Technical Details Revealed for Critical Cisco Smart Software Manager RCE Flaw
Technical details have been disclosed for a critical-severity vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges. No credentials are needed to exploit it, and Cisco offers no workaround.
Tracked as CVE-2026-20160, the flaw carries a CVSS 3.1 score of 9.8, placing it among the most severe vulnerabilities Cisco has disclosed this year.
Cisco published its advisory for the issue on April 1, 2026, and states that upgrading to a fixed release is the only path to remediation.
Cisco Smart Software Manager RCE Flaw
SSM On-Prem is typically deployed within trusted, internal management networks, making it a high-value target for attackers who already have a foothold or can reach management segments.
The root cause of CVE-2026-20160 is the unintended exposure of an internal service. An attacker can send a specially crafted API request to this exposed endpoint and trigger arbitrary command execution as root on the underlying host, without authenticating first.
Cisco has confirmed three critical facts about this vulnerability: no authentication is required to exploit it, exploitation yields root-level command execution, and there are no available workarounds. Patching is mandatory.
Successful exploitation gives an attacker full control of the SSM On-Prem appliance. Because the system manages licensing and deployment metadata and sits inside a trusted network zone, that control is especially valuable.
A compromised instance provides a privileged internal foothold that threat actors could use for lateral movement, persistence, and access to sensitive operational data.
Affected Versions and the Fix
Organizations should immediately check which release of SSM On-Prem they are running:
- Affected: Cisco SSM On-Prem releases 9-202502 through 9-202510
- Not affected: Releases earlier than 9-202502
- Fixed: Release 9-202601 and later
Cisco’s advisory explicitly states that there is no configuration-based mitigation. The only remediation is upgrading to release 9-202601 or a later version.
Timeline of Disclosure and Research
- April 1, 2026: Cisco published its security advisory, and the CVE record was officially assigned
- April 8, 2026: Security firm Horizon3.ai announced that its research team had reverse-engineered the vulnerability and released Rapid Response coverage through its NodeZero platform
Horizon3.ai’s NodeZero platform enables organizations to safely validate whether their SSM On-Prem deployment is exploitable, allowing security teams to confirm exposure before and after patching.
Recommended Actions
Given the critical nature of CVE-2026-20160 and the absence of any workaround, security teams should treat this as an emergency patch priority:
- Identify all SSM On-Prem deployments across your environment immediately
- Apply Cisco’s fixed release (9-202601 or later) as the sole remediation
- Restrict network access to SSM On-Prem management interfaces as a defense-in-depth measure while patching is underway
- Review logs for any anomalous API requests to the SSM On-Prem service, particularly from unexpected source IPs
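The inventory and log-review steps above can be scripted. The following is an added example, not code from Cisco, Horizon3.ai, or the advisory: it classifies an SSM On-Prem release string against the affected and fixed ranges listed above, and scans access-log lines for API requests from source IPs outside an allowlist of known management hosts. The release-string format (`9-YYYYMM`), the log line format, the `/api/` path prefix, the management subnet, and the sample log lines are all assumptions made for illustration; the appliance's real log format and your management segment will differ. Releases that fall between the last affected release and the first fixed release are not listed in the advisory, so the classifier reports them as unlisted rather than guessing.

```python
"""Triage helpers for CVE-2026-20160 (Cisco SSM On-Prem).

Added example, not Cisco's or Horizon3.ai's code. Two pieces:
  1. classify_release(): maps a release string of the (assumed) form
     "9-YYYYMM" onto the affected / not affected / fixed ranges that
     Cisco's advisory lists.
  2. flag_unexpected_api_requests(): scans access-log lines for API
     requests from source IPs outside a management allowlist.
     The log format and the "/api/" prefix are assumptions; adjust
     LOG_RE and api_prefix to match the appliance's real logs.
"""
import ipaddress
import re
from collections import Counter

# Ranges from the advisory, as (major, YYYYMM) tuples for easy comparison.
AFFECTED_FIRST = (9, 202502)   # first affected release
AFFECTED_LAST = (9, 202510)    # last affected release
FIXED_FIRST = (9, 202601)      # first fixed release

_RELEASE_RE = re.compile(r"^(\d+)-(\d{6})$")


def parse_release(release: str) -> tuple:
    """Parse '9-202507' into (9, 202507). Raises ValueError on other shapes."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised SSM On-Prem release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def classify_release(release: str) -> str:
    """Return 'not affected', 'affected', 'fixed', or 'unlisted'."""
    ver = parse_release(release)
    if ver < AFFECTED_FIRST:
        return "not affected"
    if ver <= AFFECTED_LAST:
        return "affected"
    if ver >= FIXED_FIRST:
        return "fixed"
    # e.g. 9-202511: not named in the advisory. Treat as needing
    # confirmation with Cisco rather than assuming it is safe.
    return "unlisted"


# Assumed common-log-style line: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed management segment from which SSM On-Prem API calls are expected.
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample lines (not real SSM On-Prem logs). Paths are placeholders.
SAMPLE_LOG = """\
10.10.5.20 - - [02/Apr/2026:09:12:01 +0000] "GET /api/v1/licenses HTTP/1.1" 200 512
10.10.5.21 - - [02/Apr/2026:09:12:07 +0000] "POST /api/v1/sync HTTP/1.1" 200 88
198.51.100.77 - - [02/Apr/2026:09:13:44 +0000] "POST /api/v1/devices HTTP/1.1" 200 16
198.51.100.77 - - [02/Apr/2026:09:13:45 +0000] "POST /api/v1/devices HTTP/1.1" 200 16
10.10.5.20 - - [02/Apr/2026:09:14:02 +0000] "GET /static/app.js HTTP/1.1" 200 4096
"""


def flag_unexpected_api_requests(log_text, allowlist=MANAGEMENT_ALLOWLIST,
                                 api_prefix="/api/"):
    """Return (findings, per_ip_counts) for API requests from non-allowlisted IPs.

    Lines that do not parse, non-API paths, and allowlisted sources are skipped.
    """
    findings = []
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(api_prefix):
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in allowlist):
            continue
        counts[str(ip)] += 1
        findings.append({
            "ip": str(ip), "ts": m["ts"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
        })
    return findings, counts


if __name__ == "__main__":
    for rel in ("9-202501", "9-202507", "9-202510", "9-202511", "9-202601"):
        print(f"{rel}: {classify_release(rel)}")
    hits, by_ip = flag_unexpected_api_requests(SAMPLE_LOG)
    for h in hits:
        print(f"UNEXPECTED {h['ip']} {h['ts']} {h['method']} {h['path']} -> {h['status']}")
    print("requests per unexpected source:", dict(by_ip))
```

Run it against an export of the appliance's access log (after fixing `LOG_RE` to the real format) and feed the release string from each deployment into `classify_release`; anything reported as `affected` or `unlisted` goes on the emergency patch list, and any source in the per-IP counts that is not a known management host warrants a closer look at what it requested and when.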
With no authentication barrier and a CVSS score of 9.8, CVE-2026-20160 should be treated with the same urgency as an actively exploited zero-day. Organizations running affected versions are strongly urged to patch immediately.