Cisco on Thursday disclosed two different vulnerabilities in the web interface of its Secure Firewall Management Center that allow unauthenticated, remote attackers to execute code on affected machines.

Both are rated CVSS 10 and are patch-only, with no workarounds. 

Cisco said it was not aware of either being exploited in the wild. The flaws were discovered internally during what Cisco described only as "security testing," and neither was associated with customer reports.

System process, Java stream 

CVE-2026-20079 "is due to an improper system process that is created at boot time," Cisco says, and can be exploited with the right HTTP request. From there, an attacker can execute "a variety of scripts and commands" that lead to root access.

CVE-2026-20131 is caused by "insecure deserialization of a user-supplied Java byte stream," Cisco said. An attack would start with a serialized Java object sent to the web interface, with a path to arbitrary code execution and root privileges.  

Unpatched versions of Cisco Secure FMC are vulnerable regardless of configuration.

Firewall fiascos

The Cisco researchers behind the discoveries have been digging into its firewalls recently, and for good reason.

Cisco was approached by "multiple government agencies" in May 2025 about a series of attack attempts against devices running its firewall, which Cisco researchers linked to the ArcaneDoor attack campaign the year prior. In September and November 2025, Cisco released updates saying that firewall-related vulnerabilities were being targeted by attackers.

Keane O'Kelley, credited with CVE-2026-20131, was behind a disclosure in September (triggered by a support case) about various bits of Cisco kit being vulnerable to crafted HTTP. 

Brandon Sakai, who is behind CVE-2026-20079, most recently featured in a Cisco advisory in August – with a report on a flaw allowing unauthenticated, remote shell command execution via Cisco Secure Firewall Management Center.

Years of Cisco Catalyst SD-WAN exploitation

In February we learnt, via the Five Eyes agencies, that advanced persistent threat (APT) actors exploited vulnerabilities in a different Cisco product for years.

See also: Five Eyes issues urgent warning over Cisco SD-WAN 0day exploitation

In that case, apparently CVE-2026-20127, the intelligence agencies said "since 2023, at least one malicious cyber actor compromised Cisco SD-WANs via a previously unknown vulnerability."

That vulnerability allowed unauthenticated, remote attackers to escalate to admin privileges, with a chain leading to root. 

See also: Critical Cisco vulnerability exploited. No patch yet. Attackers gain persistence
