Cisco Releases Security Updates for Cisco Secure Firewall Management Center (FMC) Software

Two critical vulnerabilities could allow an unauthenticated, remote attacker to perform arbitrary code execution and authentication bypass on an affected device.

Threat ID:: CC-4750
Threat Severity:: Medium
Published:: 5 March 2026 5:02 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Two critical vulnerabilities could allow an unauthenticated, remote attacker to perform arbitrary code execution and authentication bypass on an affected device.

Affected platforms

The following platforms are known to be affected:

Cisco Secure Firewall Management Center (FMC)

All device configurations affected.

Cisco Security Cloud Control (SCC) Firewall Management

Note: Cisco SCC Firewall Management is a SaaS-delivered offering and is upgraded by Cisco as part of maintenance. There is no user action required.

Threat details

Exploitation of CVE-2026-20131

Security researchers have stated they have observed exploitation of vulnerability CVE-2026-20131 in the wild. The NHS England National CSOC assesses further exploitation as highly likely.

Introduction

Cisco has released security updates to address two critical vulnerabilities in Cisco Secure Firewall Management Center (FMC) Software.

CVE-2026-20079 - 'Authentication Bypass Using an Alternate Path or Channel' vulnerability – CVSSv3 score: 10.0
CVE-2026-20131- 'Deserialisation of Untrusted Data' vulnerability – CVSSv3 score: 10.0

Threat updates

Date	Update
19 Mar 2026	Exploitation of CVE-2026-20131

Remediation advice

Affected organisations are strongly encouraged to review Cisco’s cisco-sa-fmc-rce-NKhnULJh and cisco-sa-onprem-fmc-authbypass-5JPp45V2 security advisories and apply the relevant update as soon as possible.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2026-20079

A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system. This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.

Status Published

CVE-2026-20131

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.

Last edited: 19 March 2026 11:43 am