CVE-2026-20160

Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability

Assigner: cisco
Reserved: 08.10.2025 Published: 01.04.2026 Updated: 02.04.2026

A vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected SSM On-Prem host.

This vulnerability is due to the unintentional exposure of an internal service. An attacker could exploit this vulnerability by sending a crafted request to the API of the exposed service. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Cisco
Product	Cisco Smart Software Manager On-Prem
Versions	Default: unknown Version 9-202502 is affected Version 9-202504 is affected Version 9-202507 is affected Version 9-202510 is affected

Vendor

Cisco

Product

Cisco Smart Software Manager On-Prem

Versions

Default: unknown

Version 9-202502 is affected
Version 9-202504 is affected
Version 9-202507 is affected
Version 9-202510 is affected

Exploits

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

References

Problem Types