Cyber Posture

CVE-2026-20094

High

Published: 01 April 2026

Published
01 April 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0044 63.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with read-only privileges to perform command injection attacks on an affected system and execute arbitrary commands as the root user. This vulnerability is due…

more

to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending crafted commands to the web-based management interface of the affected software. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system as the root user.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the improper validation of user-supplied input in the web-based management interface, preventing command injection attacks.

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of the specific command injection flaw in Cisco IMC, eliminating the vulnerability through patching.

AC-6 Least Privilege partial match
prevent

Enforces least privilege to ensure read-only users and web interface processes cannot execute arbitrary root commands even if injection occurs.

Security SummaryAI

CVE-2026-20094 is a command injection vulnerability (CWE-77) in the web-based management interface of Cisco Integrated Management Controller (IMC). The flaw arises from improper validation of user-supplied input, enabling an authenticated remote attacker with read-only privileges to perform command injection attacks. Published on 2026-04-01, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with read-only access to the IMC web interface can exploit this vulnerability by sending crafted commands. Successful exploitation allows execution of arbitrary commands on the underlying operating system with root user privileges, potentially leading to full system compromise including high confidentiality, integrity, and availability impacts.

Mitigation details are available in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-cmd-inj-3hKN3bVt. Security practitioners should consult this reference for patch information and workarounds applicable to affected IMC versions.

Details

CWE(s)
CWE-77

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

Command injection in web management interface enables exploitation of public-facing application (T1190), privilege escalation from read-only to root (T1068), and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References