CVE-2026-20095 - Vulnerability Details

- Cisco Integrated Management Controller Command Injection Vulnerability

Description

A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with admin-level privileges to perform command injection attacks on an affected system and execute arbitrary commands as the root user.

This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as the root user. Cisco has assigned this vulnerability a Security Impact Rating (SIR) of High, rather than Medium as the score indicates, because additional security implications could occur once the attacker has become root.

Published: 2026-04-01

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the web‑based management interface of Cisco Integrated Management Controller allows an authenticated remote attacker with administrative privileges to inject and execute arbitrary commands as the system’s root user. The vulnerability arises from improper validation of user supplied input, enabling command injection that can compromise system confidentiality, integrity, and availability.

Affected Systems

Affected vendors include Cisco Enterprise NFV Infrastructure Software, Cisco Unified Computing System (Standalone), and Cisco Unified Computing System E‑Series Software. Specific product versions are not listed in the advisory, so any release of these products may be impacted until a patch is applied.

Risk and Exploitability

The CVSS score of 6.5 reflects the severity of this remote code execution risk. The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog. Exploitation requires network access to the web interface and valid administrator credentials, after which the attacker can run shell commands with root privileges, potentially leading to full system compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Enterprise NFV Infrastructure Software

unknown

Version	Status	Constraints
`4.1.1`	affected	—
`3.9.1`	affected	—
`3.5.2`	affected	—
`3.12.2`	affected	—
`3.6.2`	affected	—
`3.9.2`	affected	—
`3.11.3`	affected	—
`3.11.1`	affected	—
`3.5.1`	affected	—
`3.3.1`	affected	—
`3.10.2`	affected	—
`3.12.1b`	affected	—
`3.4.1`	affected	—
`3.12.1a`	affected	—
`3.6.3`	affected	—
`3.8.1`	affected	—
`3.11.2`	affected	—
`3.12.1`	affected	—
`3.12.3`	affected	—
`3.10.1`	affected	—
`3.6.1`	affected	—
`3.10.3`	affected	—
`3.7.1`	affected	—
`4.1.2`	affected	—
`4.2.1`	affected	—
`4.2.2`	affected	—
`4.4.1`	affected	—
`4.4.2`	affected	—
`4.5.1`	affected	—
`4.4.3`	affected	—
`4.6.1`	affected	—
`4.7.1`	affected	—
`4.6.2-FC2`	affected	—
`4.6.2-FC3`	affected	—
`4.6.2`	affected	—
`4.8.1`	affected	—
`4.8.2`	affected	—
`4.9.1`	affected	—
`4.6.3`	affected	—
`4.9.2-FC5`	affected	—
`4.9.2`	affected	—
`4.10.1`	affected	—
`4.9.3`	affected	—
`4.11.1`	affected	—
`4.9.4`	affected	—
`4.12.1`	affected	—
`4.6.4`	affected	—
`4.12.2`	affected	—
`4.13.1`	affected	—
`4.9.4-ES8`	affected	—
`4.9.5`	affected	—
`4.12.3`	affected	—
`4.6.5-ES1`	affected	—
`4.9.4-ES9`	affected	—
`4.14.1`	affected	—
`4.6.3-FC4`	affected	—
`4.9.4-FC3`	affected	—
`4.12.4`	affected	—
`4.15.1`	affected	—
`4.9.6`	affected	—
`4.16.1`	affected	—
`4.15.2`	affected	—
`4.12.5`	affected	—
`4.15.3`	affected	—
`4.15.4`	affected	—
`4.18.1`	affected	—
`4.12.6`	affected	—
`4.18.2`	affected	—
`4.18.2a`	affected	—

Cisco

Cisco Unified Computing System (Standalone)

unknown

Version	Status	Constraints
`4.0(2g)`	affected	—
`3.1(2i)`	affected	—
`3.1(1d)`	affected	—
`4.0(4i)`	affected	—
`4.1(1c)`	affected	—
`4.0(2c)`	affected	—
`4.0(1e)`	affected	—
`4.0(2h)`	affected	—
`4.0(4h)`	affected	—
`4.0(1h)`	affected	—
`4.0(2l)`	affected	—
`3.1(3g)`	affected	—
`4.0(1.240)`	affected	—
`4.0(2f)`	affected	—
`4.0(1g)`	affected	—
`4.0(2i)`	affected	—
`3.1(3i)`	affected	—
`4.0(4d)`	affected	—
`4.1(1d)`	affected	—
`3.1(3c)`	affected	—
`4.0(4k)`	affected	—
`3.1(2d)`	affected	—
`3.1(3a)`	affected	—
`3.1(3j)`	affected	—
`4.0(2d)`	affected	—
`4.1(1f)`	affected	—
`4.0(4j)`	affected	—
`4.0(2m)`	affected	—
`4.0(2k)`	affected	—
`4.0(1c)`	affected	—
`4.0(4f)`	affected	—
`4.0(4c)`	affected	—
`3.1(3d)`	affected	—
`3.1(2g)`	affected	—
`3.1(2c)`	affected	—
`4.0(1d)`	affected	—
`3.1(2e)`	affected	—
`4.0(1a)`	affected	—
`4.0(1b)`	affected	—
`3.1(3b)`	affected	—
`4.0(4b)`	affected	—
`3.1(2b)`	affected	—
`4.0(4e)`	affected	—
`3.1(3h)`	affected	—
`4.0(4l)`	affected	—
`4.1(1g)`	affected	—
`4.1(2a)`	affected	—
`4.0(2n)`	affected	—
`4.1(1h)`	affected	—
`3.1(3k)`	affected	—
`4.1(2b)`	affected	—
`4.0(2o)`	affected	—
`4.0(4m)`	affected	—
`4.1(2d)`	affected	—
`4.1(3b)`	affected	—
`4.0(2p)`	affected	—
`4.1(2e)`	affected	—
`4.1(2f)`	affected	—
`4.0(4n)`	affected	—
`4.0(2q)`	affected	—
`4.1(3c)`	affected	—
`4.0(2r)`	affected	—
`4.1(3d)`	affected	—
`4.1(2g)`	affected	—
`4.1(2h)`	affected	—
`4.1(3g)`	affected	—
`4.1(3f)`	affected	—
`4.1(2j)`	affected	—
`4.1(2k)`	affected	—
`4.1(3h)`	affected	—
`4.2(2a)`	affected	—
`4.1(3i)`	affected	—
`4.2(2f)`	affected	—
`4.2(2g)`	affected	—
`4.2(3b)`	affected	—
`4.1(3l)`	affected	—
`4.2(3d)`	affected	—
`4.3(1.230097)`	affected	—
`4.2(1e)`	affected	—
`4.2(1b)`	affected	—
`4.2(1j)`	affected	—
`4.2(1i)`	affected	—
`4.2(1f)`	affected	—
`4.2(1a)`	affected	—
`4.2(1c)`	affected	—
`4.2(1g)`	affected	—
`4.3(1.230124)`	affected	—
`4.1(2l)`	affected	—
`4.2(3e)`	affected	—
`4.3(1.230138)`	affected	—
`4.2(3g)`	affected	—
`4.3(2.230207)`	affected	—
`4.2(3h)`	affected	—
`4.2(3i)`	affected	—
`4.3(2.230270)`	affected	—
`4.1(3m)`	affected	—
`4.1(2m)`	affected	—
`4.3(2.240002)`	affected	—
`4.3(3.240022)`	affected	—
`4.2(3j)`	affected	—
`4.1(3n)`	affected	—
`4.3(2.240009)`	affected	—
`4.3(3.240041)`	affected	—
`4.2(3k)`	affected	—
`4.3(3.240043)`	affected	—
`4.3(4.240142)`	affected	—
`4.3(2.240037)`	affected	—
`4.3(2.240053)`	affected	—
`4.3(4.240152)`	affected	—
`4.2(3l)`	affected	—
`4.3(2.240077)`	affected	—
`4.3(4.242028)`	affected	—
`4.3(4.241063)`	affected	—
`4.3(4.242038)`	affected	—
`4.2(3m)`	affected	—
`4.3(2.240090)`	affected	—
`4.3(5.240021)`	affected	—
`4.3(2.240107)`	affected	—
`4.3(4.242066)`	affected	—
`4.2(3n)`	affected	—
`4.3(5.250001)`	affected	—
`4.2(3o)`	affected	—
`4.3(2.250016)`	affected	—
`4.3(2.250021)`	affected	—
`4.3(5.250030)`	affected	—
`4.3(2.250022)`	affected	—
`4.3(6.250039)`	affected	—
`4.3(6.250040)`	affected	—
`4.3(5.250033)`	affected	—
`4.3(6.250044)`	affected	—
`4.3(6.250053)`	affected	—
`4.3(2.250037)`	affected	—
`4.3(2.250045)`	affected	—
`4.3(4.252001)`	affected	—
`4.3(4.252002)`	affected	—
`6.0(1.250127)`	affected	—
`4.2(3p)`	affected	—
`6.0(1.250131)`	affected	—
`4.3(6.250101)`	affected	—
`6.0(1.250174)`	affected	—
`4.3(6.250117)`	affected	—
`4.3(5.250043)`	affected	—
`4.3(5.250045)`	affected	—
`4.3(6.250060)`	affected	—
`6.0(1.250130)`	affected	—
`4.3(4.241014)`	affected	—
`4.3(2.250063)`	affected	—
`6.0(1.250192)`	affected	—
`4.3(6.260003)`	affected	—
`6.0(1.250194)`	affected	—

Cisco

Cisco Unified Computing System E-Series Software (UCSE)

unknown

Version	Status	Constraints
`3.2.7`	affected	—
`3.2.6`	affected	—
`3.2.4`	affected	—
`3.2.10`	affected	—
`3.2.2`	affected	—
`3.2.3`	affected	—
`2.4.0`	affected	—
`3.2.1`	affected	—
`3.2.11.1`	affected	—
`3.2.8`	affected	—
`3.1.1`	affected	—
`3.0.2`	affected	—
`2.1.0`	affected	—
`2.2.2`	affected	—
`3.1.2`	affected	—
`3.0.1`	affected	—
`2.3.2`	affected	—
`2.3.5`	affected	—
`2.2.1`	affected	—
`3.1.4`	affected	—
`2.4.1`	affected	—
`2.3.1`	affected	—
`3.1.3`	affected	—
`2.3.3`	affected	—
`2.4.2`	affected	—
`3.1.5`	affected	—
`3.1.0`	affected	—
`2.0.0`	affected	—
`3.2.11.3`	affected	—
`3.2.11.5`	affected	—
`3.2.12.2`	affected	—
`3.2.13.6`	affected	—
`3.2.14`	affected	—
`4.11.1`	affected	—
`3.2.15`	affected	—
`4.12.1`	affected	—
`3.2.15.3`	affected	—
`4.12.2`	affected	—
`3.2.16.1`	affected	—
`4.00`	affected	—
`4.15.2`	affected	—
`4.02`	affected	—

No data.

Vendor Product Confidence Versions

Cisco

Enterprise Nfv Infrastructure Software

94%

Version	Status	Scheme	Platform
`4.1.1`	affected	semver	—

Cisco

Unified Computing System

100%

Version	Status	Scheme	Platform
`4.0(2g)`	affected	semver	—

Cisco

Unified Computing System Software

100%

Version	Status	Scheme	Platform
`3.2.7`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Cisco security advisory update that addresses the command injection vulnerability.
Verify that the patch has been deployed on all affected systems.
Restrict remote administrative access to trusted networks or VPNs.
Enforce strong authentication and limit administrative privileges to the minimum necessary.

Generated by OpenCVE AI on April 2, 2026 at 02:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00087.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-3hKN3bVt

History

Fri, 03 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco enterprise Nfv Infrastructure Software Cisco unified Computing System Cisco unified Computing System Software
Vendors & Products		Cisco Cisco enterprise Nfv Infrastructure Software Cisco unified Computing System Cisco unified Computing System Software

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with admin-level privileges to perform command injection attacks on an affected system and execute arbitrary commands as the root user. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as the root user. Cisco has assigned this vulnerability a Security Impact Rating (SIR) of High, rather than Medium as the score indicates, because additional security implications could occur once the attacker has become root.
Title		Cisco Integrated Management Controller Command Injection Vulnerability
Weaknesses		CWE-77
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-3hKN3bVt
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Cisco Enterprise Nfv Infrastructure Software Unified Computing System Unified Computing System Software

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-04-01T16:28:47.898Z

Updated: 2026-04-22T19:09:41.775Z

Reserved: 2025-10-08T11:59:15.369Z

Link: CVE-2026-20095

Vulnrichment

Updated: 2026-04-01T18:16:40.974Z

NVD

Status : Awaiting Analysis

Published: 2026-04-01T17:28:29.670

Modified: 2026-04-03T16:11:11.357

Link: CVE-2026-20095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T08:58:33Z

Weaknesses

CWE-77

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object