Cisco has issued security updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software, both of which allow unauthenticated remote attackers to gain root access to affected devices.
The two flaws carry the identifiers CVE-2026-20079 and CVE-2026-20131. The first is an authentication bypass that grants attackers root access to the underlying operating system. The second is a remote code execution (RCE) vulnerability that lets attackers run arbitrary Java code as root on unpatched systems.
How the Attacks Work
CVE-2026-20079 can be triggered by sending crafted HTTP requests to a vulnerable device. According to Cisco’s advisory, a successful exploit “could allow the attacker to execute a variety of scripts and commands that allow root access to the device.”
CVE-2026-20131 works differently. An attacker sends a crafted serialized Java object to the web-based management interface, which then executes arbitrary code and elevates the attacker’s privileges to root. Neither flaw requires authentication, and both can be exploited remotely.
While both flaws affect Cisco Secure FMC Software, CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management, a cloud-based platform used to manage security policy across Cisco firewalls and other network devices.
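For defenders reviewing captured traffic to a management interface, the sketch below flags HTTP request bodies that carry a serialized Java object, the input type CVE-2026-20131 relies on. It is an added example, not Cisco's code or a signature from the advisory; the record layout, placeholder paths and sample bodies are constructed, and it detects the generic Java serialization header rather than this specific exploit.

```python
import base64
import re

# Every Java serialization stream opens with STREAM_MAGIC 0xACED and STREAM_VERSION 0x0005.
JAVA_MAGIC = b"\xac\xed\x00\x05"
# Base64 of those bytes always starts "rO0AB"; require 8 chars so the head decodes cleanly.
B64_RUN = re.compile(rb"rO0AB[A-Za-z0-9+/_-]{3,}")
HEX_RUN = re.compile(rb"(?i)aced0005")
JAVA_MIME = "application/x-java-serialized-object"


def find_java_serialized(body: bytes) -> list[tuple[str, int]]:
    """Return (encoding, offset) for each Java serialization header in body."""
    hits = [("raw", m.start()) for m in re.finditer(re.escape(JAVA_MAGIC), body)]
    for m in B64_RUN.finditer(body):
        # Normalise the URL-safe alphabet, then confirm the decoded head is the magic.
        head = m.group()[:8].replace(b"-", b"+").replace(b"_", b"/")
        if base64.b64decode(head).startswith(JAVA_MAGIC):
            hits.append(("base64", m.start()))
    hits += [("hex", m.start()) for m in HEX_RUN.finditer(body)]
    return hits


def triage(requests: list[dict]) -> list[dict]:
    """Flag requests that declare or carry a serialized Java object."""
    flagged = []
    for req in requests:
        reasons = find_java_serialized(req["body"])
        if req.get("content_type", "").lower().startswith(JAVA_MIME):
            reasons.append(("content-type", -1))
        if reasons:
            flagged.append({"id": req["id"], "path": req["path"], "reasons": reasons})
    return flagged


# Constructed sample records; paths are placeholders, not real FMC endpoints.
SAMPLE_STREAM = JAVA_MAGIC + b"sr\x00\x04Demo"  # header plus a truncated class descriptor
SAMPLE_REQUESTS = [
    {"id": 1, "path": "/placeholder/login", "content_type": "application/json",
     "body": b'{"user": "alice"}'},
    {"id": 2, "path": "/placeholder/a", "content_type": JAVA_MIME, "body": SAMPLE_STREAM},
    {"id": 3, "path": "/placeholder/b", "content_type": "application/x-www-form-urlencoded",
     "body": b"state=" + base64.b64encode(SAMPLE_STREAM)},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print(hit)
```

A hit is a triage lead rather than proof of exploitation: the hex and Base64 patterns can match unrelated data, and some applications exchange serialized objects legitimately.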
No Active Exploitation Yet
Cisco’s Product Security Incident Response Team (PSIRT) says it has found no evidence that either vulnerability has been exploited in the wild. No proof-of-concept exploit code appears to have been published at this time.
Alongside the two critical patches, Cisco also addressed 15 high-severity flaws across Secure FMC, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense software in the same update cycle.
A Pattern of Critical Flaws
This is not the first time Cisco has had to patch maximum-severity issues in the FMC product line. In August, the company fixed a separate FMC flaw that allowed unauthenticated remote attackers to inject arbitrary shell commands on unpatched devices.
The months before this disclosure have been busy for Cisco’s security teams. In January, patches went out for a maximum-severity Cisco AsyncOS zero-day that attackers had actively exploited against secure email appliances since November, as well as a critical Unified Communications RCE also used in zero-day attacks. Last month, Cisco patched a maximum-severity Catalyst SD-WAN authentication bypass that threat actors had already abused to compromise controllers and add rogue peers to targeted networks.
The cumulative picture shows consistent pressure on Cisco’s enterprise firewall and network management products, with several critical patches over a short span arriving after confirmed active exploitation.
Administrators running Cisco Secure FMC should apply the available updates immediately, given that both vulnerabilities are remotely exploitable without credentials and deliver full root-level control to a successful attacker.
This article is a curated summary based on third-party sources.