Cyber Threat Brief — April 3 2026
⚠️ This report is AI-generated. Always validate findings.
1. Cisco IMC Auth Bypass + SSM On-Prem RCE — CVE-2026-20093 / CVE-2026-20160
TL;DR: Two CVSS 9.8 pre-auth flaws in Cisco infrastructure management: IMC password-overwrite bypass affecting UCS servers and ENCS, plus SSM On-Prem root-level RCE via exposed internal service. No ITW exploitation yet, but pre-auth 9.8 on out-of-band management planes = patch now.
What’s New:
- CVE-2026-20093: incorrect handling of password change requests in Cisco IMC lets an unauthenticated attacker send a crafted HTTP request that overwrites any user's password (including admin), giving full control of the server management plane
- CVE-2026-20160: unintentional exposure of an internal inter-component service in SSM On-Prem allows an unauthenticated attacker to execute arbitrary OS commands as root
- Affected: Cisco UCS C-Series M5/M6 Rack Servers (standalone), 5000 Series ENCS (IMC); SSM On-Prem releases 9-202502 through 9-202510
- Patches released April 1-2, 2026: IMC via firmware update, SSM On-Prem fixed in 9-202601
- No PoC or in-the-wild exploitation reported yet, but Shodan routinely shows Cisco IMC interfaces exposed to the internet
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| HTTP requests to IMC password change API | Exploit trigger | T1190 | Cisco IMC audit logs, web proxy | Hunt for unauthenticated POST requests to IMC management interface password endpoints |
| Unexpected admin password reset events | Post-exploit indicator | T1098 | Cisco IMC audit logs | Alert on admin password changes outside change windows |
| SSM On-Prem internal service API (exposed) | Exploit trigger | T1190 | Network traffic, SSM logs | Audit SSM network exposure; restrict to management VLAN |
| Root-level process spawning from SSM service | Post-exploit behavior | T1059.004 | Sysmon (if applicable), process logs | Alert on SSM service spawning shell processes |
| Cisco IMC on TCP/443 (HTTPS management) | Attack surface | T1190 | Shodan, firewall logs | Audit internet-facing IMC instances; block external access |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need: Cisco IMC admin password change anomaly detection; SSM On-Prem service command execution monitoring |
| Elastic | None specific | Gap: No Cisco IMC/SSM-specific detection rules |
| Sigma | None specific | Gap: No rules for Cisco IMC password bypass or SSM service exposure |
Sources: Cisco Advisory · The Hacker News · SecurityOnline · GB Hackers
2. nginx-ui Unauthenticated MCP Endpoint Takeover — CVE-2026-33032
TL;DR: CVSS 9.8 unauthenticated RCE in nginx-ui via exposed /mcp_message endpoint — default empty IP whitelist means allow-all. Public PoC available, no patch yet. Attackers can restart Nginx, modify configs, and execute commands.
What’s New:
- Two HTTP endpoints exposed: `/mcp` (properly authenticated) and `/mcp_message` (IP whitelist only; an empty whitelist, the default, means allow all)
- An unauthenticated attacker can invoke all MCP tools: restart Nginx, create/modify/delete configuration files, and so take full control of the service, leading to RCE
- Companion CVE-2026-33026 (CVSS 9.4): backup restore tampering. The AES key/IV is sent to the client, so an attacker can decrypt the backup, inject `StartCmd = bash` into app.ini, re-encrypt it and restore it to get command execution
- CVE-2026-33032: no patch available (affects ≤ v2.3.5); CVE-2026-33026: patched in v2.3.4
- Public PoC exploits disclosed for both vulnerabilities
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| GET/POST /mcp_message | Exploit endpoint | T1190 | Web server access logs, WAF | Block external access to /mcp_message and /mcp endpoints; alert on any request |
| GET/POST /mcp | Authenticated endpoint | T1190 | Web server access logs | Monitor for unauthorized access attempts |
| Nginx config file modifications | Post-exploit indicator | T1565.001 | File integrity monitoring, auditd | Alert on unexpected changes to nginx configuration files |
| StartCmd = bash in app.ini | Persistence/RCE payload | T1059.004 | File integrity monitoring | Monitor app.ini for injection of shell commands |
| Backup restore API calls | Exploit vector (CVE-2026-33026) | T1190 | nginx-ui application logs | Alert on backup restore operations from unexpected sources |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need: Web request monitoring for /mcp_message endpoint; nginx config file change detection |
| Elastic | None specific | Gap: No nginx-ui specific rules |
| Sigma | web_access_suspicious_path.yml (generic, partial) | Gap: No specific nginx-ui MCP endpoint rules |
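Since none of the rule sets above cover nginx-ui, the following script is an added example (not code from nginx-ui or from any of the cited sources) that fills the two gaps in the table: it flags requests to `/mcp` and `/mcp_message` in NCSA combined-format access logs whose source is outside an allowed management range, and it checks an app.ini body for a shell injected into `StartCmd`. The management range (`10.0.0.0/8` plus loopback), the log lines and the app.ini body are all constructed for the example; the `[nginx]` section name is assumed, and only the `StartCmd` key comes from the brief.

```python
"""Detection helpers for the nginx-ui MCP endpoint exposure (CVE-2026-33032)
and the StartCmd backup-restore payload (CVE-2026-33026).

Added example; none of this is nginx-ui code. Inputs below are constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Assumed management range: requests to the MCP endpoints from anywhere else
# are treated as suspicious. Adjust to the real whitelist you intended to set.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]

# Exact endpoint paths named in the brief; sub-paths are matched too.
MCP_PATHS = ("/mcp", "/mcp_message")

# NCSA combined log format as written by nginx's default "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Shells an attacker would drop into StartCmd; compared against the basename
# of the first token so "/bin/bash" and "bash" both match.
SHELL_BINARIES = {"bash", "sh", "dash", "zsh", "ash", "busybox"}
START_CMD_RE = re.compile(r"^\s*StartCmd\s*=\s*(?P<value>.*?)\s*$", re.MULTILINE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_mcp_path(path: str) -> bool:
    """True for /mcp, /mcp_message and anything beneath them (query string ignored)."""
    bare = path.split("?", 1)[0]
    return any(bare == p or bare.startswith(p + "/") for p in MCP_PATHS)


def source_allowed(ip: str) -> bool:
    """True if the client address falls inside an allowed management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed address: never treat as trusted
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def find_mcp_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Every request that touched an MCP endpoint, tagged with whether its
    source was allowed. Anything with source_allowed == False is an alert."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_mcp_path(rec["path"]):
            hits.append({
                "ip": rec["ip"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "source_allowed": source_allowed(rec["ip"]),
            })
    return hits


def injected_start_cmds(app_ini_text: str) -> List[str]:
    """StartCmd values whose first token is a shell binary (restore payload)."""
    found = []
    for m in START_CMD_RE.finditer(app_ini_text):
        value = m.group("value").strip().strip('"')
        if not value:
            continue
        first_token = value.split()[0].rsplit("/", 1)[-1]
        if first_token in SHELL_BINARIES:
            found.append(value)
    return found


# Constructed sample log: one allowed probe of /mcp, two external /mcp_message
# calls (the CVE-2026-33032 pattern), one unrelated API call, one near-miss path.
SAMPLE_LOG = """\
10.1.2.3 - - [03/Apr/2026:09:12:01 +0000] "GET /mcp HTTP/1.1" 401 12 "-" "curl/8.5.0"
203.0.113.7 - - [03/Apr/2026:09:12:05 +0000] "POST /mcp_message?sessionId=abc HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.9 - - [03/Apr/2026:09:12:09 +0000] "POST /mcp_message HTTP/1.1" 200 48 "-" "curl/8.5.0"
10.1.2.3 - - [03/Apr/2026:09:13:00 +0000] "GET /api/nginx/status HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2026:09:13:10 +0000] "GET /mcpx HTTP/1.1" 404 0 "-" "curl/8.5.0"
"""

# Constructed app.ini body with the injected payload; section name is assumed.
SAMPLE_APP_INI = """\
[app]
PageSize = 10

[nginx]
StartCmd = bash
"""

if __name__ == "__main__":
    for hit in find_mcp_hits(SAMPLE_LOG.splitlines()):
        flag = "ok   " if hit["source_allowed"] else "ALERT"
        print(f"{flag} {hit['ip']:15} {hit['method']} {hit['path']} {hit['status']}")
    for cmd in injected_start_cmds(SAMPLE_APP_INI):
        print(f"ALERT app.ini StartCmd points at a shell: {cmd!r}")
```

Run it against a real `access.log` with `find_mcp_hits(open(path))` and against the restored `app.ini` with `injected_start_cmds(open(path).read())`. The path match deliberately compares whole segments, so `/mcpx` is not a hit while `/mcp_message?sessionId=...` is; an unparseable client address is treated as not allowed so the check fails closed, unlike the empty-whitelist default the brief describes.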
Sources: SecurityOnline · CyberSecurityNews · Endor Labs · GitLab Advisory
Status Updates
- CVE-2026-3055 (Citrix NetScaler): Federal CISA KEV deadline passed April 2; active exploitation ongoing via Metasploit module; no new IOCs. Original brief.
- CVE-2026-4681 (PTC Windchill): Still no vendor patch; imminent exploitation threat persists; German police are warning organizations in person. Original brief.
- CVE-2026-5281 (Chrome Dawn): CISA KEV deadline April 15; no new attribution or IOCs since April 2 coverage. Original brief.
- CVE-2025-53521 (F5 BIG-IP): UNC5221 BRICKSTORM exploitation ongoing; federal deadline passed March 30. Original brief.
- CVE-2026-20131 (Cisco FMC): Interlock ransomware exploitation ongoing; no new artifacts. Original brief.