Cisco has handed security teams one of the largest ever patching workloads affecting its firewall products, including fixes for two ‘perfect 10’ vulnerabilities in the company’s Secure Firewall Management Center (FMC) Software.
Overall, the March 4 release, the first of its semiannual firewall updates for 2026, addresses 25 security advisories covering 48 individual CVEs.
The biggest concerns will be the FMC flaws, CVE-2026-20079 and CVE-2026-20131, the first an authentication bypass and the second an insecure deserialization flaw. Both are rated ‘critical’ with the maximum CVSS score of 10.
Both weaknesses sit in the platform’s web-based management interface and could give an unauthenticated remote attacker root access. That combination makes them prime targets for attackers who reverse engineer the patched binaries to work out the underlying flaws.
Neither has yet been reported as exploited in the wild, but given the level of access on offer, attackers can be expected to move quickly once a working exploit is in hand.
Cisco said of CVE-2026-20079: “An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.”
And CVE-2026-20131 is described thusly: “An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”
There are no workarounds for either of these vulnerabilities, Cisco said. However, for CVE-2026-20131, it noted, “If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.”
In short, if they can’t patch right now, admins should ensure that the FMC management interface is not reachable from the internet until they can.
Other vulnerabilities
Of the remaining flaws, a further six are rated ‘high’, with CVSS scores of between 7.2 and 8.6. These include the Firewall Management Center SQL injection vulnerabilities CVE-2026-20001, CVE-2026-20002, and CVE-2026-20003, all remotely exploitable by an authenticated attacker. Again, Cisco lists no workarounds.
CVE-2026-20039, rated 8.6 (‘high’), is a flaw in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software which could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition.
Additionally, CVE-2026-20082, also rated 8.6, could allow an unauthenticated attacker to cause incoming TCP SYN packets to be dropped incorrectly in the Cisco Secure Firewall Adaptive Security Appliance (ASA) Software.
The procedure for patching the flaws addressed in the March update varies depending on the software version installed. Cisco recommends using its software checker to determine the appropriate update. Alternatively, admins can consult the tables in the Cisco Secure Firewall Threat Defense Compatibility Guide.
Déjà vu
Critical-rated flaws and zero days have become a regular occurrence in Cisco patching rounds over the last couple of years, to the point where each firewall release is now treated by many security teams as an emergency event in its own right.
Security teams will be reminded of last September’s emergency patches addressing similar web services flaws affecting Cisco’s Secure Firewall Adaptive Security Appliance (ASA) VPN and Cisco Secure Firewall Threat Defense (FTD) software.
Of these, CVE-2025-20333 and CVE-2025-20362 were under zero-day exploitation, while the third, CVE-2025-20363, was seen as being under imminent threat. The attacks were serious enough that Cisco published an “event response” bulletin providing more detail on reported exploits and indicators of compromise.