High8.8Cisco Updated
Cisco Integrated Management Controller Command Injection and Remote Code Execution Vulnerabilities
cisco-sa-cimc-cmd-inj-3hKN3bVt Published Apr 22, 2026Updated by vendor Apr 22, 2026
CVE-2026-20094CVE-2026-20095CVE-2026-20096CVE-2026-20097
Affected products & platforms
CiscoUnclassified
Summary
Multiple vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker to execute arbitrary code or commands on the underlying operating system of an affected system and elevate privileges to root.
Affected versions
- Scope: These vulnerabilities affect the following Cisco products if they are running a vulnerable release of Cisco IMC, regardless of device configuration: Product CVE IDs Cisco Bug IDs 5000 Series Enterprise Network Compute Systems (ENCS) CVE-2026-20095
- Release 4.15 and earlier (first fixed: 4.15.5)
- 4.16 and earlier — Migrate to a fixed release
- Release 4.18 (first fixed: 4.18.3 (Apr 2026))
- 4.2 and earlier — Migrate to a fixed release
- Release 4.3 (first fixed: 4.3(2.260007))
- 4.2 and earlier — Migrate to a fixed release
- Release 4.3 (first fixed: 4.3(6.260017))
- Release 6.0 (first fixed: 6.0(2.260044))
- Release 3.2 and earlier (first fixed: 3.2.17)
- Release 4.15 and earlier (first fixed: 4.15.3)
- 4.2 and earlier — Migrate to a fixed release
- Release 4.3 (first fixed: 4.3(6.260017))
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Fixed versions
- 4.15.5
- 4.18.3 (Apr 2026)
- 4.3(2.260007)
- 4.3(6.260017)
- 6.0(2.260044)
- 3.2.17
- 4.15.3
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Mitigation checklist
Recommended fix / mitigation
- Upgrade to the first fixed release for your train per the Fixed Releases table in this advisory.
- Release 4.15 and earlier: upgrade to 4.15.5.
- Release 4.16 and earlier: migrate to a fixed release.
- Release 4.18: upgrade to 4.18.3 (Apr 2026).
- Release 4.2 and earlier: migrate to a fixed release.
- Release 4.3: upgrade to 4.3(2.260007).
- Release 4.2 and earlier: migrate to a fixed release.
- Release 4.3: upgrade to 4.3(6.260017).
- Release 6.0: upgrade to 6.0(2.260044).
Temporary workarounds
- There are no workarounds that address these vulnerabilities.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.