Cisco patches max-severity Secure Firewall Management Center flaws enabling unauthenticated root access
Cisco released security updates for two maximum-severity vulnerabilities in Cisco Secure Firewall Management Center (FMC) that can be exploited remotely by unauthenticated attackers via crafted HTTP requests to the web-based management interface. The issues include an authentication bypass (CVE-2026-20079) that can lead to root access on the underlying operating system and a remote code execution flaw (CVE-2026-20131) that allows execution of arbitrary Java code as root on unpatched systems.
The Canadian Centre for Cyber Security highlighted Cisco’s advisories and urged administrators to review Cisco guidance and apply updates, noting impact to Cisco Security Cloud Control (SCC) Firewall Management and Cisco Secure FMC across versions. Cisco stated its PSIRT had no evidence of active exploitation and no public PoC at the time of publication, while also issuing fixes for additional vulnerabilities (including multiple high-severity issues) across Cisco firewall management and firewall platforms.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
VulnCheck publishes exploit chain analysis for CVE-2026-20079
On 2026-03-25, VulnCheck published technical analysis showing a working unauthenticated exploit chain for CVE-2026-20079 in Cisco Secure Firewall Management Center that achieved root command execution. The report described abuse of a boot-time csm_processes session, hardcoded machine-user credentials, token extraction, and CGI functionality, while noting the attack requires a recently rebooted or lightly used target.
Cisco warns CVE-2026-20131 is being actively exploited
On 2026-03-18, Cisco updated its advisory for CVE-2026-20131 to state that the critical Secure Firewall Management Center flaw was being exploited in the wild. This reversed Cisco’s March 4 position that no public exploitation or proof-of-concept was known.
Cisco updates prior SD-WAN guidance to note active exploitation
On 2026-03-04, Cisco also updated earlier guidance for two Catalyst SD-WAN Manager vulnerabilities, originally published on 2026-02-25, to state they were being exploited in the wild. This was reported alongside the March firewall advisory bundle as a separate development in Cisco's broader security updates.
Canadian Centre for Cyber Security issues alert on Cisco advisories
On 2026-03-04, the Canadian Centre for Cyber Security published alert AV26-197 highlighting Cisco's advisories for Security Cloud Control Firewall Management and Secure Firewall Management Center. The notice urged administrators to review Cisco guidance, follow mitigations, and apply updates as available.
Cisco says no active exploitation or public PoC is known
In the March 4, 2026 advisories, Cisco PSIRT stated it was not aware of public disclosure, proof-of-concept code, or in-the-wild exploitation for the two critical FMC vulnerabilities at the time of publication. Cisco also indicated there were no workarounds and urged customers to upgrade to fixed releases.
Cisco discloses and patches two critical Secure FMC vulnerabilities
On 2026-03-04, Cisco disclosed and released fixes for CVE-2026-20079 and CVE-2026-20131, two CVSS 10.0 vulnerabilities in Cisco Secure Firewall Management Center. Cisco said unauthenticated attackers could exploit the flaws remotely to achieve root-level access, and noted CVE-2026-20131 also affects Cisco Security Cloud Control Firewall Management.
Cisco publishes March 2026 firewall security advisory bundle
On 2026-03-04, Cisco published a bundled set of security advisories covering roughly 48 vulnerabilities across Secure Firewall ASA, Secure Firewall Management Center (FMC), and Secure Firewall Threat Defense (FTD). The release included fixes for two critical FMC web interface flaws and numerous additional high- and medium-severity issues.
Sources
Cisco Secure Firewall Vulnerability Allows Remote Code Execution as Root User (cybersecuritynews.com)
CVE-2026-20079 - Cisco FMC Authentication Bypass RCE Analysis | Blog | VulnCheck (vulncheck.com)
CVE-2026-20131: Analysis of FMC RCE | ThreatLabz (zscaler.com)
Cisco patches 48 bugs across firewall products; notes two more SD-WAN flaws exploited | news | SC Media (scworld.com)
Critical Cisco Vulnerabilities: CVE-2026-20079 and CVE-2026-20131 Affecting Cisco Secure Firewall Management Center | Abstract Security (abstract.security)
WARNING: Cisco Issues Emergency Patches for Critical Firewall Management Vulnerabilities (linkedin.com)
Cisco Event Response: March 2026 Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software Security Advisory Bundled Publication (sec.cloudapps.cisco.com)
Cisco warns of max severity Secure FMC flaws giving root access (bleepingcomputer.com)


