[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2026-20079 and CVE-2026-20131 Critical Vulnerabilities in Cisco Secure Firewall Management Center Software and Security Cloud Control
ESO_SOC * DAS
ESO.SOC at das.oregon.gov
Thu Mar 5 11:53:35 PST 2026
Good morning,
The SOC Services team is reporting on the following vulnerabilities: CVE-2026-20079, affecting the Cisco Secure Firewall Management Center (FMC) management interface, and CVE-2026-20131, affecting the FMC web-based management interface. Because Cisco has released a security advisory describing a critical authentication bypass vulnerability affecting FMC systems, we are providing this in-depth information.
History: Cisco disclosed these vulnerabilities on March 4, 2026, in a security advisory for Cisco Secure Firewall Management Center. Both vulnerabilities are currently assigned a CVSS v3.x base score of 10.0 (Critical) by Cisco Systems.
Affected Versions:
* CVE-2026-20079: Cisco Secure Firewall Management Center releases prior to Cisco March 2026 security update
* CVE-2026-20131: Cisco Secure Firewall Management Center versions prior to Cisco March 2026 security updates
Fixed Versions:
* Cisco Secure Firewall Management Center updated releases published March 2026
An improper system process created during boot allows an unauthenticated attacker to send crafted HTTP requests to the management interface, bypass authentication controls, and execute scripts on the device with root privileges. More information can be found through the Vendor Advisory.
Vendor Advisory: Cisco Secure Firewall Management Center Remote Code Execution Vulnerability <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh>
Intelligence: As of March 4, 2026, CISA has not listed the vulnerability in the Known Exploited Vulnerabilities Catalog.
CVE-2026-20079
Exploitability Level: High
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: No public proof-of-concept reported
Zero Day: No
CVE-2026-20131
Exploitability Level: High
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: No public proof-of-concept reported
Zero Day: No
Workarounds:
CVE-2026-20079: Restrict access to FMC management interfaces to trusted administrative networks until patches are applied
CVE-2026-20131: Restrict FMC management interface access to trusted networks; apply vendor-provided updates as soon as possible
How it Works: Both vulnerabilities lead to remote code execution.
CVE-2026-20079: The vulnerability occurs due to an improper system process created during FMC boot operations that allows crafted HTTP requests to bypass authentication and execute scripts with elevated privileges.
CVE-2026-20131: The vulnerability occurs when the FMC management interface deserializes attacker-controlled Java objects without proper validation, allowing malicious objects to execute arbitrary code on the system.
Post-Exploit Impact:
CVE-2026-20079:
* Authentication bypass leading to unauthorized administrative access (CWE-288)
* Remote command execution with root privileges (CWE-284)
CVE-2026-20131:
* Remote arbitrary code execution on the FMC appliance (CWE-502)
* Full system compromise through root privilege execution (CWE-284)
Indicators of Compromise (IoCs):
CVE-2026-20079:
Type: Network
Value: Suspicious crafted HTTP requests targeting FMC management interface
Description / Notes: Potential exploit attempts against the FMC web service
CVE-2026-20131:
Type: Network
Value: Suspicious serialized payloads in HTTP requests to FMC interface
Description / Notes: Potential remote code execution exploitation attempts
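As an added example (not part of this alert or of Cisco's advisory), the script below triages HTTP log lines from an FMC management interface against two items in this notice: the trusted-network workaround and the serialized-payload IoC for CVE-2026-20131. The log format, the trusted network, the addresses and the request paths are all assumptions constructed for the example.

```python
# Added example, not from the original alert or from Cisco: triage FMC
# management-interface HTTP log lines against the trusted-network workaround
# and the serialized-payload IoC for CVE-2026-20131. Everything is constructed.
import base64
import ipaddress
import re

# Assumption: administrative access is only expected from this network.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Java serialization stream header (STREAM_MAGIC 0xACED, version 0x0005);
# "rO0AB" is how that header appears when the stream is base64-encoded.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
JAVA_SER_B64 = "rO0AB"
# Constructed format: "<src_ip> <method> <path> <body>", body base64 or "-".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def _decode_body(field):
    # Return raw body bytes; a non-base64 field is kept as-is.
    if field == "-":
        return b""
    try:
        return base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return field.encode()

def analyze_line(line):
    # Return a record with its findings, or None if the line is unparseable.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, method, path, body_field = m.groups()
    findings = []
    if not any(ipaddress.ip_address(src) in n for n in TRUSTED_ADMIN_NETS):
        findings.append("untrusted-source")  # outside the workaround scope
    body = _decode_body(body_field)
    # Check decoded bytes (magic at any offset) and the encoded prefix.
    if JAVA_SER_MAGIC in body or JAVA_SER_B64 in body_field:
        findings.append("java-serialized-object")
    return {"src": src, "method": method, "path": path, "findings": findings}

def analyze_log(lines):
    # Keep only records that produced at least one finding.
    return [r for r in map(analyze_line, lines) if r and r["findings"]]

SAMPLE_LOG = [  # constructed; paths are placeholders, not real FMC routes
    "10.10.0.5 GET /placeholder/login -",
    "198.51.100.7 GET /placeholder/login -",
    "10.10.0.9 POST /placeholder/api rO0ABQ==",
    "203.0.113.4 POST /placeholder/api rO0ABQ==",
]
```

Any record flagged "untrusted-source" indicates the workaround is not enforced; "java-serialized-object" hits warrant the pre-patch compromise check recommended below.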
Tenable Plugins: As of March 5, 2026, Tenable has not yet released plugins for either of these CVEs; they are currently in the build and testing phase and will be released and automatically added to the plugin set for Tenable products when available.
Recommended Actions:
Date Added to KEV Catalog: Currently not added
Due Date for Remediation: Currently not added
* Apply the workarounds above until patches can be applied.
* Upgrade Cisco Secure Firewall Management Center to the latest vendor-supported release.
* Restrict administrative interface access to trusted management networks.
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by the vendor to vulnerable systems after testing.
* Run all software as a non-privileged user to reduce the impact of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378