Cisco issues emergency patches for two root‑level Secure FMC flaws

Cisco released urgent fixes for two maximum‑severity Secure FMC vulnerabilities that could give attackers root control; administrators should patch immediately to prevent firewall takeover.

Dr. Elena Rodriguez
Source: www.cisco.com

Cisco on March 4 released emergency security updates to fix two maximum‑severity vulnerabilities in its Secure Firewall Management Center (Secure FMC) that could allow attackers to obtain root‑level control of firewall management systems. The flaws, tracked as CVE‑2026‑20079 and CVE‑2026‑20131, strike at the central interface used to administer firewall policies, intrusion prevention, URL filtering and advanced malware protections.

Cisco warned that CVE‑2026‑20079 can be triggered by "sending a crafted serialized Java object to the web‑based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root." The second flaw, CVE‑2026‑20131, also affects Cisco Security Cloud Control (SCC) Firewall Management, a cloud‑based policy manager, and is described as similarly capable of allowing attackers to bypass authentication and gain full root‑level control.

Because Secure FMC is a web or SSH‑based central management hub, compromise of the appliance could have cascading effects across enterprise networks. If an attacker gains control of the management system, they may be able to modify firewall policies, disable security protections, deploy malicious network rules, intercept or redirect traffic, or install persistent backdoors — actions that could neutralize perimeter defenses and permit prolonged lateral movement inside corporate environments.

Cisco’s Product Security Incident Response Team (PSIRT) said it has "no evidence that the two security flaws are exploited in attacks or that proof‑of‑concept (PoC) exploit code has been published online." Nonetheless, the company released fixes alongside a broader set of updates that address dozens of additional vulnerabilities; the March 4 release includes multiple high‑severity patches across Secure FMC, Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense software.

Security vendors and incident responders urged rapid action. Arctic Wolf "strongly recommends that customers upgrade to the latest fixed release." Field‑effect responders noted that for recent critical Cisco fixes "no workarounds exist, patching required," and that managed detection and response clients had already received remediation guidance and incident response orders.

The patches arrive amid an intense period of fixes for Cisco products. Cisco has moved quickly since mid‑2025 to remediate several high‑impact bugs, including a maximum‑severity Secure FMC issue fixed in August 2025 and multiple zero‑day patches earlier this year for AsyncOS and Unified Communications components that were exploited in active campaigns. In September 2025 the U.S. Cybersecurity and Infrastructure Security Agency issued Emergency Directive 25‑03, requiring federal agencies to patch exploited ASA and FTD vulnerabilities and follow compromise assessment procedures, underscoring the potential national‑security implications of firewall‑management flaws.

Administrators should treat the March 4 updates as urgent. Apply Cisco’s fixed releases for Secure FMC and SCC Firewall Management immediately and follow vendor guidance for post‑patch verification and monitoring. Organizations running centralized firewall management should assume elevated risk until systems are updated and should review logs and configuration changes for signs of unauthorized access during the window before patches were applied.
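
For the log review described above, one concrete signal is a serialized Java object arriving in a request to the management interface, the delivery mechanism Cisco describes for CVE‑2026‑20079. The following is an added example, not code from Cisco or from this article: it flags request bodies that carry the Java serialization stream header in binary, URL-encoded or base64 form. The record layout and the placeholder paths are assumptions, and it presumes request bodies are available from a proxy log or decrypted capture.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_MAGIC = b"\xac\xed\x00\x05"
# Base64 of that header starts "rO0AB"; accept the URL-safe alphabet too.
B64_RUN = re.compile(rb"rO0AB[A-Za-z0-9+/_-]+")
JAVA_MIME = "application/x-java-serialized-object"

def _b64_is_java(run: bytes) -> bool:
    """Decode the first 8 base64 characters and confirm the 4-byte header."""
    head = run[:8].translate(bytes.maketrans(b"-_", b"+/"))
    head += b"=" * (-len(head) % 4)
    try:
        return base64.b64decode(head).startswith(JAVA_MAGIC)
    except binascii.Error:
        return False

def find_java_serialization(body: bytes, content_type: str = "") -> set[str]:
    """Return the forms in which a serialized Java object appears in a request."""
    hits = set()
    if JAVA_MIME in content_type.lower():
        hits.add("content-type")
    # Check the body as sent and with %xx escapes undone.
    for data in {body, unquote_to_bytes(body)}:
        if JAVA_MAGIC in data:
            hits.add("binary")
        if any(_b64_is_java(m.group()) for m in B64_RUN.finditer(data)):
            hits.add("base64")
    return hits

def scan_requests(records):
    """Return (path, sorted hits) for each request record that matches."""
    return [(r["path"], sorted(h)) for r in records
            if (h := find_java_serialization(r["body"], r.get("content_type", "")))]

# Constructed sample records (placeholder paths, not real product endpoints).
_OBJ = JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"
SAMPLE = [
    {"path": "/placeholder/login", "body": b"user=alice&pw=x"},
    {"path": "/placeholder/a", "body": _OBJ, "content_type": JAVA_MIME},
    {"path": "/placeholder/b", "body": b"data=" + base64.b64encode(_OBJ)},
    {"path": "/placeholder/c", "body": b"blob=%AC%ED%00%05sr"},
]
```

A match shows only that a request carried a serialized Java object, so treat it as a lead to correlate with source address, timing and subsequent configuration changes.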
