Cisco has released emergency patches for a critical authentication bypass vulnerability in its Integrated Management Controller (IMC) that scores a near-perfect 9.8 out of 10 on the CVSS severity scale. The flaw, tracked as CVE-2026-20093, lets an unauthenticated attacker send a single crafted HTTP request to take over any user account on the system — including the administrator, as reported by BleepingComputer. Cisco also patched a separate critical remote code execution bug (CVE-2026-20160) in its Smart Software Manager On-Prem the same week.
For wealth management firms, this one matters. Cisco UCS servers and network appliances are common in financial services environments, particularly for running client portals, secure communications platforms, and compliance infrastructure. An attacker who gains admin access to your server management interface can pivot deep into your network — exactly the kind of breach that triggers mandatory OAIC notification and potentially the new statutory tort for serious privacy invasions that came into force under the amended Privacy Act. The affected product list is broad: UCS C-Series and E-Series servers, plus any Cisco appliance built on those platforms, including firewalls and security analytics boxes.
There are no workarounds for this one. If your organisation runs any Cisco UCS infrastructure or appliances with the IMC management interface reachable from a network, get your IT provider to apply the patch immediately. Cisco says there is no evidence of active exploitation yet, but a 9.8-rated authentication bypass that needs only a single HTTP request is the kind of flaw that gets weaponised fast.
If you are not sure whether your environment includes affected Cisco gear, All IT Services can audit your infrastructure and ensure critical patches are applied promptly. For wealth management clients, we also offer ongoing cybersecurity monitoring that catches these advisories before they become incidents.