
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker to execute arbitrary commands on the affected system as the root user. This means the attacker could gain full control over the system, potentially leading to unauthorized access, data manipulation, disruption of services, or further compromise of the network environment.