CISCO has patched two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) that could allow attackers to gain root access to managed firewalls. The issues are CVE-2026-20079, a authentication bypass with a CVSS score of 10.0, and CVE-2026-20131, a remote code execution flaw also rated 10.0, both affecting the web interface of Cisco Secure FMC.
The authentication bypass could let unauthenticated remote attackers bypass authentication and execute scripts to obtain root access, while the RCE flaw results from insecure Java deserialization and could let an attacker run arbitrary code as root by sending a crafted serialized object. According to Cisco Security Advisory, there are no workarounds for these flaws and the company PSIRT is not aware of any public disclosure or active exploitation.
The FMC vulnerability set also extends to Cisco Security Cloud Control (SCC) Firewall Management for CVE-2026-20131. Follow-up guidance from Cisco emphasises that exploiting these would elevate privileges to root on affected devices.