Week 10 – A Bitter Cup of Java: CVSS 10 RCE in Cisco FMC

02 – 08 Mar 2026

Our CVE of the Week is about Cisco Secure Firewall Management Center (FMC) Software, which is an administrative nerve center for managing critical Cisco network security solutions.

A critical vulnerability, CVE-2026-20131, has been found with a CVSS score of 10.

A vulnerability was found in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.

This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.
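As an added illustration of the bug class described above (not code from Cisco or the advisory), the check below scans HTTP request bodies for the Java serialization stream header, either raw or base64-encoded, which is the kind of signal a WAF or IDS rule in front of a management interface would key on. The request IDs, paths and bodies are constructed samples.

```python
import base64
import re
from dataclasses import dataclass

# Java serialization stream header: STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005), per the Java Object Serialization specification.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# A run of base64 alphabet characters long enough to hold the encoded header.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


@dataclass(frozen=True)
class Finding:
    request_id: str
    path: str
    encoding: str  # "raw" or "base64"
    offset: int    # byte offset of the header (or base64 token) in the body


def find_java_serialized(request_id: str, path: str, body: bytes) -> list[Finding]:
    """Return a Finding for each Java serialization stream header found in body."""
    findings = []
    idx = body.find(JAVA_SER_MAGIC)
    if idx != -1:
        findings.append(Finding(request_id, path, "raw", idx))
    for m in B64_TOKEN.finditer(body):
        # Decode only the first 8 characters (6 bytes): enough to cover the
        # 4-byte header without depending on the token's trailing padding.
        head = base64.b64decode(m.group(0)[:8])
        if head.startswith(JAVA_SER_MAGIC):
            findings.append(Finding(request_id, path, "base64", m.start()))
    return findings


# Constructed sample request bodies (not captured traffic); the "payload" is
# just the header followed by filler bytes.
SAMPLE_REQUESTS = [
    ("req-1", "/login", b"username=admin&password=hunter2"),
    ("req-2", "/api/upload", JAVA_SER_MAGIC + b"sr\x00\x10java.util.HashMap"),
    ("req-3", "/api/session",
     b'{"state":"' + base64.b64encode(JAVA_SER_MAGIC + b"sr\x00\x05") + b'"}'),
    ("req-4", "/static/app.js", b"var token = 'rO0AAAAAAAAAAAAA';"),  # similar prefix, not a header
]


def scan(requests=SAMPLE_REQUESTS) -> list[Finding]:
    return [f for rid, path, body in requests for f in find_java_serialized(rid, path, body)]


if __name__ == "__main__":
    for f in scan():
        print(f"{f.request_id} {f.path}: Java serialization header ({f.encoding}) at offset {f.offset}")
```

A hit on a management endpoint that should never receive serialized Java objects is worth an alert on its own; a hit from outside the management network is a stronger one.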

A related vulnerability, CVE-2026-20079, could allow an attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system. An attacker could exploit it by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that grant root access to the device.

How could this affect our system?

An attacker could steal sensitive information, take control of the software, modify firewall rules, open backdoors, and disable other protection functions.

Cisco also notes that if the FMC management interface is not reachable from the public internet, the attack surface associated with this vulnerability is reduced.

What can we do against it?

Cisco has already published the security advisory and patches on its website; you can find it here and follow the instructions: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh#fs

White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.