CVE-2026-20079
Published: 04 March 2026
Summary
CVE-2026-20079 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Cisco Secure Firewall (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software stems from an improper system process created at boot time. The flaw, tracked as CVE-2026-20079 and assigned CWE-288, permits an unauthenticated remote attacker to bypass authentication controls and execute arbitrary script files, ultimately obtaining root access to the underlying operating system. It carries a maximum CVSS 3.1 score of 10.0, reflecting a network attack vector, low complexity, and full impact across confidentiality, integrity, and availability in a changed scope.
An attacker can exploit the issue by sending crafted HTTP requests to an affected FMC device. Successful exploitation allows execution of a variety of scripts and commands that grant full root privileges on the host operating system without any prior authentication or user interaction.
The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2 addresses the issue and is the primary source for mitigation guidance and patch availability.
EPSS for the CVE rose from a lower baseline to a peak of 0.2102 with a current value of 0.1114, indicating emerging exploitation interest after disclosure that warrants renewed attention from defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9438
Vulnerability details
A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system.
This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote attackers to exploit the public-facing web interface (T1190) for arbitrary script execution and root access, directly facilitating exploitation for privilege escalation (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces authentication and authorization decisions on the FMC web interface, blocking the unauthenticated crafted HTTP requests that bypass login to obtain root access.
Requires timely application of vendor patches that eliminate the improper boot-time process (CWE-288) enabling the authentication bypass and arbitrary script execution.
Mandates secure remote-access mechanisms and additional authentication controls for the FMC web interface, limiting exposure to the unauthenticated network attack vector.