Cisco warns of max severity Secure FMC flaws giving root access
Cisco patches two CVSS 10.0 flaws in Secure Firewall Management Center. Both allow unauthenticated remote attackers to gain root access. Fourth max-severity firewall flaw in 8 months.
Cisco has patched two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software. Both flaws can be exploited remotely by unauthenticated attackers: one grants root access via authentication bypass, and the other allows arbitrary Java code execution as root.
What happened
CVE-2026-20079 is an authentication bypass that lets attackers send crafted HTTP requests to gain root access to the underlying OS. CVE-2026-20131 is a remote code execution flaw triggered by sending a malicious serialized Java object to the web management interface.
Both affect Cisco Secure FMC Software. The RCE flaw also impacts Cisco Security Cloud Control (SCC) Firewall Management, Cisco's cloud-based policy manager.
Cisco says there is no evidence of active exploitation yet, and no public proof-of-concept code exists.
The bigger picture
This is the fourth maximum-severity Cisco firewall flaw in the past 8 months. In August 2025, Cisco patched an FMC flaw that allowed unauthenticated shell command injection. In January 2026, it fixed an AsyncOS zero-day that had been exploited since November. Last month, a Catalyst SD-WAN authentication bypass was being actively exploited as a zero-day.
The pattern is clear: firewall management interfaces are a high-value target. When attackers compromise the management plane, they own the entire security infrastructure.
WAFplanet take
Cisco Secure FMC is a network firewall management tool, not a WAF. But the lesson applies directly to WAF deployments. Your WAF management console is your most sensitive attack surface. If it is exposed to the internet without additional access controls, you are one unpatched CVE away from losing your entire security posture.
This is why Cloudflare, Imperva, and other cloud WAF providers invest heavily in securing their management APIs. For self-hosted WAFs like F5 Advanced WAF or Fortinet FortiWeb, keep management interfaces off the public internet and patch aggressively.
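An added example, not taken from Cisco's advisory or from this article: a generic check for Java serialization stream headers in HTTP request bodies, the input class named for CVE-2026-20131, of the kind a WAF or reverse proxy in front of a management interface can apply. It is not a signature for this CVE, and the request records and bodies below are constructed samples.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Java serialization streams start with STREAM_MAGIC 0xACED and STREAM_VERSION 0x0005.
MAGIC = b"\xac\xed\x00\x05"
B64_MAGIC = re.compile(rb"rO0AB[A-Za-z0-9+/_-]{8,}")  # base64/base64url form of MAGIC
HEX_MAGIC = re.compile(rb"aced0005[0-9a-f]{8,}", re.I)  # hex-string form of MAGIC
SERIALIZED_CT = "application/x-java-serialized-object"


def serialization_markers(body: bytes, content_type: str = "") -> list:
    """List the forms in which a Java serialization header appears in a request."""
    hits = []
    decoded = unquote_to_bytes(body)  # undo %AC%ED%00%05 style percent-encoding
    if MAGIC in body:
        hits.append("raw")
    elif MAGIC in decoded:
        hits.append("percent-encoded")
    if B64_MAGIC.search(decoded):
        hits.append("base64")
    if HEX_MAGIC.search(decoded):
        hits.append("hex")
    if content_type.split(";")[0].strip().lower() == SERIALIZED_CT:
        hits.append("content-type")
    return hits


def flag_requests(requests):
    """Return (id, markers) for every request that carries a serialization marker."""
    scored = ((r["id"], serialization_markers(r["body"], r["ct"])) for r in requests)
    return [(rid, m) for rid, m in scored if m]


# Constructed samples: a truncated, inert stream header (class descriptor only).
HDR = MAGIC + b"sr\x00\x11java.util.HashMap"
SAMPLES = [
    {"id": 1, "ct": "application/json", "body": b'{"user": "admin"}'},
    {"id": 2, "ct": "application/octet-stream", "body": HDR},
    {"id": 3, "ct": "application/x-www-form-urlencoded",
     "body": b"state=" + base64.b64encode(HDR).replace(b"=", b"%3D")},
    {"id": 4, "ct": "text/plain", "body": HDR.hex().encode()},
    {"id": 5, "ct": "application/x-www-form-urlencoded",
     "body": b"d=%AC%ED%00%05sr%00%11java.util.HashMap"},
]

if __name__ == "__main__":
    for req_id, markers in flag_requests(SAMPLES):
        print(f"request {req_id}: Java serialization marker ({', '.join(markers)})")
```

A hit means only that a request carries serialized Java data; whether that is expected depends on the application behind the proxy, so treat it as a signal to block or review rather than proof of an attack.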