What Happened
Cisco has disclosed two separate vulnerabilities, each carrying the maximum CVSS 9.8 score, affecting core enterprise infrastructure components. Both flaws allow unauthenticated attackers (that is, anyone on the network with access to the affected systems) to take complete control without requiring a valid username or password.
CVE-2026-20093 affects the Cisco Integrated Management Controller (IMC), the out-of-band management system embedded in Cisco UCS rack servers and HyperFlex nodes. IMC is the hardware-level management interface that allows administrators to control servers remotely (including rebooting, reimaging, and accessing the console) even when the operating system is down. An attacker who exploits this flaw gains the equivalent of physical access to every affected server.
CVE-2026-20160 affects Cisco Smart Software Manager On-Prem (SSM On-Prem), the system organisations use to manage Cisco software licences without sending data to Cisco's cloud. An exposed internal service allows an unauthenticated attacker to execute arbitrary operating system commands, which in practice means full control of the licence management server and potential access to all licence credentials and connected Cisco infrastructure.
Both vulnerabilities require network access to the affected management interface. Neither requires prior authentication or user interaction.
Business Impact
The severity of these vulnerabilities is difficult to overstate. Organisations affected by CVE-2026-20093 face a scenario where attackers could:
- Reimage every affected server, destroying data and causing extended downtime across physical infrastructure
- Intercept remote console sessions and capture credentials being entered by administrators
- Modify BIOS and firmware settings in ways that survive OS reinstallation
- Establish persistent, OS-independent backdoors on production servers
For CVE-2026-20160, the immediate risk is to licence management infrastructure, but the downstream exposure extends to any Cisco infrastructure managed through SSM On-Prem. Organisations in regulated sectors should note that a compromise of these systems could constitute a notifiable breach under applicable legislation, regardless of whether sensitive personal data was involved.
The financial exposure depends on the scale of Cisco infrastructure deployed. For organisations running large Cisco UCS estates (common in financial services, healthcare, and manufacturing), the cost of a successful attack could run into millions in recovery, lost production, and regulatory response.
Regulatory Implications
NIS2 Directive (EU): Operators of essential and important entities are required to apply patches for critical vulnerabilities without undue delay and to assess network exposure of critical management interfaces. If these vulnerabilities are left unpatched and exploitation occurs, the resulting compromise is likely to constitute an incident that must be reported within 24 hours of detection.
DORA (EU Financial Sector): Financial entities must maintain ICT risk management frameworks that address known critical vulnerabilities. The exposure of server management interfaces to networks accessible by unauthorised parties would be considered a configuration deficiency under DORA's ICT risk management requirements.
ISO 27001: Annex A.8.8 (Management of technical vulnerabilities) requires timely identification and remediation. A CVSS 9.8 vulnerability in production server infrastructure triggers the highest response obligation under most organisations' vulnerability management policies.
Board-Ready Summary
- Cisco has disclosed two separate vulnerabilities rated at maximum severity (9.8/10) that allow any attacker with network access to take complete, unauthenticated control of Cisco server hardware and licence management systems.
- No exploitation has been confirmed in the wild at time of publication, but the unauthenticated nature of both attacks means weaponised tools are likely in development; the window to patch before active attacks begin is measured in days to weeks, not months.
- Organisations must apply Cisco's firmware and software patches immediately, and restrict management interfaces to dedicated out-of-band network segments accessible only by authorised administrators.
Recommended Actions
- Identify exposure within 24 hours. Determine which Cisco UCS rack servers, HyperFlex nodes, and SSM On-Prem installations are in your environment. Assess whether their management interfaces (IMC and SSM) are accessible from networks beyond the dedicated management VLAN.
- Restrict access now, before patching. If patching cannot begin immediately, isolate IMC and SSM On-Prem management interfaces from corporate and production networks at the firewall/ACL level. Access should be limited to a dedicated out-of-band management network reachable only from authorised jump hosts.
- Apply patches on an emergency schedule. Cisco UCS IMC firmware patches and SSM On-Prem version 9-202601 are available. Treat this as a P1 patching event: these vulnerabilities warrant the same urgency as zero-days with confirmed active exploitation.
- Brief your CISO and incident response team. If your organisation has regulatory reporting obligations, ensure your incident response team is aware of the exposure and has a confirmed patch timeline documented. This is relevant to NIS2, DORA, and sector-specific regulators.
- Audit IMC and SSM access logs post-patching. After patching, review management interface access logs for signs of unauthorised access. If anomalies are found, treat as a confirmed incident.
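As an added example (not Cisco tooling and not code from this advisory), the following Python script performs the first and last of the steps above on constructed sample data: it flags management interfaces whose address lies outside the dedicated management subnet, and it flags post-patch access-log entries that originate from anything other than the authorised jump hosts. The management subnet, jump-host list, inventory entries and the single-line log format are all assumptions constructed for this example; a real run would substitute the organisation's own inventory source and the access logs exported from IMC and SSM On-Prem.

```python
"""Exposure triage for out-of-band management interfaces (IMC / SSM On-Prem).

Added example, not Cisco tooling. Every network, host and log line below is
constructed sample data; the log format is hypothetical.
"""
import ipaddress
import re

# Assumption: the dedicated out-of-band management network(s).
MANAGEMENT_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Assumption: jump hosts from which administrators are expected to connect.
JUMP_HOSTS = {
    ipaddress.ip_address("10.99.0.10"),
    ipaddress.ip_address("10.99.0.11"),
}

# Constructed inventory: (hostname, interface role, management IP address).
INVENTORY = [
    ("ucs-r01", "IMC", "10.99.0.21"),
    ("ucs-r02", "IMC", "10.20.5.40"),      # sits on a production VLAN
    ("ssm-onprem", "SSM", "10.99.0.50"),
    ("hx-n01", "IMC", "192.168.1.15"),     # sits on a corporate VLAN
]


def exposed_interfaces(inventory, management_nets):
    """Return entries whose management IP is outside every management subnet.

    Any such interface is reachable from a network that is not the dedicated
    management VLAN and should be isolated at the firewall/ACL before patching.
    """
    findings = []
    for host, role, ip_str in inventory:
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in net for net in management_nets):
            findings.append((host, role, ip_str))
    return findings


# Hypothetical single-line log format used for this example only:
#   <timestamp> <service> src=<ip> user=<name> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\w+)$"
)

# Constructed log lines: two jump-host logins, one login from a production
# VLAN address, and a failed-then-successful attempt from an external address.
SAMPLE_LOG = """\
2026-03-01T08:00:01Z imc src=10.99.0.10 user=admin result=ok
2026-03-01T08:05:44Z imc src=10.20.5.77 user=admin result=ok
2026-03-01T08:06:02Z ssm src=10.99.0.11 user=svc-lic result=ok
2026-03-01T08:07:15Z ssm src=203.0.113.9 user=- result=fail
2026-03-01T08:07:16Z ssm src=203.0.113.9 user=- result=ok
"""


def suspicious_access(log_text, jump_hosts):
    """Return log entries whose source address is not an authorised jump host.

    Each hit is (timestamp, service, source, user, result, severity). A
    successful access from an unknown source is 'high'; a failed one is
    'medium' (still worth review, since both CVEs need no credentials).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        src = ipaddress.ip_address(m["src"])
        if src in jump_hosts:
            continue
        severity = "high" if m["res"] == "ok" else "medium"
        hits.append((m["ts"], m["svc"], m["src"], m["user"], m["res"], severity))
    return hits


if __name__ == "__main__":
    for host, role, ip in exposed_interfaces(INVENTORY, MANAGEMENT_NETS):
        print(f"EXPOSED   {role:<4} {host:<12} {ip}  (outside management subnet)")
    for ts, svc, src, user, res, sev in suspicious_access(SAMPLE_LOG, JUMP_HOSTS):
        print(f"REVIEW    {sev:<6} {ts} {svc} src={src} user={user} result={res}")
```

Running the script lists the two interfaces that are reachable from production and corporate VLANs and the three log entries that did not come from a jump host; in a live environment, the inventory would be generated from the CMDB or a UCS Manager export and the log text read from the exported access logs rather than embedded in the file.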