Cisco warns of max severity Secure FMC flaws giving root access

Published: March 4, 2026 at 02:12 PM EST

Source: Bleeping Computer

Cisco has released security updates to patch two maximum‑severity vulnerabilities in its Secure Firewall Management Center (FMC) software.

Secure FMC is a web‑ or SSH‑based interface that admins use to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection.

Both vulnerabilities can be exploited remotely by unauthenticated attackers:

  • The authentication bypass flaw (CVE‑2026‑20079) allows attackers to gain root access to the underlying operating system.

    “An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device,” the advisory reads.

  • The remote code execution (RCE) vulnerability (CVE‑2026‑20131) lets them execute arbitrary Java code as root on unpatched devices.

    “An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web‑based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root,” Cisco added.

While both affect Cisco Secure FMC software, CVE‑2026‑20131 also impacts Cisco Security Cloud Control (SCC) Firewall Management, a cloud‑based security policy manager that simplifies policy across Cisco firewalls and other devices.

At the moment, Cisco’s Product Security Incident Response Team (PSIRT) has no evidence that the two flaws are being exploited in the wild, nor that proof‑of‑concept exploit code has been published online.

Cisco has also patched dozens of other security vulnerabilities, including 15 high‑severity flaws in Secure FMC, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense software.

In August, Cisco fixed another maximum‑severity Secure FMC flaw, which allowed unauthenticated remote attackers to inject arbitrary shell commands that were executed on unpatched devices.

More recently, in January, it released patches for a maximum‑severity Cisco AsyncOS zero‑day that had been exploited in attacks against secure email appliances since November, and addressed a critical Unified Communications RCE that was also used in zero‑day attacks.

Last month, Cisco also patched a maximum‑severity Catalyst SD‑WAN authentication bypass flaw that was abused as a zero‑day, allowing remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
