Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability

Act Now | 10 | cisco-sa-fmc-rce-NKhnULJh | Mar 4, 2026
Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) allows an unauthenticated, remote attacker to execute arbitrary Java code with root privileges on the appliance. The vulnerability exists due to insecure deserialization of a user-supplied Java byte stream. An attacker could send a crafted serialized Java object to the FMC management interface and achieve remote code execution. Cisco has released software updates to address this vulnerability. If the FMC management interface does not have public internet access, the attack surface is reduced.

What this means
What could happen
An unauthenticated attacker who can reach the FMC management interface could execute arbitrary code with root privileges on your firewall management appliance, potentially compromising all managed firewalls and network visibility across your organization.
Who's at risk
Any organization running Cisco Secure Firewall Management Center (FMC) appliances, regardless of industry. FMC is the centralized management platform for Cisco firewalls (ASA, FTD), so compromise affects firewall configurations, logging, and security policy across your entire firewall estate. This is critical for utilities, municipalities, hospitals, and any enterprise using Cisco firewall infrastructure.
How it could be exploited
An attacker sends a crafted serialized Java object to the FMC web management interface port (typically 443). The vulnerable deserialization code executes the attacker's payload with root privileges, giving the attacker complete control of the FMC appliance.
Prerequisites
  • Network access to the FMC management interface (web port, typically 443)
  • No valid credentials required
  • FMC management interface reachable from the attacker's network (internet or internal)
remotely exploitable | no authentication required | low complexity | critical severity (CVSS 10.0) | affects security appliance with organizational scope | potential for supply-chain impact if FMC is compromised
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product | Affected Versions | Fix Status
Secure Firewall Management Center (FMC) Appliances | All versions | Fix available
Remediation & Mitigation
Do now
HOTFIX: Apply the Cisco software update to Secure Firewall Management Center to patch the deserialization vulnerability
WORKAROUND: Restrict network access to the FMC management interface to only authorized administrative workstations and jump hosts using firewall rules or network segmentation
HARDENING: If the FMC management interface is currently internet-accessible, immediately move it behind a VPN or administrative access gateway
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Verify that only trusted staff can reach the FMC management port (443) over the network; use ACLs and firewall rules to enforce this
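
Detection aid (an added example, not part of the advisory and not Cisco detection content): a generic check for the Java serialization stream header in request bodies bound for the management interface, combined with the source-address restriction above. It matches any serialized Java stream rather than this specific vulnerability, and it assumes decrypted bodies are available from a proxy or capture point; the sample requests and the 10.20.0.0/24 admin subnet are constructed.

```python
import base64
import ipaddress
import re
from urllib.parse import unquote_to_bytes

# A Java serialization stream starts with STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
RAW_MAGIC = b"\xac\xed\x00\x05"
B64_CANDIDATE = re.compile(rb"rO0AB[A-Za-z0-9+/_-]{3,}")  # base64/base64url of the header
HEX_MAGIC = re.compile(rb"aced0005(?:[0-9a-f]{2}){2,}", re.I)

# Hypothetical admin jump-host subnet; replace with your authorized sources.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"src": "10.20.0.15", "body": b"username=admin&password=x"},
    {"src": "203.0.113.50", "body": RAW_MAGIC + b"sr\x00\x10ConstructedSample"},
    {"src": "198.51.100.7", "body": b"data=rO0ABXNyABBDb25zdHJ1Y3RlZA%3D%3D"},
]


def serialized_java_markers(body: bytes) -> list[str]:
    """Return the encodings in which a Java serialized stream header appears."""
    found = set()
    for data in (body, unquote_to_bytes(body)):  # also look behind %xx encoding
        if RAW_MAGIC in data:
            found.add("binary")
        if HEX_MAGIC.search(data):
            found.add("hex")
        for m in B64_CANDIDATE.finditer(data):
            # "rO0AB" also matches version bytes 0x04-0x07; decode to confirm 0x05.
            if base64.b64decode(m.group()[:8], altchars=b"-_").startswith(RAW_MAGIC):
                found.add("base64")
    return sorted(found)


def triage(requests, admin_nets=ADMIN_NETS):
    """List (source, markers, from_admin_net) for requests carrying a serialized stream."""
    alerts = []
    for req in requests:
        markers = serialized_java_markers(req["body"])
        if markers:
            src = ipaddress.ip_address(req["src"])
            alerts.append((req["src"], markers, any(src in net for net in admin_nets)))
    return alerts


if __name__ == "__main__":
    for src, markers, trusted in triage(SAMPLE_REQUESTS):
        print(f"{src}: serialized Java stream ({', '.join(markers)}); admin source: {trusted}")
```

A hit from a source outside the authorized admin networks also shows that the access restriction is not being enforced at that capture point.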