Technical Details Released for Critical Cisco SSM Command Execution Vulnerability
Security researchers have published technical details regarding a highly critical vulnerability in the Cisco Smart Software Manager On-Prem (SSM On-Prem).
Tracked as CVE-2026-20160, this flaw carries a near-maximum CVSS score of 9.8. It allows remote, unauthenticated attackers to execute commands as a root user.
With no workarounds available, organizations must apply patches immediately to secure their networks.
Cisco SSM On-Prem helps organizations manage their software licenses locally, keeping them off the public internet. Because of this, the appliance usually sits deep inside trusted internal networks.
The vulnerability stems from an internal service that was accidentally left exposed. By sending a specially crafted API request to this endpoint, an attacker can bypass all authentication checks.
Once successful, the attacker gains root-level access, meaning they have complete and total control over the underlying operating system.
Because the SSM On-Prem appliance operates within a trusted network segment and holds important deployment data, it is a high-value target for threat actors.
A successful compromise gives hackers a powerful and highly privileged foothold. From there, attackers can move laterally to other parts of the network, establish long-term persistence, and steal sensitive operational data.
Cisco has confirmed that no authentication is required to pull off this attack, making it incredibly easy for remote attackers to exploit if they can reach the system.
Affected Versions and Fixes
Cisco states that upgrading the system is the only way to fix this issue, as there are no temporary workarounds available.
- Affected versions include releases 9-202502 through 9-202510.
- The fixed software is release 9-202601 and later.
- Releases older than 9-202502 are not impacted by this flaw.
Administrators must upgrade their systems to the fixed release immediately to prevent a full system takeover.
Following Cisco’s April 1 advisory, the research team at Horizon3.ai successfully reverse-engineered the vulnerability on April 8.
They have released a NodeZero Rapid Response test, allowing security teams to safely check if their environment is exposed.
Organizations are encouraged to run this test, apply the required Cisco patch, and re-run the test to confirm the fix was entirely successful.