Cisco has published security updates to fix two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software, the console that administrators use via web or SSH to manage firewalls, application policies, intrusion prevention, URL filtering and advanced malware protection. Both flaws can be exploited remotely and without authentication, so patching is a high priority.
The first flaw, tracked as CVE-2026-20079, allows an attacker to bypass authentication controls and gain root access to the underlying operating system by manipulating HTTP requests. The second, CVE-2026-20131, is a remote code execution vulnerability that exploits the deserialization of Java objects in the web interface, allowing arbitrary code execution with root privileges. Both flaws could, in theory, let an attacker execute commands or scripts that would completely compromise the affected device.

In addition to the on-premises Secure FMC software, CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management, the cloud variant of policy management. Cisco has published the official fixes and recommendations in its security advisories and, for now, its Product Security Incident Response Team (PSIRT) has found no evidence of active exploitation or of publicly available proof-of-concept code. The technical information and mitigation instructions are available on the Cisco advisories page: list of publications and patches.
This announcement comes amid continuous activity: Cisco has recently released patches for other vulnerabilities, and in previous months had already fixed maximum-severity flaws in different products, some of them exploited as zero-days. The frequency of these fixes is a reminder that teams that manage critical infrastructure must maintain very strict policies for patching and for segmenting access to management interfaces.
From an operational perspective, the first and most obvious measure is to apply the updates published by Cisco as soon as possible. If the update cannot be applied immediately for operational reasons, restrict access to the FMC management interface to trusted management networks only, using access control lists, VPN tunnels and firewall rules that limit the origin of connections. It is also advisable to enable and review detailed access logs and alerts to detect suspicious HTTP requests or deserialization attempts that may indicate exploitation.
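
One way to carry out the log review described above, as an added example that is not Cisco's code or part of the original article: a triage pass that flags requests from outside the management networks and request targets carrying the Java serialization stream header. The log format, paths, network ranges and sample lines are constructed assumptions, and access logs only capture the request line, so request bodies need a proxy or WAF log.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed management networks (constructed; replace with your own ranges).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24"),
             ipaddress.ip_network("192.0.2.0/28")]

# Java serialization streams start with bytes AC ED 00 05, which appear as
# base64 "rO0AB" (case-sensitive) or as hex / percent-encoded text.
JAVA_SER = re.compile(r"rO0AB|(?i:aced0005)|(?i:%ac%ed%00%05)")

# Constructed combined-log-style line: src - - [ts] "METHOD target PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def triage(lines, mgmt_nets=MGMT_NETS):
    """Return (line_number, reasons) for every line that needs a human look."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            findings.append((n, "unparsed"))
            continue
        src, _ts, _method, target, _status = m.groups()
        reasons = []
        try:
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in mgmt_nets):
                reasons.append("source-outside-mgmt")
        except ValueError:
            reasons.append("bad-source")
        # Check the raw target and its URL-decoded form, so a marker hidden
        # behind percent-encoding is still caught.
        if JAVA_SER.search(target) or JAVA_SER.search(unquote(target)):
            reasons.append("java-serialized-marker")
        if reasons:
            findings.append((n, ",".join(reasons)))
    return findings

# Constructed sample lines; the paths are placeholders, not real FMC endpoints.
SAMPLE = [
    '10.20.0.15 - - [01/Jan/2026:10:00:00 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /login HTTP/1.1" 200 512',
    '10.20.0.15 - - [01/Jan/2026:10:00:09 +0000] "POST /api?state=rO0ABXNyAA HTTP/1.1" 500 0',
    '203.0.113.9 - - [01/Jan/2026:10:00:12 +0000] "POST /api?d=%72O0ABXQ HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for lineno, why in triage(SAMPLE):
        print(f"line {lineno}: {why}")
```

A hit on the source check means the access restriction is not in force for that path; a hit on the marker is a lead to investigate, not proof of exploitation.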

Risk management does not end with the patch: review the credentials and keys used by the system, rotate them if in doubt, and validate the integrity of configurations and backups before and after the update. For those who want to go deeper into good practice for patch management and vulnerability response, reference documents such as the NIST patch management guide provide a solid framework: NIST SP 800-40r3.
If you need to check the technical detail of each flaw, the CVE entries in public databases provide additional information and cross-references. Links to the NVD entries: NVD - CVE-2026-20079 and NVD - CVE-2026-20131.
In short, if your organization uses Secure FMC or SCC Firewall Management, make these updates an operational priority. Keeping devices up to date, limiting access to management consoles and actively monitoring the environment significantly reduce the likelihood that a vulnerability will become a security breach with greater impact.