CVE-2026-20079

Cisco Secure Firewall Management Center Authentication Bypass Vulnerability

A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system. Cisco rates the issue Critical with a CVSS v3.1 score of 10.0. Cisco says the flaw is due to an improper system process that is created at boot time, and that an attacker could exploit it by sending crafted HTTP requests to an affected device. 

Technical Details

Cisco describes CVE-2026-20079 as an authentication bypass vulnerability in the FMC web interface. The flaw exists because of an improper system process created at boot time. An attacker does not need credentials or user interaction. By sending crafted HTTP requests to a vulnerable FMC instance, the attacker can bypass authentication and execute script files that result in root access on the device. NVD mirrors Cisco’s description and lists the weakness as CWE-288: Authentication Bypass Using an Alternate Path or Channel.

NodeZero® Proactive Security Platform — Rapid Response

The Rapid Response test in NodeZero is designed to help security teams answer the question that matters most: is this actually exploitable in our environment? For CVE-2026-20079, the test can be used to validate exposure before remediation and confirm the issue is no longer exploitable after the fix is applied.

  • Run the Rapid Response test
    Use NodeZero to verify whether the FMC instance is susceptible to unauthenticated authentication bypass leading to root-level access.
  • Patch immediately
    Cisco has released fixed software for affected Cisco Secure FMC releases and states that no workarounds are available. Cisco also recommends using its Software Checker to determine exposure and fixed releases for specific deployments.
  • Re-run the Rapid Response test
    After patching, re-test to confirm the vulnerability is no longer exploitable and that remediation was effective.

Indicators of Compromise

Cisco’s advisory for CVE-2026-20079 does not publish a set of public forensic indicators such as IPs, hashes, or filenames. What Cisco does provide is related detection content in the form of Snort rules 66075–66080 tied to the advisory. Where available, defenders should also review web-interface access logs and device audit data for suspicious crafted HTTP requests targeting FMC management interfaces. That last recommendation is a defensive inference based on Cisco’s stated exploit path, not a vendor-published IoC list.
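
One way to run the access-log review suggested above, as an added example that is not from Cisco's advisory or from NodeZero: it lists requests from outside the management networks that the web interface answered with a 2xx status. The Apache "combined" log format, the allowlisted network, and every sample line (addresses, paths, timestamps) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the web-interface access log uses Apache "combined" format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: networks permitted to administer the FMC (constructed value).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines; the paths are placeholders, not real FMC URLs.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:09:12:01 +0000] "GET /placeholder/a HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [01/Jan/2026:09:14:37 +0000] "POST /placeholder/b HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.44 - - [01/Jan/2026:09:14:39 +0000] "GET /placeholder/c HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [01/Jan/2026:10:02:11 +0000] "GET /placeholder/a HTTP/1.1" 401 0 "-" "-"',
    'truncated or malformed line',
]

def triage(lines, mgmt_nets=MGMT_NETS):
    """Group 2xx responses served to sources outside the management networks.

    Returns {source_ip: [(timestamp, method, path, status), ...]}.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined format
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # source field is a hostname or garbage, not an IP
        if any(src in net for net in mgmt_nets):
            continue  # expected administrative traffic
        status = int(m["status"])
        if 200 <= status < 300:
            hits[str(src)].append((m["ts"], m["method"], m["path"], status))
    return dict(hits)

if __name__ == "__main__":
    for src, reqs in triage(SAMPLE_LOG).items():
        print(src, reqs)
```

A hit is a lead for review rather than proof of exploitation; tune the allowlist and status filter to the deployment.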

Affected versions & patch

Cisco states that this vulnerability affects Cisco Secure FMC Software, regardless of device configuration. Cisco also states that the following products are not affected by this vulnerability:

  • Cloud-Delivered FMC (cdFMC)
  • Secure Firewall Adaptive Security Appliance (ASA) Software
  • Secure Firewall Threat Defense (FTD) Software
  • Security Cloud Control (SCC), formerly Defense Orchestrator

Cisco has released fixed software and says there are no workarounds that address this issue. Cisco directs customers to the Fixed Software section of the advisory and the Cisco Software Checker to identify the correct remediation path for their installed release. A third-party government advisory summarizing Cisco’s bulletin lists many affected FMC releases across the 6.4, 7.0, 7.1, 7.2, 7.3, 7.4, 7.6, 7.7, and 10.0 branches, but organizations should still treat Cisco’s advisory as the authoritative source for exact fixed-version mapping.

References

At the time of disclosure, Cisco and multiple security outlets reported no evidence of active exploitation or public proof-of-concept code.
