CVE-2026-20151: Privilege Escalation via Improper Credential Exposure in Cisco SSM On-Prem
CVE-2026-20151 Published on April 1, 2026

Cisco Smart Software Manager On-Prem Privilege Escalation Vulnerability
A vulnerability in the web interface of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to the improper transmission of sensitive user information. An attacker could exploit this vulnerability by sending a crafted message to an affected Cisco SSM On-Prem host and retrieving session credentials from subsequent status messages. A successful exploit could allow the attacker to elevate privileges on the affected system from low to administrative. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of System User. Note: This vulnerability exposes information only about users who logged in to the Cisco SSM On-Prem host using the web interface and who are currently logged in. SSH sessions are not affected.

NVD

Vulnerability Analysis

CVE-2026-20151 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

HIGH

Availability Impact:

NONE

Weakness Type

Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).

Products Associated with CVE-2026-20151

Want to know whenever a new CVE is published for Cisco Smart Software Manager On Prem? stack.watch will email you.

Cisco Smart Software Manager On Prem

Affected Versions

Cisco Smart Software Manager On-Prem:

Version 7-202001 is affected.
Version 8-202004 is affected.
Version 8-202006 is affected.
Version 8-202012 is affected.
Version 8-202010 is affected.
Version 8-202008 is affected.
Version 9-202201 is affected.
Version 8-202102 is affected.
Version 8-202105 is affected.
Version 8-202108 is affected.
Version 8-202112 is affected.
Version 8-202201 is affected.
Version 8-202206 is affected.
Version 8-202212 is affected.
Version 8-202302 is affected.
Version 8-202303 is affected.
Version 8-202304 is affected.
Version 8-202308 is affected.
Version 8-202401 is affected.
Version 8-202404 is affected.
Version 9-202406 is affected.
Version 9-202407 is affected.
Version 9-202410 is affected.
Version 9-202412 is affected.
Version 9-202501 is affected.
Version 9-202502 is affected.
Version 9-202504 is affected.
Version 9-202507 is affected.
Version 9-202510 is affected.

Exploit Probability

EPSS

0.04%

Percentile

13.06%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.