Cisco Patches Critical and High-Severity Vulnerabilities

The bugs could lead to authentication bypass, remote code execution, information disclosure, and privilege escalation.

Cisco on Wednesday announced fixes for two critical and six high-severity vulnerabilities that could be exploited for authentication bypass, remote code execution, privilege escalation, and information disclosure.

One of the critical bugs, tracked as CVE-2026-20160, impacts Cisco Smart Software Manager On-Prem (SSM On-Prem) and could allow attackers to abuse an erroneously exposed internal service to execute arbitrary commands.

“An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges,” Cisco says.

The second critical flaw is CVE-2026-20093, an authentication bypass issue rooted in the incorrect handling of password change requests.

An unauthenticated attacker could send crafted HTTP requests to a vulnerable device and modify user passwords, including those of administrators ...