Cisco fixes maximum-severity Secure FMC bugs threatening firewall security

Pierluigi Paganini March 04, 2026

Cisco patched two critical Secure FMC vulnerabilities that could let attackers gain root access to managed firewalls.

Cisco addressed two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) that could allow attackers to gain root access. Cisco Secure Firewall Management Center (FMC) is a centralized management platform for Cisco firewalls.

It lets administrators configure, monitor, and control multiple firewalls from a single web or SSH interface. Through FMC, teams can manage policies for intrusion prevention (IPS), application control, URL filtering, advanced malware protection, logging, reporting, and overall network security posture across their environment.

The first vulnerability, tracked as CVE-2026-20079 (CVSS score of 10.0), is an authentication bypass issue.

The flaw resides in Cisco Secure FMC’s web interface and lets unauthenticated remote attackers bypass authentication and send crafted HTTP requests to execute scripts, potentially gaining root access to the underlying operating system.

“A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system.” reads the advisory. “This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.”

The second vulnerability, tracked as CVE-2026-20131 (CVSS score of 10.0), is a remote code execution issue.

The flaw resides in Cisco Secure FMC’s web interface and allows unauthenticated remote attackers to exploit insecure Java deserialization and execute arbitrary code as root by sending a crafted serialized object.

“A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.” reads the advisory. “This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”

CVE-2026-20131 also impacts Cisco Security Cloud Control (SCC) Firewall Management.
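As an added example (not code from Cisco or from this article): the advisory attributes CVE-2026-20131 to deserialization of a user-supplied Java byte stream, so one generic check a defender can run over captured HTTP requests to a management interface is to look for the Java serialization stream header, raw or base64-encoded. The request paths, the `state` parameter and the stream fragment below are constructed, and nothing here reflects how FMC actually receives the data.

```python
import base64
import re
import struct

JAVA_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
B64_RUN = re.compile(rb"rO0AB[A-Za-z0-9+/_-]{3,}")  # base64 of the magic starts "rO0AB"

def top_level_class(stream: bytes):
    """Return the class name if the stream opens with TC_OBJECT (0x73), TC_CLASSDESC (0x72)."""
    if len(stream) < 8 or stream[4:6] != b"\x73\x72":
        return None
    (n,) = struct.unpack(">H", stream[6:8])          # 2-byte big-endian name length
    name = stream[8:8 + n]
    return name.decode("utf-8", "replace") if len(name) == n else None

def find_serialized_java(body: bytes):
    """List (encoding, offset, class_name) for each Java serialization header in body."""
    hits = []
    pos = body.find(JAVA_MAGIC)
    while pos != -1:
        hits.append(("raw", pos, top_level_class(body[pos:])))
        pos = body.find(JAVA_MAGIC, pos + 1)
    for m in B64_RUN.finditer(body):
        token = m.group(0).replace(b"-", b"+").replace(b"_", b"/")  # URL-safe alphabet
        token = token[: len(token) - len(token) % 4]   # decode whole 4-char groups only
        decoded = base64.b64decode(token)
        if decoded.startswith(JAVA_MAGIC):              # confirms the 0x05 version byte
            hits.append(("base64", m.start(), top_level_class(decoded)))
    return hits

def scan_request(raw: bytes):
    """Split a captured HTTP request and scan its body; returns (request_line, hits)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return request_line, find_serialized_java(body)

# Constructed sample data: a truncated, harmless stream header and made-up paths.
FRAGMENT = JAVA_MAGIC + b"\x73\x72\x00\x11java.util.HashMap" + bytes(8)
SAMPLES = [
    b"POST /example/a HTTP/1.1\r\nContent-Type: application/octet-stream\r\n\r\n" + FRAGMENT,
    b"POST /example/b HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"state=" + base64.b64encode(FRAGMENT),
    b"POST /example/c HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"name\": \"fw-01\"}",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(scan_request(raw))
```

A hit is a triage signal, not proof of exploitation. Bodies that are URL-encoded or compressed need decoding before this check.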

The company's PSIRT said it is not aware of any public disclosure or active exploitation of either vulnerability.

The networking giant said that there are no workarounds that address these flaws.


(SecurityAffairs – hacking, Secure FMC)


