CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-20160

CVSS 9.8v3.1pub. 2026-04-01upd. 2026-07-01

A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host. This vulnerability is due to the unintentional exposure of an internal service. An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

🤖 AI Analysis
How it works

The vulnerability results from unintended exposure of an internal SSM On-Prem service (CWE-668 — exposure of resource to wrong recipient). Attacker can send a specially crafted request to the API of this unintentionally exposed service. Successful exploitation of the vulnerability allows execution of arbitrary system commands with root privilege level on the host device.

Impact

Attacker gains full control over the host operating system with root privileges, enabling data reading and modification, installation of malicious software, and further lateral movement in the network. The consequence may be complete takeover of Cisco license management infrastructure.

Mitigation & patch

Apply patches available from the vendor according to references — detailed information about patched versions is available in the Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ssm-cli-execution-cHUcWuNr. Until the patch is deployed, consider restricting network access to the SSM On-Prem API interface exclusively to trusted hosts.

Who is affected

Cisco Smart Software Manager On-Prem (SSM On-Prem) — specific versions indicated in vendor references (Cisco Security Advisory cisco-sa-ssm-cli-execution-cHUcWuNr)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Cisco Smart Software Manager On Prem

    APP
    Cisco
    9-202502 – 9-202601 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2024-20419CRITICAL10.0PL ✓ten sam produkt

Cisco SSM On-Prem: nieuwierzytelniona zmiana hasła dowolnego użytkownika

CVE-2020-3158CRITICAL9.1ten sam produkt

A vulnerability in the High Availability (HA) service of Cisco Smart Software Manager On-Prem could allow an u...

CVE-2019-16029CRITICAL9.1ten sam produkt

A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could a...

CVE-2022-20808HIGH7.7ten sam produkt

A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote att...

CVE-2021-1219HIGH7.8ten sam produkt

A vulnerability in Cisco Smart Software Manager Satellite could allow an authenticated, local attacker to acce...