What are CVE-2026-20079 and CVE-2026-20131?
Cisco has disclosed two critical vulnerabilities in Cisco Secure Firewall Management Center (FMC) affecting on-premises deployments only. CVE-2026-20079 is an authentication bypass caused by an improperly configured boot-time process. A remote attacker can send crafted HTTP requests, bypass authentication, and execute script files as root.
CVE-2026-20131 is a separate flaw in the web management interface caused by insecure deserialization of Java byte streams. A remote attacker can send a crafted serialized Java object and execute arbitrary code as root. Cisco assigned both vulnerabilities a CVSS score of 10.0, and both are remote, pre-authentication, and low complexity. Cisco also states that no workarounds are available for either issue.
These vulnerabilities matter because FMC is the management plane for Cisco Secure Firewall environments. A successful compromise can give an attacker control of the FMC itself and create downstream risk across managed FTD devices, including policy manipulation, administrative disruption, and loss of trust in management-plane integrity.
As of March 9, 2026, Cisco’s advisories do not state confirmed in-the-wild exploitation, and these CVEs do not appear in the CISA Known Exploited Vulnerabilities catalog materials reviewed for this post.
What assets are affected by CVE-2026-20079 and CVE-2026-20131?
The affected product is Cisco Secure Firewall Management Center, formerly Cisco Firepower Management Center, in on-premises deployments only. Cisco states that Cloud-Delivered FMC, Cisco ASA, Cisco FTD, and Security Cloud Control are not affected by these two vulnerabilities.
Affected versions:
- CVE-2026-20079
  - 6.4.0.13 through 7.0.9
  - 7.1.0 through 7.2.11
  - 7.3.0 through 7.4.6
  - 7.6.0 through 7.6.5
  - 7.7.0 through 7.7.12
  - 10.0.0 through 10.0.1
- CVE-2026-20131
  - 6.4.0.13 through 6.4.0.18
  - 7.0.0 through 7.0.8.1
  - 7.1.0 through 7.1.0.3
  - 7.2.0 through 7.2.10.2
  - 7.3.0 through 7.3.1.2
  - 7.4.0 through 7.4.5
  - 7.6.0 through 7.6.4
  - 7.7.0 through 7.7.11
  - 10.0.0
The highest-risk deployments are FMC instances whose management interfaces are externally reachable or exposed to untrusted networks. Because FMC is a centralized management platform, compromise has broader operational impact than compromise of a single administrative host. Cisco explicitly notes for CVE-2026-20131 that removing public internet access from the FMC management interface reduces the associated attack surface.
What does our data show about exposure patterns?
For Cisco Secure Firewall Management Center, the main exposure concern is the management interface being externally reachable or exposed to untrusted network segments. Because both vulnerabilities are unauthenticated and remote, any unnecessary exposure of the management plane increases risk.
Common exposure drivers include misconfigured access controls, inherited legacy administrative paths, cloud security group drift, weak segmentation, and insufficient monitoring of management infrastructure. In this case, the risk is higher because compromise of FMC can affect downstream firewall administration and policy integrity.
Are fixes available?
Yes. Cisco has released software updates for both vulnerabilities. No workarounds are available. Organizations should follow Cisco’s remediation guidance for the affected release train in use and treat these vulnerabilities as a high-priority patching event. Because the flaws affect the management plane, remediation should be prioritized ahead of lower-impact issues on managed devices.
Are there any other recommended actions to take?
- Inventory all Cisco FMC deployments and confirm which versions are in scope.
- Identify externally reachable or untrusted-network-exposed FMC interfaces.
- Restrict administrative access to trusted networks only.
- Prioritize patching exposed FMC instances first.
- Review FMC authentication, configuration, and administrative logs for unusual access, unexpected script execution, or unexplained policy activity.
- Look for signs of management-plane misuse, including unauthorized policy pushes, unexplained configuration changes, new administrative artifacts, or suspicious root-level activity.
- If an exposed FMC instance may have been targeted, perform a compromise assessment and review downstream FTD policy integrity and recent configuration history.
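The inventory and prioritization steps above, applied to the affected-version ranges listed earlier on this page (an added example, not Cisco's or CyCognito's code). The hostnames, exposure flags and function names are constructed, and ignoring a trailing build suffix is an assumption about how versions appear in your inventory. An empty result only means the version falls outside the ranges listed here.

```python
import re

# Inclusive affected ranges, transcribed from the version list on this page.
AFFECTED = {
    "CVE-2026-20079": [
        ("6.4.0.13", "7.0.9"), ("7.1.0", "7.2.11"), ("7.3.0", "7.4.6"),
        ("7.6.0", "7.6.5"), ("7.7.0", "7.7.12"), ("10.0.0", "10.0.1"),
    ],
    "CVE-2026-20131": [
        ("6.4.0.13", "6.4.0.18"), ("7.0.0", "7.0.8.1"), ("7.1.0", "7.1.0.3"),
        ("7.2.0", "7.2.10.2"), ("7.3.0", "7.3.1.2"), ("7.4.0", "7.4.5"),
        ("7.6.0", "7.6.4"), ("7.7.0", "7.7.11"), ("10.0.0", "10.0.0"),
    ],
}

def parse_version(text):
    """'7.0.8.1' or '7.4.5-172' -> 4-part int tuple (build suffix ignored)."""
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})(?:[-\s(].*)?$", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad so 7.1 == 7.1.0.0

def cves_in_scope(version):
    """CVE IDs whose listed ranges contain this version; [] = not listed here."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)]

def patch_order(inventory):
    """inventory rows: (host, version, externally_reachable).
    Returns in-scope rows, externally reachable hosts first."""
    rows = [(h, ver, ext, cves_in_scope(ver)) for h, ver, ext in inventory]
    in_scope = [r for r in rows if r[3]]
    return sorted(in_scope, key=lambda r: (not r[2], -len(r[3])))

# Constructed sample inventory (hostnames and exposure flags are made up).
SAMPLE = [
    ("fmc-dc1", "7.4.5-172", False),
    ("fmc-edge", "7.0.9", True),
    ("fmc-lab", "7.5.0", True),
    ("fmc-new", "10.0.1", False),
]

if __name__ == "__main__":
    for host, ver, ext, cves in patch_order(SAMPLE):
        print(f"{host:9} {ver:10} exposed={ext!s:5} {', '.join(cves)}")
```

Note that 7.0.9 and 10.0.1 are in scope for CVE-2026-20079 only, so a check keyed to one CVE's ranges would miss them.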
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-20079 and CVE-2026-20131 in the CyCognito platform and is actively researching enhanced detection capabilities for these vulnerabilities.
To learn more about how CyCognito can help your organization protect against these vulnerabilities, contact us for a demo.