Cisco Patches Critical Firewall Management RCE Vulnerabilities
Cisco released emergency fixes for two critical (CVSS 10.0) vulnerabilities in its firewall management software that could allow remote, unauthenticated attackers to execute code and gain root-level access to the underlying operating system. The issues are tracked as CVE-2026-20079 and CVE-2026-20131, and reporting emphasized the risk profile given Cisco’s widespread deployment in large enterprises and the historical interest of sophisticated actors in rapidly weaponizing Cisco bugs.
Available reporting stated there were no confirmed in-the-wild exploitation reports at the time of publication, but urged rapid patching due to the combination of unauthenticated reachability and full compromise potential. Separate coverage packaged the Cisco flaws alongside other weekly security items (e.g., Tycoon2FA infrastructure takedown and other incidents), but the Cisco item consistently described the same two maximum-severity firewall management vulnerabilities and their impact (RCE leading to root access).
How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
U.S. court sentences trafficker in Microsoft authenticity labels case
A U.S. sentencing was handed down in a case involving trafficking in Microsoft Certificates of Authenticity or license labels. The case reflected continued law-enforcement action against software-related fraud.
University of Mississippi Medical Center resumes operations after ransomware
The University of Mississippi Medical Center restored operations after a ransomware incident disrupted clinical and IT systems for nine days. The recovery marked a significant operational milestone following the attack.
Silver Dragon campaign linked to China targets government entities
Researchers reported that the China-linked Silver Dragon activity cluster targeted government organizations using Cobalt Strike and custom tooling overlapping with the APT41 ecosystem. The reporting expanded attribution and technical understanding of the campaign.
Israeli users targeted with trojanized RedAlert app campaign
Attackers distributed a fake RedAlert rocket-warning Android app through SMS phishing messages impersonating Israel's Home Front Command. The app deployed multi-stage spyware with extensive permissions and banking-trojan-like capabilities.
LexisNexis confirms breach after FulcrumSec data leak claims
LexisNexis confirmed a security breach after FulcrumSec leaked data it claimed to have stolen from the company's AWS environment. The claims referenced an alleged React2Shell-based compromise.
Operation Leak takes down LeakBase breach forum
An international operation led by agencies including the FBI and Europol dismantled the LeakBase breach forum. Authorities seized infrastructure and made arrests as part of the takedown.
Microsoft and law enforcement dismantle Tycoon 2FA infrastructure
Microsoft and law enforcement disrupted the Tycoon 2FA phishing-as-a-service platform by seizing domains and related infrastructure. The action targeted a service used to facilitate large-scale phishing and credential theft.
Cisco issues emergency patches for two critical firewall vulnerabilities
Cisco released emergency fixes for two CVSS 10.0 remote, unauthenticated RCE vulnerabilities in its firewall management software. The flaws were described as critical and required immediate remediation.
Cisco warns of active exploitation of Catalyst SD-WAN Manager flaws
Cisco disclosed that previously patched vulnerabilities affecting Catalyst SD-WAN Manager were being actively exploited in the wild. The warning elevated concern beyond the original patch release.
CISA adds VMware Aria Operations flaw to KEV catalog
CISA added the VMware Aria Operations command-injection vulnerability to its Known Exploited Vulnerabilities catalog, signaling active exploitation risk and increasing urgency for patching.
Broadcom patches VMware Aria Operations command-injection flaw
Broadcom released a patch for a command-injection vulnerability in VMware Aria Operations. The flaw was later noted as significant enough to be added to CISA's Known Exploited Vulnerabilities catalog.
Sources
Cisco issues emergency patches for critical firewall vulnerabilities (CSO Online, csoonline.com)
Breach Roundup: Patches and Hacks on Cisco Equipment (govinfosecurity.com)
Breach Roundup: Patches and Hacks on Cisco Equipment (bankinfosecurity.com)