Critical Cisco IMC auth bypass gives attackers Admin access Severity: CRITICAL (CVE-2026-20093) CVSS Score : 9.8
Critical Cisco IMC auth bypass gives attackers Admin access Severity: CRITICAL (CVE-2026-20093) CVSS Score : 9.8
Critical Cisco IMC auth bypass gives attackers Admin access
Severity: CRITICAL (CVE-2026-20093)
CVSS Score : 9.8
Information
Cisco IMC (Cisco Integrated Management Controller) is a hardware module embedded on the motherboard of Cisco servers that provides out-of-band management (even if the operating system is powered off or crashed) for UCS C-Series and E-Series servers via multiple interfaces, including XML API, web (WebUI), and command-line (CLI).
Incident
Cisco has released security updates to address several critical and high-severity vulnerabilities, including an Integrated Management Controller (IMC) authentication bypass that allows attackers to gain Admin access.
Tracked as CVE-2026-20093, the vulnerability was found in the Cisco IMC password change functionality and can be remotely exploited by unauthenticated attackers to bypass authentication and access unpatched systems with Admin privileges.
This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device.
A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.
Affected Products
This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IMC.
- 5000 Series Enterprise Network Compute Systems (ENCS) (CSCwq55648)
- Catalyst 8300 Series Edge uCPE (CSCwq68912)
- UCS C-Series M5 and M6 Rack Servers in standalone mode (CSCwq55659)
- UCS E-Series Servers M3 (CSCwq55648)
- UCS E-Series Servers M6 (CSCwq68912)
Recommendation
- 5000 Series Enterprise Network Compute Systems (ENCS) - Fixed in 4.15.5
- Catalyst 8300 Series Edge uCPE - Fixed in 4.18.3
- UCS C-Series M5 and M6 Rack Servers in standalone mode - Fixed in 4.3(2.260007), 4.3(6.260017), and 6.0(1.250174)
- UCS E-Series Servers M3 - Fixed in 3.2.17
- UCS E-Series Servers M6 - Fixed in 4.15.3
References
- https://www.bleepingcomputer.com/news/security/critical-cisco-imc-auth-bypass-gives-attackers-admin-access/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn
- https://thehackernews.com/2026/04/cisco-patches-98-cvss-imc-and-ssm-flaws.html
- https://www.cisco.com/site/us/en/products/computing/servers-unified-computing-systems/ucs-integrated-management-controller-cimc/index.html?utm_source=chatgpt.com
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn
Weekly Interesting CVE
| NO. |
CVE Name |
Published Date |
Last Update |
Device/Appplication/OS Target |
Attack Type |
CVSS |
Detail |
Solution |
Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 |
CVE-2026-2370 |
29/03/2026 |
29/03/2026 |
GitLab versions 14.3 before 18.8.7 |
Broken Access Control |
8.1 |
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks. |
Update to version 18.8.7 ,18.9.3 ,18.10.1 |
https://app.opencve.io/cve/CVE-2026-2370
|
| 2 |
CVE-2026-25724 |
29/03/2026 |
29/03/2026 |
Claude Code before 2.1.7 |
Local File Inclusion |
7.5 |
Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7. |
Update to version 2.1.7 |
https://app.opencve.io/cve/CVE-2026-25724
|
| 3 |
CVE-2026-5044 |
29/03/2026 |
29/03/2026 |
Router Belkin F9K1122 versions1.00.33 |
Remote Code Execution (RCE) |
7.4 |
A security vulnerability has been detected in Belkin F9K1122 1.00.33. This affects the function formSetSystemSettings of the file /goform/formSetSystemSettings of the component Setting Handler. Such manipulation of the argument webpage leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
Update to version |
|
| 4 |
CVE-2026-5170 |
30/03/2026 |
30/03/2026 |
MongoDB Server v8.2 – before 8.2.2 |
Denial of Service |
6 |
A user with access to the cluster with a limited set of privilege actions can trigger a crash of a mongod process during the limited and unpredictable window when the cluster is being promoted from a replica set to a sharded cluster. This may cause a denial of service by taking down the primary of the replica set. This issue affects MongoDB Server v8.2 versions prior to 8.2.2, MongoDB Server v8.0 versions between 8.0.18, MongoDB Server v7.0 versions between 7.0.31. |
Update to version |
https://nvd.nist.gov/vuln/detail/CVE-2026-5170
|
| 5 |
CVE-2026-34085 |
25/03/2026 |
27/03/2026 |
Fontconfig before 2.17.1 |
one-byte out-of-bounds write |
5.7 |
fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c. |
Update to version |
https://app.opencve.io/cve/CVE-2026-5045
|
Malware News or Campaign IOC/IOA | EN
|
No |
Campaign Name |
Detection Date |
Attack Type |
Description |
Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 |
Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware |
27/03/2026 |
Ransomware |
A pro‑Ukrainian hacker group called Bearlyfy has attacked more than 70 companies in Russia using a custom‑built ransomware named GenieLocker. The campaign aimed both to extort money and to disrupt business operations. Initially, the group targeted small companies before expanding to larger organizations, demanding ransoms of up to €80,000 (about $92,100 USD).Bearlyfy first appeared in 2025, using encryption tools linked to LockBit 3 and Babuk, before developing its own ransomware. This incident highlights how ransomware can serve not only as a financial weapon but also as a political tool to damage Russian businesses.The impact has been severe: many Russian companies suffered financial losses and operational disruption. The attacks also underscore the broader risk that organizations worldwide may face from similar techniques. |
|
Ref: https://thehackernews.com/2026/03/bearlyfy-hits-70-russian-firms-with.html
09 April 2026
Viewed 32 time
