CVE-2026-20079
CVE-2026-20131
March 5, 2026

Cisco Secure Firewall Management Center (FMC) Authentication Bypass and RCE Vulnerabilities

Security Advisory
Kudelski Security Team

Summary

Two critical vulnerabilities have been identified in the web-based management interface of Cisco Secure Firewall Management Center (FMC) that could allow an unauthenticated remote attacker to compromise affected systems.

The vulnerabilities, tracked as CVE-2026-20079 and CVE-2026-20131, could allow attackers to bypass authentication or execute arbitrary code on the affected device. Successful exploitation may allow attackers to run commands or Java code and obtain root-level access to the underlying operating system.

Cisco has released software updates to address these vulnerabilities. At the time of publication, no workarounds are available.

Affected Systems and/or Applications

The following products are affected:

  • Cisco Secure Firewall Management Center (FMC) Software

Additionally, the following service is affected by CVE-2026-20131:

  • Cisco Security Cloud Control (SCC) Firewall Management

The following products are confirmed not vulnerable:

  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
  • Cisco Secure Firewall Threat Defense (FTD) Software
  • Cisco Cloud-Delivered Firewall Management Center (cdFMC)

Note: Cisco Security Cloud Control Firewall Management is a SaaS-delivered service and is automatically updated by Cisco.

Technical Details

Two separate vulnerabilities affect the FMC web-based management interface.

CVE-2026-20079 -- Authentication Bypass

This vulnerability is caused by an improperly created system process during device boot. An attacker could exploit this flaw by sending crafted HTTP requests to the affected device. Successful exploitation could allow an attacker to bypass authentication controls and execute scripts or commands on the system, potentially resulting in root-level access.

CVE-2026-20131 -- Remote Code Execution

This vulnerability results from insecure deserialization of a user-supplied Java byte stream in the web management interface. An attacker could send a crafted serialized Java object to the management interface of an affected device. If successful, the attacker could execute arbitrary Java code and escalate privileges to root.

The risk associated with these vulnerabilities increases if the FMC management interface is accessible from untrusted networks or the public internet.

Mitigation

Cisco has released software updates that address CVE-2026-20079 and CVE-2026-20131. Organizations should take the following actions:

  • Upgrade to the latest fixed version of Cisco Secure Firewall Management Center (FMC).
  • Use the Cisco Software Checker to determine whether deployed software versions are vulnerable and identify the earliest fixed release.
  • Restrict access to the FMC web management interface to trusted internal networks.
  • Ensure the management interface is not exposed to the public internet.
  • Monitor system logs and network traffic for suspicious or unauthorized access attempts targeting the FMC management interface.

Because no workarounds are available, upgrading to a fixed software release is required to fully remediate these vulnerabilities.
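
An added example (not from Cisco or the original advisory) of the monitoring step above as it relates to CVE-2026-20131: it flags request bodies that carry a Java serialization stream header and requests that arrive from outside the trusted management networks. The record shape, addresses and trusted range are constructed assumptions; feed it bodies from your own proxy logs or packet captures.

```python
import ipaddress

# Java Object Serialization streams start with STREAM_MAGIC 0xACED and
# STREAM_VERSION 0x0005; the same four bytes base64-encode to the prefix "rO0AB".
MARKERS = {
    "raw": bytes.fromhex("aced0005"),
    "base64": b"rO0AB",
    "hex": b"aced0005",
}

def serialized_markers(body: bytes) -> list[str]:
    """Return the encodings in which a serialization header appears in body."""
    lowered = body.lower()  # hex text may be upper or lower case
    return [name for name, marker in MARKERS.items()
            if marker in (lowered if name == "hex" else body)]

def triage(requests, trusted_nets):
    """requests: iterable of (src_ip, body). Returns (src_ip, severity, reason) tuples."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for src, body in requests:
        trusted = any(ipaddress.ip_address(src) in net for net in nets)
        hits = serialized_markers(body)
        if hits:
            # Serialized Java objects sent to the management UI warrant review
            # from any source; from an untrusted network they are urgent.
            severity = "medium" if trusted else "high"
            findings.append((src, severity, "java-serialized:" + ",".join(hits)))
        elif not trusted:
            # No marker, but the interface is reachable from outside the allowlist.
            findings.append((src, "low", "untrusted-source"))
    return findings

# Constructed sample traffic and trusted range (assumptions, not from the advisory).
TRUSTED = ["10.20.0.0/24"]
SAMPLE = [
    ("10.20.0.15", b"username=admin&action=list"),
    ("203.0.113.7", b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"),
    ("198.51.100.9", b"data=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA"),
    ("10.20.0.22", b"payload=ACED0005737200"),
    ("192.0.2.44", b"ping"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, TRUSTED):
        print(finding)
```

A marker match is a lead rather than proof, since short hex or base64 strings can match by chance; confirm against the full request before escalating.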

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is monitoring the situation. This advisory will be updated if required or when more information becomes available.
