Cisco disclosed two independent CVSS 9.8 critical vulnerabilities: CVE-2026-20093, a missing authentication flaw in Integrated Management Controller (IMC) enabling unauthenticated remote password manipulation and hardware-level control bypass across UCS C-Series M5/M6, UCS E-Series M3/M6, 5000 Series ENCS, and Catalyst 8300 Edge uCPE; and CVE-2026-20160, an exposed unauthenticated internal API in Smart Software Manager On-Prem enabling root-level command execution. Neither is currently on CISA KEV and EPSS scores are low, but CVSS 9.8 unauthenticated flaws on management infrastructure warrant sub-72-hour patch windows. Immediately restrict management interface and SSM On-Prem API access to trusted management networks and apply Cisco-issued patches per the official Security Advisory portal; all technical claims should be validated against official Cisco advisories before operational action.