Advisory

Cisco Issues Emergency Patches for Critical Actively Exploited Firewall Management Flaws

Take action: If you are running Cisco FMC on premises, this is urgent and important. These flaws are actively exploited. Make sure the FMC web interface is isolated and accessible only from trusted networks. Then patch very quickly: even an isolated interface will be targeted, because many attackers will build tools to attack it after a successful phishing or endpoint compromise.


Learn More

Cisco released emergency security updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) platform. These flaws allow unauthenticated remote attackers to gain full root-level control over the management system. 

FMC serves as the central hub for configuring and monitoring firewall policies across large environments.

Vulnerabilities summary:

  • CVE-2026-20079 (CVSS score 10.0) - An authentication bypass vulnerability in the web interface of Cisco Secure FMC caused by an improper system process created during boot time. Attackers can exploit this by sending crafted HTTP requests to the device, allowing them to run scripts and commands that grant root access to the underlying operating system. This bypass effectively defeats all access controls, letting an attacker modify system files or disable security logging.
  • CVE-2026-20131 (CVSS score 10.0) - A remote code execution vulnerability stemming from the insecure deserialization of user-supplied Java byte streams in the FMC web management interface. By submitting a malicious serialized Java object, an unauthenticated attacker can run arbitrary Java code with root privileges on the target system. This flaw also affects Cisco Security Cloud Control, though Cisco has already updated the SaaS-delivered version of that platform.

Successful exploitation of these flaws grants an attacker the highest possible privileges, enabling them to manipulate firewall configurations, steal sensitive data, or install backdoors. 

Cisco discovered these issues during internal security testing and has not yet seen evidence of active exploitation in the wild.

The vulnerabilities primarily affect on-premises installations of Cisco Secure Firewall Management Center Software. CVE-2026-20131 (CVSS score 10.0) also impacted Cisco Security Cloud Control (SCC). 

Cisco confirmed that the cloud-hosted SaaS offering is already patched and requires no user action. Other products, such as the Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software, are not vulnerable.

Cisco recommends that administrators immediately install the latest software updates to resolve these vulnerabilities. No manual workarounds exist. Organizations should use the Cisco Software Checker to identify the specific fixed releases for their environment. Beyond patching, security teams should restrict access to the FMC management interface to trusted internal networks and monitor system logs for unusual HTTP requests or unauthorized root-level activity.
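The monitoring advice above can be turned into a first-pass triage check. This is an added example, not code from Cisco or AWS: it flags HTTP request records that come from outside the trusted management networks or that carry a Java serialization stream header (`0xACED0005`, or `rO0AB` when base64-encoded) in the body. The record fields, the trusted network range and the paths are assumptions and placeholders, not FMC log format.

```python
import base64
import ipaddress

# Java serialization stream header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005.
JAVA_MAGIC = bytes.fromhex("aced0005")
# The same header as it appears at the start of a base64-encoded stream.
JAVA_MAGIC_B64 = b"rO0AB"
# Assumption: networks allowed to reach the management interface (placeholder).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def has_java_stream(body: bytes) -> bool:
    """True if the body holds a raw, base64 or hex-encoded Java stream header."""
    return (JAVA_MAGIC in body
            or JAVA_MAGIC_B64 in body
            or JAVA_MAGIC.hex().encode() in body.lower())


def is_trusted(src: str) -> bool:
    """True if the source address belongs to one of the trusted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def triage(records):
    """Return (src, path, reasons) for every record an analyst should review."""
    findings = []
    for rec in records:
        reasons = []
        if not is_trusted(rec["src"]):
            reasons.append("untrusted-source")
        if has_java_stream(rec["body"]):
            reasons.append("java-serialized-body")
        if reasons:
            findings.append((rec["src"], rec["path"], reasons))
    return findings


# Constructed sample records (not real FMC log output; paths are placeholders).
SAMPLE = [
    {"src": "10.20.0.15", "path": "/placeholder/login", "body": b"user=admin"},
    {"src": "203.0.113.7", "path": "/placeholder/api", "body": b"{}"},
    {"src": "10.20.0.44", "path": "/placeholder/api",
     "body": JAVA_MAGIC + b"\x73\x72\x00\x04Test"},
    {"src": "198.51.100.9", "path": "/placeholder/api",
     "body": b"data=" + base64.b64encode(JAVA_MAGIC + b"\x73\x72\x00\x04Test")},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A marker match is a triage signal, not proof of exploitation: the byte patterns can occur in unrelated binary or encoded data, so each hit needs to be checked against the request context.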

Update - as of 18th of March 2026, AWS CISO CJ Moses reports that criminals exploited CVE-2026-20131 more than a month before Cisco patched the issue. "Our research found that Interlock was exploiting this vulnerability 36 days before its public disclosure, beginning January 26". AWS published its Indicators of Compromise in the blog post.

As of 19th of March 2026, CISA confirmed that CVE-2026-20131 is actively exploited.
