
Cisco addresses 48 firewall vulnerabilities, including two critical FMC findings

Cisco has released updates to address 48 vulnerabilities across its firewall ecosystem, prioritizing two critical flaws in the Secure Firewall Management Center (FMC). Organizations are advised to apply the latest software versions to safeguard their network perimeters and prevent unauthorized access.

Triage Security Media Team

Cisco has documented 48 vulnerabilities in its firewall ecosystem, including two critical findings that require immediate attention.

The affected Cisco technologies include:

  • Adaptive Security Appliance (ASA), a traditional, stateful firewall
  • Secure FTD (Firewall Threat Defense), a firewall combining ASA with advanced network traffic analysis features
  • Secure Firewall Management Center (FMC), the centralized management system for the firewall and FTD products

Fixes are available for all 48 issues, and Cisco strongly recommends that organizations update to the latest software versions. The Netherlands Cyber Security Center (NCSC-NL) echoed this guidance in a March 4 security advisory, predicting that public proof-of-concept (PoC) inputs and widespread attempts to achieve unauthorized access may be imminent for the two critical bugs affecting the Secure FMC.

The disclosure includes nine high-severity findings based on the Common Vulnerability Scoring System (CVSS). These primarily consist of denial of service (DoS) conditions, along with SQL injection and unauthorized file access issues. The remaining 37 findings are categorized as medium severity and include additional DoS, command injection, and cross-site scripting (XSS) flaws.

Critical vulnerabilities in Cisco Secure FMC

While the volume of findings aligns with Cisco’s semi-annual disclosure schedule for these products, security teams should focus their immediate remediation efforts on the two vulnerabilities affecting the FMC web interface. Both findings carry a maximum CVSS severity score of 10.0.

The first, CVE-2026-20079, stems from a problematic system process created during boot time. By sending specifically tailored HTTP requests, unauthorized actors could bypass authentication and execute scripts and commands, granting them root access to the underlying operating system of the FMC.

The second, CVE-2026-20131, involves an insecure deserialization process. If a threat actor sends a specially crafted serialized Java object to the FMC's web-based management interface, they could remotely execute arbitrary code and potentially elevate their privileges to the root level.

Jeff Liford, associate director at Fenix24, notes that Cisco positions the FMC as the nerve center for unified firewall and threat management. Highlighting the severity, he compares these findings to a recent critical vulnerability in the Catalyst SD-WAN Controller (CVE-2026-20127) that was leveraged by sophisticated threat actors in targeted security incidents.

While unauthorized access to SD-WAN management affects enterprise routing between sites, Liford explains that unauthorized access to the FMC could allow a threat actor to undermine network security controls at a deeper level. A party with administrative access to the FMC could modify firewall rules, disable inspection controls, or push unsafe configurations across multiple devices simultaneously.

Securing the network edge

Targeting the network edge has been a recurring pattern since at least 2024, frequently driven by nation-state threat groups. These devices serve as highly effective entry points into enterprise environments.

Collin Hogue-Spears, senior director of solution management at Black Duck, explains that the return on a single management-plane access event exceeds what threat actors gain from numerous endpoint exposures, because the firewall does not just protect the network—it defines the network.

Vendors across the industry have faced ongoing challenges in securing edge infrastructure. Hogue-Spears points to data from VulnCheck indicating that more Known Exploited Vulnerabilities (KEVs) affected edge devices in 2025 than any other technology category. Similarly, Verizon's 2025 Data Breach Investigations Report (DBIR) recorded a near-eightfold increase in the zero-day targeting of edge devices in 2024 compared to 2023.

In February, the Cybersecurity and Infrastructure Security Agency (CISA) addressed this risk by issuing Binding Operational Directive (BOD) 26-02. The directive requires federal agencies to identify and remove all end-of-support firewall, router, and VPN gateways within 18 months.

"That directive did not come from theoretical risk modeling," Hogue-Spears notes. "It came from incident response data showing nation-state groups using Cisco, Fortinet, Palo Alto and Juniper devices as their primary initial access vector for two consecutive years."

Currently, many organizational security architectures lag behind this trend. Because most detection stacks rely on endpoint agents and SIEM correlation, edge devices often sit outside standard monitoring, generating independent logs and running opaque firmware that third-party tools cannot directly inspect.

To mitigate these risks, organizations are advised to run the Cisco Software Checker against their affected devices immediately and audit all edge infrastructure for outstanding vulnerabilities. Ensuring prompt updates and stringent access controls on management interfaces remains the most effective defense against unauthorized perimeter access.
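The two points above, that edge devices often sit outside the monitoring stack and that management interfaces need stringent access controls, can be joined in a small log-review check. The following is an added example written for this article; it is not Cisco code and not the article's own. The log lines are constructed in a generic syslog-like shape (real FMC or ASA messages use different formats, so the regex is an assumption to be adapted), and the management allowlist, hostnames, user names and action names are likewise assumed for illustration.

```python
"""Bring firewall-manager logs into monitoring: flag management-interface
access from outside an allowlisted admin network, and record configuration
pushes so they are visible to the SIEM.

Added example; not from the article or from Cisco. Log format, allowlist,
and action names are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed management allowlist: only admin jump hosts may reach the manager.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed sample lines in a generic key=value syslog shape (not real
# product output; adapt LINE_RE to the actual device format).
SAMPLE_LOGS = """\
Mar 05 08:01:12 fmc01 webui: user=admin src=10.10.50.7 action=login result=success
Mar 05 08:03:44 fmc01 webui: user=admin src=10.10.50.7 action=policy_deploy result=success
Mar 05 11:17:03 fmc01 webui: user=svc_backup src=203.0.113.45 action=login result=success
Mar 05 11:18:20 fmc01 webui: user=svc_backup src=203.0.113.45 action=policy_deploy result=success
Mar 05 12:40:09 fmc01 webui: user=root src=198.51.100.9 action=login result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) webui: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Assumed action names for changes that alter what the firewalls enforce.
# A party with manager access can push such changes fleet-wide, so every
# successful one is worth an audit record even from an allowlisted source.
SENSITIVE_ACTIONS = {"policy_deploy", "rule_change", "inspection_disable"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "info"
    ts: str
    host: str
    user: str
    src: str
    action: str
    reason: str


def src_allowed(src: str) -> bool:
    """True only if the source IP lies inside an allowlisted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(addr in net for net in MGMT_ALLOWLIST)


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def review_logs(text: str) -> list:
    """Review management-plane events and return findings worth forwarding."""
    findings = []
    for raw in text.splitlines():
        ev = parse_line(raw.strip())
        if ev is None:
            continue  # unrelated or malformed line
        common = (ev["ts"], ev["host"], ev["user"], ev["src"], ev["action"])
        if not src_allowed(ev["src"]):
            # Any management-interface contact from outside the allowlist is
            # high severity, whether or not the login succeeded.
            outcome = "successful" if ev["result"] == "success" else "attempted"
            findings.append(Finding("high", *common,
                                    f"{outcome} management access from outside allowlist"))
        elif ev["action"] in SENSITIVE_ACTIONS and ev["result"] == "success":
            # Legitimate source, but the change itself should reach the SIEM.
            findings.append(Finding("info", *common,
                                    "configuration change pushed from manager"))
    return findings


if __name__ == "__main__":
    for f in review_logs(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.ts} {f.host} user={f.user} src={f.src} "
              f"action={f.action}: {f.reason}")
```

Run against the constructed sample, the check produces three high findings (the two events from 203.0.113.45 and the failed root login from 198.51.100.9) and one informational record for the admin's policy deployment. The design choice is to treat allowlist violations as the primary signal, since the article's concern is unauthorized reach into the manager, while still recording every successful policy push so that a change made through a compromised manager leaves a trace outside the device itself.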
