Full Report
The vendor said it’s not aware of any active exploitation of the vulnerabilities, which could allow remote attackers to achieve root access and execute code. (Source: CyberScoop, "Cisco reveals 2 max-severity defects in firewall management software".)
Analysis Summary
# Vulnerability: Critical Flaws in Cisco Secure Firewall Management Center (FMC)
## CVE Details
- **CVE ID:** CVE-2026-20079 and CVE-2026-20131
- **CVSS Score:** 10.0 (Critical / Maximum Severity) for both. A 10.0 base score can only be produced by the CVSS 3.x vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: reachable from the network, low attack complexity, no privileges or user interaction required, scope change, and high impact on confidentiality, integrity and availability.
- **CWE:**
- CVE-2026-20079: Authentication Bypass / Improper Process Creation
- CVE-2026-20131: Deserialization of Untrusted Data (Insecure Deserialization, CWE-502)
## Affected Systems
- **Products:** Cisco Secure Firewall Management Center (FMC) Software (formerly Firepower Management Center).
- **Versions:** Multiple releases are affected; compare the running FMC release against the affected-release and first-fixed-release tables in the vendor advisories.
- **Configurations:** The vulnerabilities affect the web-based management interface regardless of device configuration.
## Vulnerability Description
Cisco disclosed two distinct max-severity flaws in the FMC administrative interface:
1. **CVE-2026-20079:** This flaw stems from an improper system process created at boot time. An unauthenticated remote attacker can bypass authentication and execute script files on the underlying operating system.
2. **CVE-2026-20131:** This is a Java deserialization vulnerability in the web-based management interface. An unauthenticated remote attacker sends the interface a request carrying a specially crafted serialized Java object; because the server deserializes attacker-supplied bytes, the attacker chooses which classes get instantiated during deserialization, and the result is remote code execution (RCE) as the root user.
## Exploitation
- **Status:** Not known to be exploited. Per the vendor, there was no known active exploitation and no public proof of concept at the time of publication.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total (Root access allows full data exposure)
- **Integrity:** Total (Ability to execute arbitrary code and modify system files)
- **Availability:** Total (Attackers can disable or disrupt firewall management operations)
## Remediation
### Patches
Cisco has released fixed software versions as part of its semiannual (twice-yearly) bundled security advisory publication. Users should migrate to:
- **Cisco Secure FMC Software fixed releases** (Consult the Cisco PSIRT advisories for specific version mapping).
### Workarounds
- **None:** No workarounds are available for either vulnerability. Until fixed software is installed, restrict access to the management interface to trusted management networks (for example with upstream firewall ACLs) and confirm that the interface is not reachable from the internet.
## Detection
- **Indicators of Compromise:** For CVE-2026-20079, script files executed on the FMC operating system outside the normal boot or scheduled-task paths, or child processes of the boot-time system process described in the advisory that do not match a known-clean baseline. For CVE-2026-20131, new processes or shells spawned as root by the web-application service shortly after a request to the management interface.
- **Detection methods and tools:** Review the FMC web server logs for requests to the management interface from outside the trusted management networks, for authentication failures followed by successful administrative actions, and for POST requests whose bodies carry a Java serialization stream (the stream begins with the bytes AC ED 00 05; base64-encoded, it begins with `rO0AB`). A serialized Java object arriving at a management interface is not something a browser session produces, so any such request deserves triage. Review system logs for unauthorized privilege escalation to root.
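The two log checks described above, as an added example that is not Cisco's code and not from the CyberScoop article: it triages HTTP request records for bodies that carry a Java serialization stream (raw, percent-encoded, or base64-encoded in either alphabet) and for clients outside a trusted management subnet. The record layout, the request paths, the client addresses and the `10.10.0.0/24` trusted subnet are all constructed assumptions; replace the sample list with a loader for your real web server log format.

```python
"""
Added example, not Cisco's code and not from the CyberScoop article: triage HTTP
request records from a management-interface web server log for the two signals the
Detection section describes. The log record layout, the paths, the source addresses
and the trusted management subnet below are all constructed assumptions; adapt the
loader to the real log format and your real management network.
"""
import base64
import ipaddress
import re
from urllib.parse import unquote_to_bytes

# A Java serialization stream always starts with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005). Base64-encoded, those four bytes begin with "rO0AB".
JAVA_MAGIC = b"\xac\xed\x00\x05"
JAVA_MAGIC_B64 = "rO0AB"

# Assumption: the only network that should ever reach the management interface.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Runs of base64 characters (standard or URL-safe alphabet) worth decoding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{8,}")


def body_has_java_stream(body: bytes) -> bool:
    """True if the request body carries a Java serialization stream: raw,
    percent-encoded, or base64-encoded (standard or URL-safe alphabet), including
    a base64 value in which the stream does not start on a 3-byte boundary."""
    if JAVA_MAGIC in body:
        return True
    decoded = unquote_to_bytes(body)          # handles %AC%ED%00%05 in form data
    if JAVA_MAGIC in decoded:
        return True
    text = decoded.decode("latin-1")          # never fails: 1:1 byte-to-char mapping
    if JAVA_MAGIC_B64 in text:
        return True
    # When the magic is not at offset 0 mod 3 of the encoded data its base64 form
    # differs, so decode each plausible run and look for the magic inside it.
    for run in _B64_RUN.findall(text):
        padded = run + "=" * (-len(run) % 4)
        try:
            if JAVA_MAGIC in base64.b64decode(padded, altchars=b"-_"):
                return True
        except ValueError:                    # binascii.Error is a ValueError
            continue
    return False


def from_trusted_net(src: str) -> bool:
    """True if the client address lies inside a trusted management subnet."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def triage(requests):
    """Return (src, path, reasons) for every request that deserves an analyst's
    attention: a POST carrying a serialized Java object, or any request from
    outside the trusted management networks."""
    findings = []
    for r in requests:
        reasons = []
        if r["method"] == "POST" and body_has_java_stream(r["body"]):
            reasons.append("java-serialized-body")
        if not from_trusted_net(r["src"]):
            reasons.append("untrusted-source")
        if reasons:
            findings.append((r["src"], r["path"], reasons))
    return findings


# Constructed sample records (not real FMC traffic); the paths are placeholders.
# The serialized bodies hold the stream header followed by a java.util.HashMap
# class descriptor (TC_OBJECT 's', TC_CLASSDESC 'r', 2-byte name length 0x0011).
SAMPLE_REQUESTS = [
    {"src": "10.10.0.5", "method": "GET", "path": "/login.cgi", "body": b""},
    {"src": "10.10.0.5", "method": "POST", "path": "/login.cgi",
     "body": b"username=admin&password=REDACTED"},
    {"src": "203.0.113.7", "method": "POST", "path": "/api/placeholder",
     "body": b"data=" + base64.b64encode(JAVA_MAGIC + b"sr\x00\x11java.util.HashMap")},
    {"src": "10.10.0.9", "method": "POST", "path": "/api/placeholder",
     "body": b"payload=" + JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"},
]

if __name__ == "__main__":
    for src, path, reasons in triage(SAMPLE_REQUESTS):
        print(f"{src} {path} -> {', '.join(reasons)}")
```

Run against the constructed sample, the third record is flagged for both reasons and the fourth for the serialized body only; the two login requests from the trusted subnet are left alone. The base64 run decoding matters because an attacker who prefixes the stream with one or two bytes changes every character of its base64 form, so a bare `rO0AB` substring match alone would miss it.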
## References
- **Vendor Advisory (CVE-2026-20079):** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2
- **Vendor Advisory (CVE-2026-20131):** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
- **Cisco Biannual Update Summary:** hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/viewErp[.]x?alertId=ERP-75736