Description
A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin.

This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.
Published: 2026-04-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Authentication Bypass
Action: Immediate Patch
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Cisco
Cisco enterprise Nfv Infrastructure Software
Cisco unified Computing System
Cisco unified Computing System Software
Vendors & Products Cisco
Cisco enterprise Nfv Infrastructure Software
Cisco unified Computing System
Cisco unified Computing System Software

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as&nbsp;Admin. This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an&nbsp;Admin user, and gain access to the system as that user.
Title Cisco Integrated Management Controller Authentication Bypass Vulnerability
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Cisco Enterprise Nfv Infrastructure Software Unified Computing System Unified Computing System Software
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-04-02T03:56:12.925Z

Reserved: 2025-10-08T11:59:15.368Z

Link: CVE-2026-20093

cve-icon Vulnrichment

Updated: 2026-04-01T18:16:05.809Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-01T17:28:29.027

Modified: 2026-04-03T16:11:11.357

Link: CVE-2026-20093

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T08:58:34Z

Weaknesses