Authentication Bypass to Root RCE in Cisco Secure Firewall Management Center
CVE-2026-20079 is a critical vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software. An unauthenticated remote attacker can bypass authentication and execute script files and commands on the affected device, gaining root access to the underlying operating system. Cisco attributes the flaw to an improper system process created at boot time. Supporting analysis ties the vulnerable condition to a boot-created machine-user session associated with the csm_processes account: that session is reachable through the web interface and, under certain conditions, can be repurposed into a usable UI session. Exploitation requires only crafted HTTP requests to the FMC web interface, so any network path to the management interface is attack surface. Successful exploitation yields script and command execution as root on the FMC appliance.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
The repository that passed filtering is a small standalone PoC consisting of one Python script and one README. The main file, CVE-2026-20079.py, is the only code artifact and the entry point. It uses the requests library to talk to the FMC web interface over HTTPS, explicitly disabling certificate verification to accommodate self-signed deployments.

The exploit logic is a two-stage chain. First, it creates a requests session and sends a POST request to /api/fmc_config/v1/upgradeSession with parameters action=session_upgrade and partial_session=1, attempting to abuse the alleged boot-time partial-session condition to bypass authentication. If the response status is 200, 204 or 302, the script treats the target as compromised at the session level. Accepting a bare 302 is a weak success check, since a redirect to the login page returns the same status. Second, if the operator supplied a command, it sends another POST request to /cgi-bin/privilegedScriptHandler.cgi with script=exec, cmd=<command> and elevate=root, attempting to execute arbitrary commands as root. The script also has a --shell mode, but this does not establish a shell; it only prints a suggested bash reverse-shell one-liner using /dev/tcp/YOUR_IP/4444.

Capabilities: unauthenticated remote authentication bypass, session hijacking, arbitrary root command execution, and operator-guided reverse-shell follow-on. Attack surface: network/web against the FMC management interface. There is no persistence, lateral movement, or post-exploitation automation beyond command execution.

Repository structure is minimal and purpose-built: README.md documents the claimed vulnerability, affected versions, impact, and references, while the Python script operationalizes the exploit chain. It is not part of a larger exploit framework such as Metasploit or Nuclei. Based on the code, it is an operational PoC rather than a detection script: it actively sends exploit requests and can execute attacker-provided commands. The payload is basic and hardcoded around two HTTP POST requests, so maturity is best classified as OPERATIONAL rather than weaponized.
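The two request paths above are the only part of the PoC's chain that an FMC web-server access log would record, which makes them a practical hunting pivot. The script below is an added example written for this page, not code from the page, from Cisco, or from the PoC author. It assumes logs in Apache/NGINX combined format (real FMC log layout may differ), matches POSTs to the two endpoints, and correlates a stage-1 request followed by a stage-2 request from the same source IP inside a time window. Form-body parameters such as action=session_upgrade or cmd= are not visible in access logs, so hits are leads for investigation, not proof of compromise. The sample log lines are constructed.

```python
"""Hunt for CVE-2026-20079 exploitation attempts in FMC web-server access logs.

Added example for this page (not code from the page, Cisco, or the PoC author).
Assumptions: logs are in Apache/NGINX "combined" format, and the two request
paths below are those the PoC described on this page uses. Form-body
parameters are not visible in access logs, so matching is on method + path
only; treat hits as leads, not proof.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request paths used by the PoC chain described on this page.
STAGE_BY_PATH = {
    "/api/fmc_config/v1/upgradeSession": "session_upgrade",    # stage 1: auth bypass
    "/cgi-bin/privilegedScriptHandler.cgi": "privileged_exec",  # stage 2: root command
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines (not real FMC data); times are UTC.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:02:14:03 +0000] "POST /api/fmc_config/v1/upgradeSession?action=session_upgrade&partial_session=1 HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Mar/2026:02:14:05 +0000] "POST /cgi-bin/privilegedScriptHandler.cgi HTTP/1.1" 200 84 "-" "python-requests/2.31.0"
198.51.100.21 - admin [12/Mar/2026:02:20:11 +0000] "GET /login.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.21 - admin [12/Mar/2026:02:21:40 +0000] "POST /api/fmc_config/v1/upgradeSession HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2026:03:01:00 +0000] "POST /cgi-bin/privilegedScriptHandler.cgi HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    d["path"] = d["target"].split("?", 1)[0]   # drop the query string before matching
    return d


def find_events(log_text):
    """Return every POST to one of the PoC's two endpoints, tagged with its stage."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        stage = STAGE_BY_PATH.get(rec["path"])
        if stage is None:
            continue
        events.append({"ip": rec["ip"], "ts": rec["ts"], "stage": stage,
                       "status": rec["status"], "user": rec["user"], "ua": rec["ua"]})
    return events


def correlate(events, window=timedelta(minutes=10)):
    """Pair a stage-1 event with the next stage-2 event from the same IP within `window`.

    A stage-2 request answered 200/204 after a stage-1 request is the strongest
    signal the access log can give; any other status is recorded as an attempt.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    chains = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if first["stage"] != "session_upgrade":
                continue
            for second in evs[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break
                if second["stage"] == "privileged_exec":
                    verdict = ("probable_success" if second["status"] in (200, 204)
                               else "attempt")
                    chains.append({"ip": ip, "start": first["ts"], "end": second["ts"],
                                   "stage1_status": first["status"],
                                   "stage2_status": second["status"],
                                   "verdict": verdict})
                    break
    return chains


if __name__ == "__main__":
    evs = find_events(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev['ts'].isoformat()} {ev['ip']:>14} {ev['stage']:<16} status={ev['status']}")
    for c in correlate(evs):
        print(f"CHAIN {c['ip']} {c['start'].isoformat()} -> {c['end'].isoformat()} {c['verdict']}")
```

On the constructed sample, the first source IP produces one chain with verdict probable_success; the lone 302 to the session endpoint and the lone 403 to the CGI handler surface as single-stage events for an analyst to review but do not form a chain. Single stage-2 hits with a 200 from a source that never authenticated deserve the same scrutiny as a full chain, since stage 1 may have been sent through another path.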
Recent activity
55 sources tracked across advisories, community write-ups, and news.
A critical unauthenticated remote code execution vulnerability in Cisco Secure Firewall Management Center caused by an improper system process created at boot time, enabling session abuse, authentication bypass, and root-level command execution.
Critical authentication-bypass vulnerability in Cisco Secure Firewall Management Center (FMC) reachable over HTTP that can lead to root-level compromise due to an improper process at boot.
A critical unauthenticated authentication-bypass vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) that can allow execution of script files and escalation to root on the underlying OS; attributed to an improper system process created at boot time.
A maximum-severity vulnerability in Cisco Secure Firewall Management Center that could allow an unauthenticated remote attacker to bypass authentication and execute arbitrary Java code as root.