Cisco has disclosed 48 vulnerabilities in its firewall ecosystem, two of which are as critical as vulnerabilities get.
They affect the following Cisco technologies:
- Adaptive Security Appliance (ASA), a traditional stateful firewall
- Secure Firewall Threat Defense (FTD), a firewall that combines ASA with additional, more advanced features
- Secure Firewall Management Center (FMC), the centralized management system for ASA and FTD deployments
All 48 issues come with fixes, and Cisco strongly recommends that customers update to the latest software version. That sentiment was echoed by the Netherlands' National Cyber Security Centre (NCSC-NL) in its own security advisory on March 4, which predicted that public proof-of-concept (PoC) exploits and large-scale exploitation attempts may follow for the two critical bugs in the batch, both of which affect Secure FMC.
Nine more vulnerabilities in Cisco's advisory earned "high" Common Vulnerability Scoring System (CVSS) scores. Most of these are denial-of-service (DoS) bugs, but the group also includes SQL injection and unauthorized file access issues. The rest of the batch, among them further DoS bugs, command injection, and cross-site scripting (XSS) flaws, is rated medium severity.
Critical Vulnerabilities in Cisco Secure FMC
The sheer number of vulnerabilities disclosed this week is not, by itself, cause for much brouhaha: Cisco publishes a bundled batch of advisories for this trio of products on a semi-annual schedule. Of more concern is a pair of those vulnerabilities that affect the FMC Web-based management interface.
There's CVE-2026-20079, which stems from a system process that is created at boot time. By sending crafted HTTP requests, an attacker could bypass authentication and execute scripts and commands, ultimately gaining root access to the FMC's underlying operating system (OS).
Then there's CVE-2026-20131, an insecure deserialization flaw. An attacker who sends a specially crafted serialized Java object to the FMC's Web-based management interface could execute arbitrary code remotely and potentially elevate privileges to root.
CVE-2026-20079 and CVE-2026-20131 both carry the maximum CVSS score of 10 out of 10.
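What an insecure deserialization bug of the kind described for CVE-2026-20131 looks like in code, as an added, generic illustration that is not Cisco's code and says nothing about how FMC actually parses request bodies: the vulnerable handler trusts the incoming bytes and casts afterwards, while the hardened handler installs an allowlist deserialization filter (JEP 290, Java 9 and later). The class names, the `StatusRequest` message type, and the `Gadget` stand-in are assumptions made for this example; the gadget only flips a flag to show when attacker-chosen code runs, and is not an exploit.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    // Hypothetical: the one message type the endpoint is designed to accept.
    public static final class StatusRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String deviceId;
        StatusRequest(String deviceId) { this.deviceId = deviceId; }
    }

    // Hypothetical stand-in for an attacker-chosen class. Real gadget chains reach
    // code execution through readObject hooks in classes already on the classpath;
    // this one only flips a flag, which is enough to show *when* such code runs.
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // executes inside readObject(), before the caller's cast
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: deserialize the request body and cast afterwards.
    // The cast is the only "check", and it happens after the untrusted class has
    // already been loaded and its readObject() has already executed.
    static StatusRequest vulnerableHandle(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return (StatusRequest) ois.readObject();
        }
    }

    // Hardened pattern: an allowlist filter is consulted by class name as the stream
    // is parsed, so a class not on the list is rejected before any of its code runs.
    // Only the expected message type and core JDK classes (java.base) are allowed.
    static StatusRequest hardenedHandle(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$StatusRequest;java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(allowlist);
            return (StatusRequest) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new StatusRequest("fw-edge-01")); // constructed sample input
        byte[] hostile = serialize(new Gadget());                    // constructed sample input

        System.out.println("hardened, legitimate request: " + hardenedHandle(legit).deviceId);

        Gadget.readObjectRan = false;
        try {
            vulnerableHandle(hostile);
        } catch (ClassCastException e) {
            System.out.println("vulnerable: cast failed, but Gadget.readObject ran first = "
                    + Gadget.readObjectRan);
        }

        Gadget.readObjectRan = false;
        try {
            hardenedHandle(hostile);
        } catch (InvalidClassException e) {
            System.out.println("hardened: rejected before any Gadget code ran = "
                    + !Gadget.readObjectRan + " (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on Java 9 or later. The same allowlist can be applied process-wide with `-Djdk.serialFilter=...` on the JVM command line, which is the usual way to retrofit a filter onto an application whose deserialization call sites cannot all be found.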
“Cisco effectively positions FMC as the ‘nerve center’ for unified firewall and threat management,” Jeff Liford, associate director at Fenix24, points out. To hammer home just how significant these issues are, he compares them to Cisco’s other 10-out-of-10 vulnerability that made the rounds last week, in the Catalyst SD-WAN Controller. That zero-day flaw, CVE-2026-20127, was exploited by an unknown but sophisticated threat actor in targeted attacks.
“Where a compromise of SD-WAN management could give attackers control of enterprise routing between sites, compromise of FMC could allow an attacker to undermine network security controls at a much deeper level,” Liford says. “An attacker with administrative access to FMC could potentially modify firewall rules, disable inspection controls, or push malicious configurations across multiple devices simultaneously.”
Edge Attacks Outpace Defenses
Cyberattacks at the network edge have been in vogue since at least 2024, led by nation-state threat groups, particularly those aligned with China.
In part, that’s because these devices are naturally such good entry points into networks. “The return on a single management-plane compromise exceeds what you get from a hundred endpoint compromises,” says Collin Hogue-Spears, senior director of solution management at Black Duck, “because the firewall does not just protect the network. It defines the network.”
Vendors in this space have also had immense trouble clamping down on security holes in their products. Hogue-Spears points out that, according to VulnCheck, more known exploited vulnerabilities (KEVs) affected edge devices in 2025 than any other category of technology.
Even more strikingly, Verizon’s 2025 Data Breach Investigations Report (DBIR) found a near-eightfold increase in zero-day exploitation of edge devices in 2024 compared with 2023. And in February, the Cybersecurity and Infrastructure Security Agency (CISA) tried to get a handle on its edge problems with Binding Operational Directive (BOD) 26-02, which ordered federal agencies to identify and remove all end-of-support firewalls, routers, and VPN gateways within 18 months.
“That directive did not come from theoretical risk modeling. It came from incident response data showing nation-state groups using Cisco, Fortinet, Palo Alto, Ivanti, and Juniper devices as their primary initial access vector for two consecutive years,” Hogue-Spears says.
In his view, most organizations are not keeping pace with the problem. “Defenders built their entire detection stack around endpoint agents and SIEM correlation. Edge devices sit outside that stack, generate their own logs, and run opaque firmware that no third-party tool can inspect,” he says. “Until that architecture changes, firewalls and edge appliances will remain the preferred front door.”
Hogue-Spears recommends that organizations run the Cisco Software Checker against affected devices as soon as possible and review which other devices at the edge of their networks might be at risk: “An unpatched firewall is an unlocked door with a welcome mat.”