VYPR
Medium severity 4.8 · NVD Advisory · Published Apr 1, 2026 · Updated Apr 3, 2026

CVE-2026-20090

Description

A vulnerability in the web-based management interface of Cisco IMC could allow an authenticated, remote attacker with administrative privileges to conduct a stored XSS attack against a user of the interface.

This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cisco IMC web interface has a stored XSS vulnerability allowing authenticated admin to execute arbitrary script in a user's browser.

Vulnerability

Overview

CVE-2026-20090 is a stored cross-site scripting (XSS) vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) of multiple Cisco products, including 5000 Series ENCS, Catalyst 8300 Series Edge uCPE, UCS C-Series M5/M6 rack servers, and UCS E-Series servers [1]. The vulnerability arises from insufficient validation of user-supplied input, allowing an authenticated attacker with administrative privileges to inject malicious script into the interface [1].

Exploitation

Conditions

To exploit this vulnerability, an attacker must first authenticate to the Cisco IMC web interface with administrative credentials. The attacker then injects malicious script into a stored field (e.g., a configuration parameter). The exploit is triggered when a different user (or the same user) accesses the affected interface and clicks a crafted link, which causes the injected script to execute in the context of the victim's browser session [1]. No additional network access beyond the management interface is required, but the administrative-privilege requirement limits the attack surface to already-trusted users.
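The stored XSS pattern described above, as an added example that is not Cisco's code and not part of this advisory: a hypothetical stored configuration field (a hostname) is rendered into a management page once without output encoding and once with it, next to a server-side allow-list check on the field. The function names, the record layout, and the sample value are all constructed for illustration; nothing here reflects how Cisco IMC actually renders its interface.

```javascript
// Added example, not Cisco code. Demonstrates why "insufficient validation
// of user input" in a stored field becomes stored XSS, and the two controls
// (output encoding + input validation) that close it.

// Entity encoder for the HTML element-content context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical stored configuration record, as an administrator might save it.
// The value is constructed: a hostname with a script tag appended.
const storedConfig = { hostname: "imc-lab-01<script>alert(1)</script>" };

// Vulnerable pattern: the stored value is interpolated straight into markup,
// so whatever an admin saved is later parsed as HTML by every viewer's browser.
function renderHostnameUnsafe(config) {
  return `<td>${config.hostname}</td>`;
}

// Hardened pattern: encode for the element-content context at render time.
function renderHostnameSafe(config) {
  return `<td>${escapeHtml(config.hostname)}</td>`;
}

// Server-side allow-list validation for a hostname label (RFC 1123 style):
// applied when the value is stored, in addition to, not instead of, encoding.
const HOSTNAME_RE = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
function validateHostname(value) {
  return HOSTNAME_RE.test(value);
}

// Review/test helper: does the rendered markup still carry an unencoded tag
// that originated in the untrusted value?
function containsRawTag(markup, value) {
  const tag = value.match(/<[A-Za-z]+[^>]*>/);
  return tag !== null && markup.includes(tag[0]);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe :", renderHostnameUnsafe(storedConfig));
  console.log("safe   :", renderHostnameSafe(storedConfig));
  console.log("valid? :", validateHostname(storedConfig.hostname));
}
```

The unsafe renderer emits the stored `<script>` element verbatim; the safe renderer emits `&lt;script&gt;`, which the browser displays as text. The allow-list rejects the constructed value at save time, which is the "validation" layer the advisory says was insufficient; output encoding is the layer that still protects viewers when a value slips past validation.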

Impact

Successful exploitation allows the attacker to execute arbitrary script code in the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive browser-based information such as cookies or authentication tokens [1]. Because the attacker is already an admin, the primary risk is lateral movement or privilege escalation within the management interface's user sessions.

Mitigation

Cisco has released software updates that address this vulnerability. There are no workarounds available [1]. Administrators should upgrade to the latest fixed version of Cisco IMC for their respective platforms. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)