Full Report
Cisco security advisory (AV26-197)
Analysis Summary
# Vulnerability: Critical Flaws in Cisco Secure Firewall Management Center (FMC)
## CVE Details
- **CVE ID:** CVE-2026-20197 (Authentication Bypass) & CVE-2026-20198 (Remote Code Execution)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication) / CWE-94 (Code Injection)
## Affected Systems
- **Products:** Cisco Security Cloud Control (SCC) Firewall Management; Cisco Secure Firewall Management Center (FMC)
- **Versions:** All versions prior to the fixed releases indicated in the March 4, 2026 advisory.
- **Configurations:** Systems with web-based management interfaces accessible via the network.
## Vulnerability Description
The advisory covers two critical flaws. The first is an **Authentication Bypass** in the web-based management interface of the Cisco FMC: improper validation of tokens in the authentication framework lets a remote, unauthenticated attacker obtain full administrative access without valid credentials.
The second is a **Remote Code Execution (RCE)** vulnerability. Either by chaining the authentication bypass or by sending crafted HTTP requests to the management API, an attacker can execute arbitrary commands as root on the underlying operating system, which means a compromise of the FMC also exposes every managed firewall and the credentials it stores.
## Exploitation
- **Status:** No known exploitation in the wild at the time the advisory was released.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to device configuration and managed credentials)
- **Integrity:** High (Ability to modify security policies and system files)
- **Availability:** High (Potential for complete system takeover or device bricking)
## Remediation
### Patches
Cisco has released software updates to address these vulnerabilities. Upgrade to the fixed release for your software train, or later:
- **FMC Software Version 7.2.x:** Update to 7.2.11
- **FMC Software Version 7.4.x:** Update to 7.4.2.1
- **FMC Software Version 7.6.x:** Update to 7.6.1
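The fixed-release table above is easy to misread when versions carry a fourth digit (7.4.2 is vulnerable, 7.4.2.1 is fixed) or a build suffix. The following is an added example, not Cisco's tooling or anything from the advisory: it encodes the three trains listed in this summary and classifies a running version as vulnerable, fixed, or on a train this summary does not list (for which the Cisco advisory itself must be consulted). The host inventory and version strings are constructed for illustration.

```python
"""Classify running Cisco FMC versions against the fixed releases listed above."""
from __future__ import annotations

# Fixed releases per software train, taken from the Patches section of this summary.
# Trains not present here are reported as "not-listed" rather than guessed at.
FIXED_RELEASES: dict[tuple[int, int], tuple[int, ...]] = {
    (7, 2): (7, 2, 11),
    (7, 4): (7, 4, 2, 1),
    (7, 6): (7, 6, 1),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '7.4.1-172' or '7.2.11' into a tuple of ints, dropping any build suffix."""
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    """Right-pad with zeros so 7.4.2 compares as 7.4.2.0 against 7.4.2.1."""
    return v + (0,) * (n - len(v))


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'not-listed' for one FMC version string."""
    v = parse_version(version)
    if len(v) < 2:
        raise ValueError(f"version needs at least major.minor: {version!r}")
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        return "not-listed"  # train not covered by this summary; check the Cisco advisory
    width = max(len(v), len(fixed))
    return "vulnerable" if _pad(v, width) < _pad(fixed, width) else "fixed"


def hosts_needing_upgrade(inventory: dict[str, str]) -> list[str]:
    """Given hostname -> running version, list the hosts still below their fixed release."""
    return sorted(h for h, ver in inventory.items() if assess(ver) == "vulnerable")


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    inventory = {
        "fmc-dc1": "7.4.2",        # looks close to fixed but is below 7.4.2.1
        "fmc-dc2": "7.4.2.1",
        "fmc-lab": "7.2.10-58",
        "fmc-eu":  "7.6.1",
        "fmc-old": "7.0.6",        # train not in this summary
    }
    for host, ver in inventory.items():
        print(f"{host:8} {ver:12} {assess(ver)}")
    print("needs upgrade:", hosts_needing_upgrade(inventory))
```

Run it against an export of your FMC inventory; anything reported as `not-listed` is not cleared, it simply falls outside the trains this summary reproduces.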
### Workarounds
- **Access restriction:** Limit who can reach the FMC management interface (HTTPS, TCP 443) to trusted management networks and VPN address ranges, using the FMC's own access list (System > Configuration > Access List) and an upstream firewall ACL.
- **No Internet exposure:** Verify from outside your perimeter that the FMC management interface is not reachable from the public Internet.
- **Caveat:** These measures only shrink the attack surface. Because the bypass requires no credentials, any host that can still reach TCP 443 on the FMC can exploit it, so treat them as interim controls until the fixed release is installed.
## Detection
- **Indicators of Compromise:** In the FMC audit logs, look for administrative logins from source addresses outside your management networks, for "System > Configuration" changes or policy deployments that have no preceding successful login from the same user and source (consistent with an authentication bypass), and for unexpected shell access or newly enabled shell access.
- **Detection Methods:** Identify unpatched assets by comparing each FMC's running version with the fixed releases above, or with a vulnerability scanner whose definitions include the March 2026 Cisco advisories.
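To make the audit-log checks above concrete, here is an added example (not Cisco code, not part of the advisory) that runs them over a handful of constructed log lines. The field layout `time | user | source | subsystem | message`, the message strings, and the trusted management networks are all assumptions for illustration; a real FMC audit export has its own layout, so `parse_line()` is the one function to adapt. The "action without prior login" rule is a heuristic pointer toward the authentication bypass, not proof of it.

```python
"""Triage constructed FMC audit-log lines for signs of unauthorised administrative access."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Assumption: legitimate management access only comes from these networks.
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]

# Constructed sample lines in a hypothetical "time | user | source | subsystem | message" layout.
SAMPLE_AUDIT_LINES = [
    "2026-03-05T01:58:12Z | admin      | 10.10.4.21   | Login                  | Login Success",
    "2026-03-05T02:01:40Z | admin      | 10.10.4.21   | System > Configuration | Access List modified",
    "2026-03-05T02:14:07Z | admin      | 203.0.113.45 | Login                  | Login Success",
    "2026-03-05T02:15:30Z | admin      | 203.0.113.45 | System > Configuration | Shell access enabled",
    "2026-03-05T02:22:09Z | svc_backup | 198.51.100.8 | Policies               | Access control policy deployed",
]


@dataclass(frozen=True)
class AuditEvent:
    time: str
    user: str
    source_ip: str
    subsystem: str
    message: str


def parse_line(line: str) -> AuditEvent | None:
    """Split one pipe-delimited line; return None for lines that do not fit the layout."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        return None
    return AuditEvent(*parts)


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source: never treat as trusted
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def triage(lines: Iterable[str]) -> list[tuple[str, AuditEvent]]:
    """Return (finding-kind, event) pairs for lines that match one of three rules.

    1. Successful login from outside the trusted management networks.
    2. Administrative action by a user/source pair that never logged in successfully
       earlier in the window (a bypass leaves no matching login event).
    3. "System > Configuration" change from an untrusted source.
    """
    seen_logins: set[tuple[str, str]] = set()
    findings: list[tuple[str, AuditEvent]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.user, ev.source_ip)
        if ev.subsystem == "Login":
            if "success" in ev.message.lower():
                seen_logins.add(key)
                if not is_trusted(ev.source_ip):
                    findings.append(("login-from-untrusted-source", ev))
            continue
        if key not in seen_logins:
            findings.append(("action-without-prior-login", ev))
        if ev.subsystem == "System > Configuration" and not is_trusted(ev.source_ip):
            findings.append(("config-change-from-untrusted-source", ev))
    return findings


if __name__ == "__main__":
    for kind, ev in triage(SAMPLE_AUDIT_LINES):
        print(f"{kind:36} {ev.time} {ev.user}@{ev.source_ip}: {ev.message}")
```

Feed it the whole retention window, not just the last hour: rule 2 can only see a login that is inside the lines it reads, so a session that started before the window will be flagged spuriously.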
## References
- Cisco Advisory (Auth Bypass): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2
- Cisco Advisory (RCE): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
- Canadian Centre for Cyber Security Bulletin: https://www.cyber.gc.ca/en/alerts-advisories/cisco-security-advisory-av26-197