
Critical Cisco Vulnerabilities: CVE-2026-20079 and CVE-2026-20131 Affecting Cisco Secure Firewall Management Center

Written by: Abstract Security Threat Research Organization (ASTRO)
Published on: Mar 4, 2026

Background

On March 4, 2026, Cisco published several security advisories addressing vulnerabilities across its Secure Firewall product line. Two of these are rated critical with a CVSS score of 10.0 and affect Cisco Secure Firewall Management Center (FMC). Both can be exploited remotely by unauthenticated attackers to execute code on an affected device and obtain root access to the underlying operating system. Cisco has released software updates to address these vulnerabilities. Currently there are no workarounds for either vulnerability, making patching the only path to remediation. At the time of publishing, Cisco PSIRT is not aware of any public announcements or malicious use of these vulnerabilities.

This post covers the critical vulnerabilities in detail, along with a summary of additional high-severity issues disclosed in the same advisory bundle.

Critical Vulnerabilities

CVE-2026-20079: Authentication Bypass (CVSS 10.0)

CVE-2026-20079 is an authentication bypass vulnerability (classified under CWE-288) in the web interface of Cisco Secure Firewall Management Center. According to Cisco, the flaw stems from an improper system process created at boot time. By sending crafted HTTP requests to an affected device, an attacker can exploit this process to execute scripts and commands that allow root access to the device. All on-premises FMC software releases are affected regardless of device configuration. Cloud-Delivered FMC (cdFMC) is not affected.

The CVSS vector for this vulnerability includes a scope of "Changed" (S:C), meaning successful exploitation on the FMC can compromise the security of other components such as Firewall Threat Defense (FTD) devices under its management.

No workarounds are available.

Cisco Bug ID: CSCwr96008

CVE-2026-20131: Remote Code Execution via Insecure Deserialization (CVSS 10.0)

CVE-2026-20131 is a remote code execution vulnerability (classified under CWE-502) in the web interface of Cisco Secure Firewall Management Center caused by insecure deserialization of a user-supplied Java byte stream. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted serialized Java object to the management interface of an affected device. Successful exploitation enables the attacker to execute arbitrary code on the device and elevate privileges to root. Like CVE-2026-20079, it carries a CVSS scope of "Changed," meaning exploitation of the FMC can impact managed FTD devices.

Both on-premises FMC software and Cisco Security Cloud Control (SCC) Firewall Management are affected. SCC is a SaaS-delivered offering and is upgraded by Cisco as part of maintenance, so no user action is required for SCC. Cisco notes that if the FMC management interface does not have public internet access, the attack surface is reduced.

No workarounds are available.

Cisco Bug ID: CSCwt14636

Additional High-Severity Advisories

As part of the same advisory bundle, Cisco also disclosed three SQL injection vulnerabilities in FMC and several denial of service (DoS) vulnerabilities primarily affecting Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices.

SQL Injection Vulnerabilities in Firewall Management Center

Cisco disclosed SQL injection vulnerabilities CVE-2026-20001, CVE-2026-20002, and CVE-2026-20003 (classified under CWE-89) in Cisco Secure Firewall Management Center software. Notably, CVE-2026-20002 has a CVSS score of 8.1. These vulnerabilities can be exploited remotely but, unlike the critical vulnerabilities above, they require the attacker to be authenticated with valid user credentials.

Successful exploitation of CVE-2026-20002 could allow an attacker to obtain full access to the database and read certain files on the underlying operating system, while exploitation of CVE-2026-20001 and CVE-2026-20003 could allow an attacker to obtain read access to the database and certain files on the system.

No workarounds are available.

Cisco Bug IDs: CSCwo65318, CSCwp22451, CSCwq01517

Other High-Severity Vulnerabilities

Cisco also disclosed several high-severity denial of service (DoS) vulnerabilities affecting Cisco ASA and FTD software:

| Advisory | CVE(s) | Component | CVSS Score(s) |
|---|---|---|---|
| cisco-sa-asaftd-vpn-m9sx6MbC | CVE-2026-20100, CVE-2026-20101, CVE-2026-20103, CVE-2026-20105, CVE-2026-20106 | Remote Access SSL VPN | Ranging from 5.3 to 8.6 |
| cisco-sa-asaftd-vpn-dos-SpOFF2Re | CVE-2026-20039 | VPN Web Server | 8.6 |
| cisco-sa-asaftd-ikev2-dos-eBueGdEG | CVE-2026-20013, CVE-2026-20014, CVE-2026-20015 | IKEv2 | Ranging from 5.8 to 7.7 |
| cisco-sa-asaftd-esp-dos-uv7yD8P5 | CVE-2026-20049 | IPsec | 7.7 |
| cisco-sa-asa-dos-FCvLD6vR | CVE-2026-20082 | TCP Flood (ASA only) | 8.6 |

Additionally, CVE-2026-20062 (cisco-sa-asa-scpcxt-filecpy-rgeP73nE) is a high-severity (CVSS 7.2) file access vulnerability in Cisco ASA Software. It requires multiple context mode with the Cisco SSH stack enabled, and an attacker must be local and authenticated. Exploitation allows reading or overwriting sensitive files across privilege contexts via SCP.

None of these advisories have workarounds available.

Recommendations

Immediate Actions

  • Patch Critical Vulnerabilities in FMC - The two critical vulnerabilities (CVE-2026-20079 and CVE-2026-20131) are unauthenticated, network-exploitable, and have no workarounds. Use the Cisco Software Checker to determine the first fixed release for your current software version.
  • Restrict access to FMC management interfaces - FMC management interfaces should not be exposed to untrusted networks or the public internet. Use firewall rules or ACLs to limit access to only trusted networks and IP addresses. Cisco notes in the CVE-2026-20131 advisory that restricting public internet access to the FMC management interface reduces the attack surface.
  • Review FMC user accounts - The SQL injection vulnerabilities require authenticated access. Audit user accounts and permissions in FMC, remove unnecessary accounts, and apply the principle of least privilege. Enforce multi-factor authentication for all FMC administrative access.
  • Patch High-Severity Vulnerabilities in ASA/FTD - Organizations running affected software on ASA or FTD devices should review the related advisories and use the Cisco Software Checker to identify the appropriate fixed release.

Detection and Monitoring

  • Audit FMC for signs of compromise - Review FMC audit logs for unexpected configuration changes, unauthorized login attempts, or unfamiliar user activity. Since both critical vulnerabilities allow root-level access, check for signs of unauthorized commands or policy modifications pushed to managed FTD devices.
  • Monitor FMC logs - Centralize FMC log collection to enable correlation and alerting. Configure alerts for configuration changes to managed FTD devices that do not correspond to authorized change windows.
  • Monitor Cisco's advisory pages - Cisco may update these advisories with additional details. Subscribe to Cisco security notifications for ongoing updates.
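
One way to implement the change-window alert described in the list above, as an added example that is not from Cisco or the original post. The JSON event fields (ts, user, action, device), the account names and the device names are constructed assumptions standing in for events already normalized by a log pipeline; they are not FMC's native audit log format.

```python
import json
from datetime import datetime, timezone

# Constructed, normalized audit events (NOT FMC's native log format); the
# field names ts/user/action/device are assumptions made for this example.
SAMPLE_EVENTS = """\
{"ts": "2026-03-05T02:10:00+00:00", "user": "netops1", "action": "policy_deploy", "device": "ftd-edge-01"}
{"ts": "2026-03-05T02:40:00+00:00", "user": "netops1", "action": "login", "device": "fmc"}
{"ts": "2026-03-05T14:22:31+00:00", "user": "netops1", "action": "policy_deploy", "device": "ftd-edge-02"}
{"ts": "2026-03-05T21:05:00-05:00", "user": "admin", "action": "config_change", "device": "ftd-dc-01"}
{"ts": "2026-03-06T03:15:00+00:00", "user": "svc-unknown", "action": "policy_deploy", "device": "ftd-dc-01"}
not-json garbage line
"""

# Authorized change windows and the accounts allowed to push changes.
CHANGE_WINDOWS = [("2026-03-05T02:00:00+00:00", "2026-03-05T04:00:00+00:00"),
                  ("2026-03-06T02:00:00+00:00", "2026-03-06T04:00:00+00:00")]
AUTHORIZED_USERS = {"netops1", "admin"}
CHANGE_ACTIONS = {"policy_deploy", "config_change"}

def _utc(s):
    """Parse an ISO 8601 timestamp and normalize it to UTC; reject naive ones."""
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError("timestamp without UTC offset")
    return dt.astimezone(timezone.utc)

def find_unauthorized_changes(lines, windows, users):
    """Return (line_no, reason, detail) for every change event worth an alert."""
    wins = [(_utc(a), _utc(b)) for a, b in windows]
    alerts = []
    for n, line in enumerate(lines.splitlines(), 1):
        try:
            ev = json.loads(line)
            when = _utc(ev["ts"])
        except (ValueError, KeyError, TypeError):
            # A broken record is itself a signal: never drop it silently.
            alerts.append((n, "unparseable", line[:40]))
            continue
        if ev.get("action") not in CHANGE_ACTIONS:
            continue
        reasons = []
        if not any(start <= when < end for start, end in wins):
            reasons.append("outside_window")
        if ev.get("user") not in users:
            reasons.append("unknown_user")
        if reasons:
            alerts.append((n, "+".join(reasons), ev.get("device")))
    return alerts
```

The fourth sample event carries a -05:00 offset and falls inside the second window once normalized to UTC, which is why comparisons are done on UTC values rather than on the raw timestamp strings.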
