Cybersecurity Blog | RedLegg

Security Bulletin: Multiple vulnerabilities affecting Cisco Secure Firewall Management Center (FMC)

Written by RedLegg's Cyber Threat Intelligence Team | 3/5/26 12:18 AM

About:

Multiple critical vulnerabilities have been identified in Cisco Secure Firewall Management Center (FMC) that could allow unauthenticated attackers to bypass authentication controls or execute arbitrary code on affected systems. The flaws impact the web-based management interface and could lead to root-level access on the underlying operating system. Successful exploitation may result in complete compromise of firewall management infrastructure and downstream network security controls.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Authentication Bypass Vulnerability in Cisco Secure Firewall Management Center (FMC)

CVSS Score: 10.0 (Critical)
Identifier: CVE-2026-20079

PoC or Exploitation:

Cisco has stated there is currently no evidence of active exploitation in the wild and no publicly released proof-of-concept exploit code for CVE-2026-20079 at this time.

Update/ Patch:

Cisco has released software updates that address CVE-2026-20079 in Cisco Secure Firewall Management Center Software. Administrators should upgrade to the fixed software versions provided by Cisco.

Official Cisco security advisory and patch guidance:

Description:

CVE-2026-20079 is an authentication bypass vulnerability in Cisco Secure Firewall Management Center Software. The issue occurs due to improper handling of authentication requests within the web-based management interface. An attacker can exploit the vulnerability by sending specially crafted HTTP requests to an affected device. Successful exploitation may allow an unauthenticated remote attacker to execute scripts and system commands and gain root-level access to the underlying operating system of the device.

Mitigation Recommendation:

Immediately upgrade Cisco Secure Firewall Management Center to a fixed software version as outlined in Cisco's advisory.

Restrict access to the FMC management interface so that it is only accessible from trusted administrative networks.

Monitor logs for suspicious HTTP requests, authentication anomalies, or unexpected configuration changes.


Java Deserialization Remote Code Execution in Cisco Secure Firewall Management Center

CVSS Score: 10.0 (Critical)
Identifier: CVE-2026-20131

PoC or Exploitation:

Cisco has stated there is currently no evidence of active exploitation in the wild and no publicly available proof-of-concept exploit code for CVE-2026-20131.

Update/ Patch:

Cisco has released software updates to address CVE-2026-20131 in Cisco Secure Firewall Management Center Software and Cisco Security Cloud Control Firewall Management. Administrators should upgrade to the fixed versions listed in Cisco's official advisory.

Cisco advisory and patch guidance:

Description:

CVE-2026-20131 is a remote code execution vulnerability caused by unsafe Java deserialization in the web-based management interface of Cisco Secure Firewall Management Center. The flaw allows an unauthenticated remote attacker to send a specially crafted serialized Java object to the management interface, which can result in arbitrary code execution on the underlying system. Successful exploitation may allow attackers to execute commands with root privileges on the affected device.

Mitigation Recommendation:

Immediately upgrade Cisco Secure Firewall Management Center and Cisco Security Cloud Control instances to fixed software versions provided in Cisco's advisory.

Restrict access to firewall management interfaces so they are reachable only from trusted administrative networks.

Implement management-plane segmentation to ensure FMC management services are not exposed to untrusted networks or the public internet.

Monitor logs for unusual HTTP requests or abnormal activity targeting the management interface.
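The mitigation lists for both CVE-2026-20079 and CVE-2026-20131 ask for the same two checks: confirm that only trusted administrative networks reach the management interface, and watch for suspicious HTTP requests and authentication anomalies. The Python script below is an added example written for this bulletin; it is not code from Cisco, from RedLegg, or from either advisory, and it does not reproduce either vulnerability. It triages a constructed set of HTTP request records (the log format, the addresses, the /login and /api/object paths, the failed-login threshold and the trusted CIDRs are all invented for illustration and are not FMC's own log format) and flags records that come from outside the admin networks, records whose body is a Java serialized object, and sources with a burst of failed logins. The one factual detail it relies on is that every Java serialization stream starts with the bytes AC ED 00 05, which base64-encode to a string beginning with "rO0AB".

```python
"""Constructed triage example for requests hitting a firewall management
interface. Log format, addresses, paths and payloads are invented for this
example; they are not Cisco FMC's log format and nothing here contacts an FMC."""
import base64
import ipaddress
import re
from typing import Dict, Iterator, List

# Assumption: the only networks that should ever reach the management interface.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Java serialization stream header: STREAM_MAGIC 0xACED then STREAM_VERSION 0x0005.
# Base64 of those four bytes always begins with "rO0AB".
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
JAVA_SER_B64_PREFIX = "rO0AB"

# Assumption: this many 401s to POST /login from one source counts as a burst.
FAILED_LOGIN_THRESHOLD = 3

# Constructed records (not real FMC logs): timestamp, source IP, method, path,
# optional base64-encoded request body, HTTP status.
CONSTRUCTED_LOG = """\
2026-03-05T00:10:01Z src=10.10.0.15 method=GET path=/login status=200
2026-03-05T00:10:05Z src=198.51.100.77 method=POST path=/login status=401
2026-03-05T00:10:06Z src=198.51.100.77 method=POST path=/login status=401
2026-03-05T00:10:07Z src=198.51.100.77 method=POST path=/login status=401
2026-03-05T00:10:09Z src=198.51.100.77 method=POST path=/api/object body_b64=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA== status=500
2026-03-05T00:11:30Z src=10.10.0.15 method=POST path=/api/config body_b64=eyJrZXkiOiAidmFsdWUifQ== status=200
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) path=(?P<path>\S+)"
    r"(?: body_b64=(?P<body>\S+))? status=(?P<status>\d+)$"
)


def parse_log(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed record; skip anything that does not parse."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_trusted_source(ip: str) -> bool:
    """True only if the source address lies inside one of the admin networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def looks_like_java_serialized(body_b64: str) -> bool:
    """True if the base64 body decodes to bytes starting with the Java stream header.
    Assumes the object sits at the start of the body; a payload embedded mid-body
    would need a substring search for the magic bytes instead."""
    if not body_b64.startswith(JAVA_SER_B64_PREFIX):
        return False
    try:
        raw = base64.b64decode(body_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(JAVA_SER_MAGIC)


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per record from outside the admin networks or carrying a
    Java serialized body; both reasons are recorded when both apply."""
    findings = []
    for rec in parse_log(log_text):
        reasons = []
        if not is_trusted_source(rec["src"]):
            reasons.append("untrusted_source")
        if rec["body"] and looks_like_java_serialized(rec["body"]):
            reasons.append("java_serialized_body")
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "path": rec["path"], "reasons": ",".join(reasons)})
    return findings


def failed_login_bursts(log_text: str, threshold: int = FAILED_LOGIN_THRESHOLD) -> Dict[str, int]:
    """Sources with at least `threshold` 401 responses to POST /login."""
    counts: Dict[str, int] = {}
    for rec in parse_log(log_text):
        if rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] == "401":
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_LOG):
        print(f"{f['ts']} {f['src']} {f['path']} -> {f['reasons']}")
    for src, n in failed_login_bursts(CONSTRUCTED_LOG).items():
        print(f"failed-login burst from {src}: {n} failures")
```

Where these records come from is an environment choice (a reverse proxy or packet capture in front of the interface, or the appliance's own web logs once mapped to the fields above); the script only assumes that the source address, path, status and, where available, the request body are recorded. The "rO0AB" prefix check is deliberately cheap so it can run on every request, and the full decode confirms the magic bytes before a record is flagged; the trusted-network check is the one that matters most, since a serialized object arriving from an untrusted source against an unpatched FMC is exactly the situation the upgrade and segmentation recommendations exist to prevent.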