Cisco Secure Firewall Management Center flaw lets remote attackers bypass login and reach root
Cisco warned that a critical bug in Cisco Secure Firewall Management Center (FMC) can let a remote attacker bypass authentication through the web interface and then execute scripts and commands that lead to root access. The issue is tracked as CVE-2026-20079 and carries a CVSS base score of 10.0.
Cisco says the vulnerability stems from an improperly created system process that starts at boot time. An attacker can trigger the bypass by sending crafted HTTP requests to the FMC management interface.
Cisco PSIRT says it has not seen active exploitation at the time of publication. That is reassuring, but it does not lower the urgency: the bug allows full device takeover by anyone who can reach the management interface.
What attackers can do
If an attacker exploits CVE-2026-20079 successfully, they can:
- bypass the FMC login flow
- execute script files and system commands
- gain root-level control of the underlying operating system
That access can expose firewall policies, credentials, logs, and managed device relationships, depending on how you use FMC in your environment.
Key facts
| Item | Details |
|---|---|
| CVE | CVE-2026-20079 |
| Product | Cisco Secure Firewall Management Center (FMC) Software |
| Attack type | Remote authentication bypass via web interface |
| Impact | Script execution leading to root access |
| Root cause | Improperly created system process that starts at boot time |
| Exploit status | Cisco PSIRT reports no known malicious use at publication time |
| Workarounds | None, according to Cisco; upgrading is the only remediation |
What Cisco confirmed about exposure
The issue affects on-premises FMC software releases regardless of device configuration, according to Cisco's advisory as cited in press reporting.
Security researchers also flagged a second CVSS 10.0 bug in the same March 2026 bundle, CVE-2026-20131, but CVE-2026-20079 stands out because it enables an authentication bypass path to root.
What to do now
- Upgrade FMC to a fixed release in your release train. Cisco has published updates and says upgrading is the only remediation, since no workarounds exist.
- Remove public internet access to the FMC management interface. This reduces your attack surface while you patch, but it is not a substitute for the upgrade.
- Use Cisco's Software Checker (or the compatibility tables, which CSO Online notes Cisco also recommends) to confirm the fixed version for your exact FMC release.
- Review exposure now. Inventory where FMC listens, what networks can reach it, and which admin paths allow access.
Fast triage checklist
| Check | How to verify |
|---|---|
| Is FMC reachable from the internet? | Review firewall rules, NAT, reverse proxies, and cloud security groups |
| Do you expose the management UI broadly inside the enterprise? | Check segmentation and admin jump paths |
| Are you on a fixed train? | Use Cisco Software Checker, then validate installed FMC version |
| Do you see abnormal HTTP activity against FMC? | Hunt for unusual requests to the management interface, especially from unfamiliar source IPs |
FAQ
What is CVE-2026-20079?
It is a critical Cisco FMC web interface flaw that can let an unauthenticated remote attacker bypass authentication and execute scripts that lead to root access.
Is it being exploited in the wild?
Cisco PSIRT said it was not aware of malicious use at the time of publication.
Are there workarounds?
Cisco says it has no workarounds for the issue, so you need to upgrade to a fixed release.
Does taking FMC off the internet help?
Yes. It reduces exposure immediately, but you still need to patch because internal access paths and lateral movement can still reach FMC.