Cisco Secure Firewall flaws expose FMC, FTD, and ASA to RCE, auth bypass, and inspection bypass
Cisco disclosed multiple vulnerabilities affecting Secure Firewall Management Center (FMC), Secure Firewall Threat Defense (FTD), and Adaptive Security Appliance (ASA) software, including a remote code execution flaw tied to RADIUS handling in FMC and a separate authentication bypass issue in on-premises FMC. Additional advisories describe a path traversal vulnerability in FMC and FTD, expanding the risk to core firewall management and security enforcement platforms used in enterprise environments.
The broader set of advisories also includes a Snort deep inspection bypass in FTD, a TLS/Snort 3 denial-of-service issue, a SAML reflected cross-site scripting flaw affecting ASA and FTD, a VPN web services client-side request smuggling vulnerability, and a Lua code injection bug in ASA and FTD. Taken together, the disclosures show that Cisco firewall products were exposed to weaknesses spanning code execution, access control, traffic inspection evasion, denial of service, and web interface exploitation, creating multiple paths for attackers to disrupt defenses or gain elevated access if affected systems remain unpatched.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Cisco discloses FMC authentication bypass vulnerability
Cisco published a security advisory for an authentication bypass vulnerability affecting Cisco Secure Firewall Management Center Software.
Cisco releases six Secure Firewall advisories
Cisco published a batch of security advisories covering Secure Firewall products, including vulnerabilities for path traversal in FMC and FTD, Snort deep inspection bypass in FTD, SAML reflected XSS in ASA and FTD, VPN web services client-side request smuggling in ASA and FTD, Lua code injection in ASA and FTD, and a TLS/Snort 3 denial-of-service issue in FTD.
Cisco discloses FMC RADIUS remote code execution vulnerability
Cisco published a security advisory for a remote code execution vulnerability affecting Cisco Secure Firewall Management Center Software in its RADIUS-related functionality.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Cisco Secure Firewall Management Center Software Authentication Bypass Vulnerability
linkedin.com
Open sourceCisco Secure Firewall Management Center and Secure Firewall Threat Defense Software Path Traversal Vulnerability
sec.cloudapps.cisco.com
Open sourceCisco Secure Firewall Threat Defense Software Snort Deep Inspection Bypass Vulnerability
sec.cloudapps.cisco.com
Open sourceCisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SAML Reflected Cross-Site Scripting Vulnerability
sec.cloudapps.cisco.com
Open sourceCisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Client-Side Request Smuggling Vulnerability
sec.cloudapps.cisco.com
Open sourceCisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Lua Code Injection Vulnerability
sec.cloudapps.cisco.com
Open sourceCisco Secure Firewall Threat Defense Software TLS with Snort 3 Detection Engine Denial of Service Vulnerability
sec.cloudapps.cisco.com
Open sourceCisco Secure Firewall Management Center Software RADIUS Remote Code Execution Vulnerability
linkedin.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco patches max-severity Secure Firewall Management Center flaws enabling unauthenticated root access
Cisco released security updates for two **maximum-severity** vulnerabilities in *Cisco Secure Firewall Management Center (FMC)* that can be exploited remotely by **unauthenticated** attackers via crafted HTTP requests to the web-based management interface. The issues include an **authentication bypass** (**CVE-2026-20079**) that can lead to **root access** on the underlying operating system and a **remote code execution** flaw (**CVE-2026-20131**) that allows execution of arbitrary Java code as root on unpatched systems. The Canadian Centre for Cyber Security highlighted Cisco’s advisories and urged administrators to review Cisco guidance and apply updates, noting impact to **Cisco Security Cloud Control (SCC) Firewall Management** and **Cisco Secure FMC** across versions. Cisco stated its PSIRT had **no evidence of active exploitation** and no public PoC at the time of publication, while also issuing fixes for additional vulnerabilities (including multiple high-severity issues) across Cisco firewall management and firewall platforms.
Mar 26, 2026
Critical Remote Code Execution and Authorization Bypass Vulnerabilities in Cisco ASA and FTD WebVPN
Multiple critical vulnerabilities have been discovered in the Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) WebVPN components, which are being actively exploited in the wild. The vulnerabilities, identified as CVE-2025-20362, CVE-2025-20333, and CVE-2025-20363, allow attackers to bypass authentication and achieve remote code execution (RCE) as root on affected devices. CVE-2025-20362 is an unauthenticated authorization bypass that enables attackers to access restricted endpoints without valid credentials, serving as a key component in exploit chains. When combined with CVE-2025-20333, attackers can send malicious HTTPS requests to execute arbitrary code as root, even without prior authentication. CVE-2025-20363 is a related flaw that also enables unauthenticated RCE on ASA/FTD devices and authenticated RCE on some Cisco IOS components. These vulnerabilities affect Cisco ASA versions 9.16 through 9.23 and Cisco FTD versions 7.0 through 7.7, with specific software images requiring validation against Cisco advisories. Cisco and CISA have confirmed active exploitation and widespread scanning for these vulnerabilities, prompting CISA to issue Emergency Directive 25-03 on September 25, 2025, mandating immediate action by federal agencies. The threat actor responsible for these attacks is attributed to the same group behind the ArcaneDoor (UAT4356) state-sponsored espionage campaign first observed in 2024. Organizations are urged to patch or upgrade to Cisco’s fixed releases without delay, and to restrict or disable vulnerable devices if immediate upgrades are not possible. Compromised devices should be isolated and thoroughly investigated for signs of threat actor presence. Cisco has provided detailed guidance for detection, and CISA’s Malware Next Generation tool can be used to hunt for indicators of compromise. Security researchers, including Rapid7, have published technical analyses and exploit chains demonstrating the severity and ease of exploitation. The vulnerabilities are considered highly critical due to their unauthenticated nature and the potential for full device compromise, which could lead to further lateral movement within affected networks. The rapid response from both Cisco and CISA underscores the urgency and scale of the threat. Organizations using Cisco ASA or FTD devices should assume exposure if running affected versions and prioritize remediation. The vulnerabilities highlight the ongoing targeting of network edge devices by sophisticated threat actors, particularly those engaged in espionage. Failure to address these vulnerabilities could result in significant operational disruption and data compromise. The security community continues to monitor for new exploitation techniques and advises ongoing vigilance. The release of proof-of-concept code and active scanning increases the risk of opportunistic attacks by additional threat actors. Timely patching and adherence to Cisco and CISA recommendations are essential to mitigate risk from these critical vulnerabilities.
Mar 21, 2026
Actively Exploited Critical Vulnerabilities in Cisco Secure Firewall and Catalyst SD-WAN Manager
Belgium’s CCB (Safeonweb) warned of **multiple critical vulnerabilities** across several **Cisco** products—specifically calling out **Cisco Secure Firewall** (including *Adaptive Security Appliance (ASA)*, *Firepower Management Center (FMC)*, and *Firepower Threat Defense (FTD)*) and **Cisco Catalyst SD-WAN Manager**—and stated that **some vulnerabilities are being actively exploited**, urging immediate patching. The advisory lists a broad set of weakness classes including **authentication bypass** (`CWE-288`/`CWE-287`), **deserialization of untrusted data** (`CWE-502`), **buffer overflow** (`CWE-120`), **SQL injection** (`CWE-89`), and **sensitive information exposure** (`CWE-200`), and highlights multiple CVEs including **CVE-2026-20079** and **CVE-2026-20131** with **CVSS 10.0**. A separate advisory from the Center for Internet Security (CIS) also reported **multiple vulnerabilities in Cisco products** that could enable **remote code execution**, enumerating a large set of related CVEs (including **CVE-2026-20001**, **CVE-2026-20002**, **CVE-2026-20003**, and **CVE-2026-20039**). Taken together, the advisories indicate a high-risk patching priority for organizations running affected Cisco network/security management and firewall platforms, particularly where internet exposure or untrusted management-plane access could make exploitation more likely.
Mar 21, 2026