Cisco patches max-severity Secure Firewall Management Center flaws enabling unauthenticated root access
Cisco released security updates for two maximum-severity vulnerabilities in Cisco Secure Firewall Management Center (FMC) that can be exploited remotely by unauthenticated attackers via crafted HTTP requests to the web-based management interface. The issues include an authentication bypass (CVE-2026-20079) that can lead to root access on the underlying operating system and a remote code execution flaw (CVE-2026-20131) that allows execution of arbitrary Java code as root on unpatched systems.
The Canadian Centre for Cyber Security highlighted Cisco’s advisories and urged administrators to review Cisco guidance and apply updates, noting impact on Cisco Security Cloud Control (SCC) Firewall Management and Cisco Secure FMC across versions. Cisco stated its PSIRT had no evidence of active exploitation and no public PoC at the time of publication, while also issuing fixes for additional vulnerabilities (including multiple high-severity issues) across Cisco firewall management and firewall platforms.
Timeline
Mar 25, 2026
VulnCheck publishes exploit chain analysis for CVE-2026-20079
On 2026-03-25, VulnCheck published technical analysis showing a working unauthenticated exploit chain for CVE-2026-20079 in Cisco Secure Firewall Management Center that achieved root command execution. The report described abuse of a boot-time csm_processes session, hardcoded machine-user credentials, token extraction, and CGI functionality, while noting the attack requires a recently rebooted or lightly used target.
Mar 18, 2026
Cisco warns CVE-2026-20131 is being actively exploited
On 2026-03-18, Cisco updated its advisory for CVE-2026-20131 to state that the critical Secure Firewall Management Center flaw was being exploited in the wild. This reversed Cisco’s March 4 position that no public exploitation or proof-of-concept was known.
Mar 4, 2026
Cisco updates prior SD-WAN guidance to note active exploitation
On 2026-03-04, Cisco also updated earlier guidance for two Catalyst SD-WAN Manager vulnerabilities, originally published on 2026-02-25, to state they were being exploited in the wild. This was reported alongside the March firewall advisory bundle as a separate development in Cisco's broader security updates.
Mar 4, 2026
Canadian Centre for Cyber Security issues alert on Cisco advisories
On 2026-03-04, the Canadian Centre for Cyber Security published alert AV26-197 highlighting Cisco's advisories for Security Cloud Control Firewall Management and Secure Firewall Management Center. The notice urged administrators to review Cisco guidance, follow mitigations, and apply updates as available.
Mar 4, 2026
Cisco says no active exploitation or public PoC is known
In the March 4, 2026 advisories, Cisco PSIRT stated it was not aware of public disclosure, proof-of-concept code, or in-the-wild exploitation for the two critical FMC vulnerabilities at the time of publication. Cisco also indicated there were no workarounds and urged customers to upgrade to fixed releases.
Mar 4, 2026
Cisco discloses and patches two critical Secure FMC vulnerabilities
On 2026-03-04, Cisco disclosed and released fixes for CVE-2026-20079 and CVE-2026-20131, two CVSS 10.0 vulnerabilities in Cisco Secure Firewall Management Center. Cisco said unauthenticated attackers could exploit the flaws remotely to achieve root-level access, and noted CVE-2026-20131 also affects Cisco Security Cloud Control Firewall Management.
Mar 4, 2026
Cisco publishes March 2026 firewall security advisory bundle
On 2026-03-04, Cisco published a bundled set of security advisories covering roughly 48 vulnerabilities across Secure Firewall ASA, Secure Firewall Management Center (FMC), and Secure Firewall Threat Defense (FTD). The release included fixes for two critical FMC web interface flaws and numerous additional high- and medium-severity issues.
Related Stories

Cisco Patches Critical Firewall Management RCE Vulnerabilities
Cisco released emergency fixes for two **critical (CVSS 10.0)** vulnerabilities in its firewall management software that could allow **remote, unauthenticated attackers** to execute code and gain **root-level** access to the underlying operating system. The issues are tracked as `CVE-2026-20079` and `CVE-2026-20131`, and reporting emphasized the risk profile given Cisco’s widespread deployment in large enterprises and the historical interest of sophisticated actors in rapidly weaponizing Cisco bugs. Available reporting stated there were **no confirmed in-the-wild exploitation** reports at the time of publication, but urged rapid patching due to the combination of unauthenticated reachability and full compromise potential. Separate coverage packaged the Cisco flaws alongside other weekly security items (e.g., Tycoon2FA infrastructure takedown and other incidents), but the Cisco item consistently described the same two maximum-severity firewall management vulnerabilities and their impact (RCE leading to root access).
1 month ago
Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager
Belgium’s CCB (Safeonweb) warned of **multiple critical vulnerabilities** across several **Cisco** products—specifically calling out **Cisco Secure Firewall** (including *Adaptive Security Appliance (ASA)*, *Firepower Management Center (FMC)*, and *Firepower Threat Defense (FTD)*) and **Cisco Catalyst SD-WAN Manager**—and stated that **some vulnerabilities are being actively exploited**, urging immediate patching. The advisory lists a broad set of weakness classes including **authentication bypass** (`CWE-288`/`CWE-287`), **deserialization of untrusted data** (`CWE-502`), **buffer overflow** (`CWE-120`), **SQL injection** (`CWE-89`), and **sensitive information exposure** (`CWE-200`), and highlights multiple CVEs including **CVE-2026-20079** and **CVE-2026-20131** with **CVSS 10.0**. A separate advisory from the Center for Internet Security (CIS) also reported **multiple vulnerabilities in Cisco products** that could enable **remote code execution**, enumerating a large set of related CVEs (including **CVE-2026-20001**, **CVE-2026-20002**, **CVE-2026-20003**, and **CVE-2026-20039**). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.
1 month ago
Critical Remote Code Execution and Authorization Bypass Vulnerabilities in Cisco ASA and FTD WebVPN
Multiple critical vulnerabilities have been discovered in the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) WebVPN components, which are being actively exploited in the wild. The vulnerabilities, identified as CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, allow attackers to bypass authentication and achieve remote code execution (RCE) as root on affected devices. CVE-2025-20362 is an unauthenticated authorization bypass that enables attackers to access restricted endpoints without valid credentials, serving as a key component in exploit chains. When combined with CVE-2025-20333, attackers can send malicious HTTPS requests to execute arbitrary code as root, even without prior authentication. CVE-2025-20363 is a related flaw that also enables unauthenticated RCE on ASA/FTD devices and authenticated RCE on some Cisco IOS components. These vulnerabilities affect Cisco ASA versions 9.16 through 9.23 and Cisco FTD versions 7.0 through 7.7, with specific software images requiring validation against Cisco advisories. Cisco and CISA have confirmed active exploitation and widespread scanning for these vulnerabilities, prompting CISA to issue Emergency Directive 25-03 on September 25, 2025, mandating immediate action by federal agencies. The threat actor responsible for these attacks is attributed to the same group behind the ArcaneDoor (UAT4356) state-sponsored espionage campaign first observed in 2024. Organizations are urged to patch or upgrade to Cisco’s fixed releases without delay, and to restrict or disable vulnerable devices if immediate upgrades are not possible. Compromised devices should be isolated and thoroughly investigated for signs of threat actor presence. Cisco has provided detailed guidance for detection, and CISA’s Malware Next Generation tool can be used to hunt for indicators of compromise. 
Security researchers, including Rapid7, have published technical analyses and exploit chains demonstrating the severity and ease of exploitation. The vulnerabilities are considered highly critical due to their unauthenticated nature and the potential for full device compromise, which could lead to further lateral movement within affected networks. The rapid response from both Cisco and CISA underscores the urgency and scale of the threat. Organizations using Cisco ASA or FTD devices should assume exposure if running affected versions and prioritize remediation. The vulnerabilities highlight the ongoing targeting of network edge devices by sophisticated threat actors, particularly those engaged in espionage. Failure to address these vulnerabilities could result in significant operational disruption and data compromise. The security community continues to monitor for new exploitation techniques and advises ongoing vigilance. The release of proof-of-concept code and active scanning increases the risk of opportunistic attacks by additional threat actors. Timely patching and adherence to Cisco and CISA recommendations are essential to mitigate risk from these critical vulnerabilities.
1 month ago