
CVE-2026-20079 & CVE-2026-20131: Maximum-severity Vulnerabilities in Cisco FMC

On March 4, 2026, Cisco released fixes for two maximum-severity vulnerabilities impacting Cisco Secure Firewall Management Center (FMC), which is used to centrally manage Cisco Secure Firewall devices. 

  • CVE-2026-20079: An unauthenticated remote threat actor can exploit this vulnerability to bypass authentication and execute scripts as root on unpatched devices by sending crafted HTTP requests. The vulnerability is due to an improperly created system process at boot.
  • CVE-2026-20131: An unauthenticated remote threat actor can exploit this vulnerability to execute arbitrary Java code as root on unpatched devices by sending a crafted serialized object to the web interface. The vulnerability is due to insecure deserialization.
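
As an added illustration (not Arctic Wolf's or Cisco's code), the following Python heuristic flags HTTP request bodies that carry a Java serialization stream header, the generic marker of the kind of input CVE-2026-20131 involves. This bulletin does not give the FMC request format, so the addresses, paths and payload below are constructed placeholders, and a hit indicates serialized Java data in a request, not exploitation of this CVE.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
JAVA_MAGIC = b"\xac\xed\x00\x05"
# Base64 of that header always starts with "rO0AB" (standard and URL-safe alphabets).
B64_TOKEN = re.compile(rb"rO0AB[A-Za-z0-9+/_-]*={0,2}")

def _b64_is_stream(token: bytes) -> bool:
    """Decode a candidate token and confirm it really starts with the header."""
    token = token.rstrip(b"=").replace(b"-", b"+").replace(b"_", b"/")
    token += b"=" * (-len(token) % 4)
    try:
        return base64.b64decode(token).startswith(JAVA_MAGIC)
    except (binascii.Error, ValueError):
        return False  # text that merely contains "rO0AB" but is not valid base64

def serialization_markers(body: bytes) -> list:
    """Return the encodings in which a Java serialized stream appears in body."""
    found = []
    decoded = unquote_to_bytes(body)  # undo %XX encoding; unchanged if none present
    if JAVA_MAGIC in body:
        found.append("raw")
    elif JAVA_MAGIC in decoded:
        found.append("percent-encoded")
    if any(_b64_is_stream(m.group()) for m in B64_TOKEN.finditer(decoded)):
        found.append("base64")
    return found

def flag_requests(requests):
    """requests: iterable of (source_ip, path, body); returns the flagged ones."""
    scored = ((src, path, serialization_markers(body)) for src, path, body in requests)
    return [entry for entry in scored if entry[2]]

# Constructed sample data: a benign serialized java.lang.String ("hello").
BENIGN_STREAM = JAVA_MAGIC + b"\x74\x00\x05hello"
SAMPLE_REQUESTS = [
    ("198.51.100.7", "/example/a", BENIGN_STREAM),
    ("198.51.100.7", "/example/b", b"data=" + base64.b64encode(BENIGN_STREAM)),
    ("203.0.113.9", "/example/c", b"user=admin&note=rO0AB"),  # lookalike text only
    ("203.0.113.9", "/example/d", b"blob=%AC%ED%00%05t%00%05hello"),
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print(hit)
```
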

Arctic Wolf has not observed threat actors exploiting these vulnerabilities, nor have any public proof-of-concept exploits been reported. Threat actors may attempt to reverse engineer the fixed releases in the near future because of the level of access they could obtain by compromising an unpatched device.

Recommendation for CVE-2026-20079 & CVE-2026-20131

Upgrade to Latest Fixed Release

Arctic Wolf strongly recommends that customers upgrade to the latest fixed release of Cisco FMC. 

Customers can use Cisco’s Software Checker to verify if they are running an affected product and update to the fixed release. 

  • Note: CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management; however, Cisco has upgraded the service as part of routine maintenance, and no user action is required. 

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
