Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software.
Secure FMC is a web or SSH-based interface for admins to manage Cisco firewalls and configure application control, intrusion prevention, URL filtering, and advanced malware protection.
Both vulnerabilities can be exploited remotely by unauthenticated attackers: the authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system, while the remote code execution (RCE) vulnerability (CVE-2026-20131) lets them execute arbitrary Java code as root on unpatched devices.
“An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device,” the CVE-2026-20079 advisory reads.
“An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root,” Cisco added about CVE-2026-20079.
While they both affect Cisco Secure FMC Software, CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management, a cloud-based security policy manager that simplifies policy across Cisco firewalls and other devices.
At the moment, the company’s Product Security Incident Response Team (PSIRT) has no evidence that the two security flaws are exploited in attacks or that proof-of-concept (PoC) exploit code has been published online.
Today, Cisco has also patched dozens of other security vulnerabilities, including 15 high-severity security flaws in Secure FMC, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense software.
In August, Cisco fixed another maximum-severity Secure FMC flaw, warning that it allows unauthenticated remote attackers to inject arbitrary shell commands that are executed on unpatched devices.
More recently, in January, it released patches for a maximum-severity Cisco AsyncOS zero-day that has been exploited in attacks against secure email appliances since November and addressed a critical Unified Communications RCE that was also used in zero-day attacks.
Last month, it also patched a maximum-severity Catalyst SD-WAN authentication bypass flaw that was abused as a zero-day, allowing remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
