Full Report
Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution. Cisco Secure Firewall Management Center (FMC) is a centralized management platform for Cisco firewalls. Cisco Secure Firewall Adaptive Security Appliance (ASA) Software is the core operating system that powers the Cisco ASA family of firewalls. Cisco Secure Firewall Threat Defense (FTD) is a unified software image for Cisco Firepower appliances that combines ASA firewall functionality with Snort IPS, URL filtering, and advanced malware protection (AMP). Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution as root, which may lead to the complete compromise of the affected device.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Cisco Secure Firewall Management Center and ASA/FTD Software
## CVE Details
- **CVE ID:** CVE-2026-20079, CVE-2026-20131 (Primary RCE flaws); CVE-2026-20101, CVE-2026-20103, CVE-2026-20100, CVE-2026-20105, CVE-2026-20106, CVE-2026-20039 (Secondary DoS flaws).
- **CVSS Score:** Up to 10.0 (Critical)
- **CWE:** CWE-502 (Insecure Deserialization), Improper System Process Creation.
## Affected Systems
- **Products:**
  - Cisco Secure Firewall Management Center (FMC)
  - Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
  - Cisco Secure Firewall Threat Defense (FTD) Software
- **Versions:**
  - FMC: Versions prior to 10.0.1
  - ASA: Versions prior to 9.23.1.26
  - FTD: Versions prior to 7.7.11
- **Configurations:** Web-based management interface enabled (FMC); Remote Access SSL VPN, HTTP management, or MUS functionalities enabled (ASA/FTD).
## Vulnerability Description
The most critical vulnerabilities reside in the **Cisco FMC web interface**:
1. **CVE-2026-20079:** An improper system process created at boot time allows unauthenticated attackers to bypass authentication and execute script files via crafted HTTP requests.
2. **CVE-2026-20131:** Insecure deserialization of user-supplied Java byte streams allows unauthenticated attackers to execute arbitrary Java code.

Additional vulnerabilities in **ASA and FTD** involve memory exhaustion and logic errors in the Remote Access SSL VPN and Lua interpreter components, leading to unexpected reloads or Denial of Service (DoS) conditions.
## Exploitation
- **Status:** Not exploited in the wild (as of advisory date); no public PoC currently reported.
- **Complexity:** Low (for RCE via web interface).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Total (Root access to underlying OS).
- **Integrity:** Total (Ability to modify system files and configurations).
- **Availability:** Total (Complete compromise or persistent Denial of Service).
## Remediation
### Patches
Cisco has released the following software updates to address these vulnerabilities:
- **Cisco FMC:** Upgrade to version **10.0.1** or later.
- **Cisco ASA:** Upgrade to version **9.23.1.26** or later.
- **Cisco FTD:** Upgrade to version **7.7.11** or later.
### Workarounds
No specific workarounds were provided in the advisory for the RCE vulnerabilities. It is strongly recommended to restrict access to management interfaces to trusted internal networks only.
## Detection
- **Indicators of Compromise:** Monitor for unusual HTTP POST requests to the FMC web management interface. Look for unauthorized script execution or unfamiliar Java-related processes running under the `root` user.
- **Detection Methods:** Review system logs for unexpected device reboots (DoS) or memory exhaustion alerts in ASA/FTD appliances.
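
One way to triage requests captured in front of the FMC management interface for two signals tied to this advisory: a source outside the trusted management networks, and a POST body carrying a Java serialization header (relevant to CVE-2026-20131). This is an added example, not code from Cisco or the advisory; the record fields, `TRUSTED_MGMT_NETS` and the sample records are assumptions constructed for illustration, and it presumes a reverse proxy or packet capture that records request bodies.

```python
import base64
import ipaddress

# Assumption: the networks allowed to reach the FMC management interface.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Java serialization streams start with STREAM_MAGIC (0xACED) + version (0x0005).
JAVA_MAGIC = bytes.fromhex("aced0005")
# The same header base64-encoded from offset 0; other alignments are not caught.
JAVA_MAGIC_B64 = b"rO0AB"

def has_java_stream(body: bytes) -> bool:
    """True if the body carries a raw or base64-encoded Java stream header."""
    return JAVA_MAGIC in body or JAVA_MAGIC_B64 in body

def triage(record: dict) -> list:
    """Return the findings for one captured request (hypothetical record shape)."""
    findings = []
    src = ipaddress.ip_address(record["src_ip"])
    if not any(src in net for net in TRUSTED_MGMT_NETS):
        findings.append("untrusted-source")
    if record["method"] == "POST" and has_java_stream(record["body"]):
        findings.append("java-serialized-body")
    return findings

# Constructed sample records; the payload bytes are filler, not a real object.
FILLER = JAVA_MAGIC + b"constructed-sample-bytes"
SAMPLE_RECORDS = [
    {"src_ip": "10.20.0.15", "method": "POST", "body": b"user=admin&action=save"},
    {"src_ip": "203.0.113.7", "method": "GET", "body": b""},
    {"src_ip": "203.0.113.7", "method": "POST", "body": FILLER},
    {"src_ip": "10.20.0.15", "method": "POST", "body": base64.b64encode(FILLER)},
]

def scan(records):
    """Map record index to findings, keeping only records with at least one."""
    return {i: f for i, r in enumerate(records) if (f := triage(r))}

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_RECORDS).items():
        print(index, SAMPLE_RECORDS[index]["src_ip"], findings)
```

The five-character base64 prefix can occur by chance in unrelated encoded data, so treat a `java-serialized-body` hit as a lead to review alongside the source address rather than as confirmation.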
## References
- hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-2026
- hxxps[://]sec[.]cloudapps[.]cisco[.]com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-vpn-dos
- hxxps[://]portal[.]cisecurity[.]org/advisory/2026-018