Overview
- The bugs, CVE-2026-20079 (authentication bypass) and CVE-2026-20131 (insecure Java deserialization RCE), allow unauthenticated remote attackers to obtain root access on affected FMC systems.
- Cisco PSIRT says it has no evidence of active exploitation or public proof‑of‑concept code for these defects at publication time.
- CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management, extending exposure beyond on‑prem FMC.
- The fixes arrived March 4 within a bundled release of 25 advisories covering 48 vulnerabilities across ASA, FMC and FTD products.
- Cisco characterizes FMC as the administrative nerve center for firewall policy and warns risk increases when management interfaces are internet‑exposed.