Cyber Resilience

CVE-2026-20079

Critical

Published: 04 March 2026

Modified: 05 March 2026
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.3390 (98.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-20079 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Cisco Secure Firewall (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software stems from an improper system process created at boot time. The flaw, tracked as CVE-2026-20079 and assigned CWE-288, permits an unauthenticated remote attacker to bypass authentication controls and execute arbitrary script files, ultimately obtaining root access to the underlying operating system. It carries the maximum CVSS 3.1 score of 10.0, reflecting a network attack vector, low attack complexity, and full impact on confidentiality, integrity, and availability with a changed scope.

An attacker can exploit the issue by sending crafted HTTP requests to an affected FMC device. Successful exploitation allows execution of a variety of scripts and commands that grant full root privileges on the host operating system without any prior authentication or user interaction.

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2 addresses the issue and is the primary source for mitigation guidance and patch availability.

EPSS for the CVE rose from a lower baseline to a peak of 0.2102 with a current value of 0.1114, indicating emerging exploitation interest after disclosure that warrants renewed attention from defenders.

Vulnerability details

A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system.

This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability enables unauthenticated remote attackers to exploit the public-facing web interface (T1190) for arbitrary script execution and root access, directly facilitating exploitation for privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67998 (shared CWE-288)
CVE-2026-24206 (shared CWE-288)
CVE-2026-24359 (shared CWE-288)
CVE-2025-9967 (shared CWE-288)
CVE-2026-24207 (shared CWE-288)
CVE-2024-13446 (shared CWE-288)
CVE-2026-1618 (shared CWE-288)
CVE-2025-1671 (shared CWE-288)
CVE-2026-27390 (shared CWE-288)
CVE-2026-44574 (shared CWE-288)

Affected Assets

Cisco Secure Firewall (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly enforces authentication and authorization decisions on the FMC web interface, blocking the unauthenticated crafted HTTP requests that bypass login to obtain root access.

prevent: Requires timely application of vendor patches that eliminate the improper boot-time process (CWE-288) enabling the authentication bypass and arbitrary script execution.

AC-17 Remote Access (partial match)
prevent: Mandates secure remote-access mechanisms and additional authentication controls for the FMC web interface, limiting exposure to the unauthenticated network attack vector.
