Cisco IMC authentication bypass lets unauthenticated attackers take full admin control of servers (CVE-2026-20093)
Cisco patched a CVSS 9.8 authentication bypass in its Integrated Management Controller (IMC), the out-of-band baseboard management controller built into Cisco UCS servers. An attacker sends a single crafted HTTP request to the password change function and can reset any user's password, including Admin, without presenting any credentials. With the Admin password the attacker has everything the controller offers: remote KVM console, virtual media, power control and BIOS settings, so full compromise of the host follows. Because IMC runs on a dedicated controller with its own IP address, below the host operating system, endpoint security tools running on the server's OS cannot see the request or block it; the controls that matter here are network-level. The flaw affects dozens of Cisco product lines including APIC servers, Secure Firewall Management Center, and Cyber Vision appliances.
- Check: Check if any Cisco UCS C-Series M5/M6 servers, ENCS 5000, Catalyst 8300 Edge uCPE, or UCS E-Series systems have their IMC web interface reachable from anywhere other than the dedicated management network: the internet, user VLANs, or the production VLAN of the servers themselves. The IMC has its own IP address, so it will not appear in a host-based inventory; check switch port and firewall configuration for the management ports.
- Affected: Cisco UCS C-Series M5 and M6 Rack Servers (standalone mode), 5000 Series ENCS, Catalyst 8300 Edge uCPE, UCS E-Series M3/M6, plus dozens of appliances built on preconfigured UCS C-Series hardware including APIC, Secure Firewall Management Center, and Cyber Vision Center.
- Fix: Update Cisco IMC firmware: ENCS 5000 to 4.15.5; UCS C-Series to 4.3(2.260007), 4.3(6.260017), or 6.0(1.250174) depending on which release train the server runs. This summary quotes no fixed version for UCS E-Series, Catalyst 8300 uCPE or the UCS-based appliances; take those from the Cisco advisory. Restrict IMC interface access to a dedicated management VLAN, which is also the compensating control until the firmware is updated. Audit existing IMC user accounts and the IMC event log for password changes nobody authorized; since the bypass needs no credentials, an unexplained Admin password change should be treated as a compromised server, not just a compromised controller.
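The two checks above, whether an IMC sits outside the management VLAN and whether its firmware is below the fixed release for its train, as a small inventory triage script. This is an added example, not code from the page or from Cisco. Its assumptions: the inventory entries are constructed; UCS C-Series versions follow the major.minor(release.build) pattern of the fixed versions quoted above, with major.minor(release identifying the train and a larger build number being newer within a train; ENCS versions are plain dotted numbers. The fixed versions are the ones the summary quotes, and a train the summary does not name is reported as unknown rather than assumed safe.

```python
import ipaddress
import re
import socket

# Fixed Cisco IMC releases quoted in the summary above, keyed by release train.
# Assumption: the train is identified by major.minor(release and a higher build
# number within a train is newer; this matches the three quoted strings.
FIXED_UCS_C = {
    (4, 3, 2): "4.3(2.260007)",
    (4, 3, 6): "4.3(6.260017)",
    (6, 0, 1): "6.0(1.250174)",
}
FIXED_ENCS = "4.15.5"

_UCS_C_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\.(\d+)\)$")


def parse_ucs_c_version(s):
    """'4.3(2.260007)' -> (4, 3, 2, 260007); None if the string does not fit."""
    m = _UCS_C_RE.match(s.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def ucs_c_status(version):
    """Classify a UCS C-Series IMC version against the fixed release of its train."""
    v = parse_ucs_c_version(version)
    if v is None:
        return "unparseable"
    fixed_str = FIXED_UCS_C.get(v[:3])
    if fixed_str is None:
        # Train not named in the summary (e.g. 4.3(4.x)): do not assume it is safe.
        return "no fixed release listed for this train; check the Cisco advisory"
    if v >= parse_ucs_c_version(fixed_str):
        return "fixed"
    return f"vulnerable (upgrade to {fixed_str})"


def encs_status(version):
    """Classify an ENCS 5000 firmware version (plain dotted numbers, assumed)."""
    try:
        v = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return "unparseable"
    fixed = tuple(int(p) for p in FIXED_ENCS.split("."))
    return "fixed" if v >= fixed else f"vulnerable (upgrade to {FIXED_ENCS})"


def outside_mgmt_vlan(ip, mgmt_cidrs):
    """True if the IMC address is not inside any of the allowed management subnets."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in ipaddress.ip_network(c, strict=False) for c in mgmt_cidrs)


def imc_https_reachable(host, port=443, timeout=2.0):
    """Live TCP probe of the IMC web interface from wherever this script runs.
    Run it from a non-management segment: True there is exactly the exposure
    the Check bullet warns about. Not called by the offline demo below."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(inventory, mgmt_cidrs):
    """One finding per IMC: firmware status plus whether it sits outside the mgmt VLAN."""
    findings = []
    for e in inventory:
        status = ucs_c_status(e["version"]) if e["platform"] == "ucs-c" else encs_status(e["version"])
        findings.append({
            "host": e["host"],
            "ip": e["ip"],
            "firmware": status,
            "outside_mgmt_vlan": outside_mgmt_vlan(e["ip"], mgmt_cidrs),
        })
    return findings


# Constructed sample inventory: hostnames, addresses and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "ucs-c220-01", "platform": "ucs-c", "ip": "10.200.0.11", "version": "4.3(2.250012)"},
    {"host": "ucs-c240-02", "platform": "ucs-c", "ip": "10.200.0.12", "version": "4.3(6.260017)"},
    {"host": "ucs-c220-03", "platform": "ucs-c", "ip": "192.168.50.40", "version": "6.0(1.250174)"},
    {"host": "ucs-c220-04", "platform": "ucs-c", "ip": "10.200.0.14", "version": "4.3(4.241010)"},
    {"host": "encs-branch-1", "platform": "encs", "ip": "172.16.9.5", "version": "4.15.4"},
]
MGMT_CIDRS = ["10.200.0.0/24"]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, MGMT_CIDRS):
        flag = "EXPOSED" if f["outside_mgmt_vlan"] else "mgmt-only"
        print(f'{f["host"]:14} {f["ip"]:15} {flag:9} {f["firmware"]}')
```

An IMC flagged EXPOSED and vulnerable is the priority: move it behind the management VLAN first, since that blocks the unauthenticated request regardless of firmware, then patch. The version comparison deliberately refuses to call an unlisted train fixed; the summary only quotes releases for three trains, and anything else needs the advisory.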