root access to the device.”

CVE-2026-20131 is described as follows: “An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”

There are no workarounds for either of these vulnerabilities, Cisco said. However, for CVE-2026-20131, it noted, “If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.”

In short, admins who cannot patch right now should make sure the FMC management interface is not reachable from the internet until they can.

Of the remaining flaws, a further six are rated ‘high’, with CVSS scores of between 7.2 and 8.6. These include the Firewall Management Center SQL injection vulnerabilities CVE-2026-20001, CVE-2026-20002, and CVE-2026-20003, all remotely exploitable by an authenticated attacker. Again, no workarounds are available.

CVE-2026-20039, rated 8.6 (‘high’), is a flaw in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software that could allow an unauthenticated attacker to cause a denial of service condition.

Additionally, CVE-2026-20082, also rated 8.6, could allow an unauthenticated attacker to cause incoming TCP SYN packets to be dropped incorrectly by Cisco Secure Firewall Adaptive Security Appliance (ASA) Software.

The procedure for patching the flaws addressed in the March update varies depending on the software version installed. Cisco recommends using its software checker to determine the appropriate update. Alternatively, admins can consult the tables in the Cisco Secure Firewall Threat Defense Compatibility Guide.
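The CVE-2026-20131 description above is the classic untrusted Java deserialization pattern: the server calls `readObject()` on bytes a client controls, so any `readObject` hook in a class already on the classpath runs before the application sees the result. The following is an added illustration of that class of bug and the standard mitigation (a JEP 290 deserialization filter). It is not Cisco's code, and says nothing about how FMC is actually implemented; the `Session` and `Gadget` classes, the filter pattern and the payload are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    /** The one type the endpoint legitimately expects (constructed for this demo). */
    public static final class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        Session(String user) { this.user = user; }
    }

    /**
     * Stand-in for a gadget class: its readObject runs while the stream is being
     * deserialized, before the application ever inspects the result. Real gadget
     * chains use classes already on the classpath; this one just records that it ran.
     */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean sideEffectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffectRan = true; // in an exploit this is where attacker code executes
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: readObject() on whatever bytes the client sent. */
    static Object unsafeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened pattern: an allow-list filter (Java 9+) that accepts only the expected
     * class and rejects every other class descriptor before any readObject can run.
     * "!*" rejects everything not matched by an earlier pattern; maxdepth bounds
     * object-graph nesting.
     */
    static Object safeRead(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$Session;java.lang.String;maxdepth=5;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(allowList);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Session("admin"));
        byte[] hostile = serialize(new Gadget()); // constructed "crafted serialized Java object"

        System.out.println("filtered read of legitimate object: user=" + ((Session) safeRead(legit)).user);

        unsafeRead(hostile);
        System.out.println("unfiltered read ran gadget code: " + Gadget.sideEffectRan);

        Gadget.sideEffectRan = false;
        try {
            safeRead(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected gadget: " + e.getMessage());
        }
        System.out.println("gadget code ran under filter: " + Gadget.sideEffectRan);
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The unfiltered read executes the gadget's `readObject` even though the application never casts or uses the object; the filtered read throws `InvalidClassException` at class-resolution time, so the gadget never runs. A filter is defence in depth: the durable fix for an endpoint like this is to stop accepting serialized Java objects from the network at all, and the same allow-list can be applied process-wide with the `jdk.serialFilter` system property rather than per stream.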
Déjà vu: Critical-rated flaws and zero days have become a regular occurrence in Cisco patching rounds over the last couple of years, to the point that each round is now almost an event in itself.

Security teams will be reminded of last September’s emergency patches addressing similar web services flaws affecting Cisco’s Secure Firewall Adaptive Security Appliance (ASA) VPN and Cisco Secure Firewall Threat Defense (FTD) software. Of these, CVE-2025-20333 and CVE-2025-20362 were under zero-day exploitation, while the third, CVE-2025-20363, was seen as being under imminent threat. The attacks were serious enough that Cisco published an “event response” bulletin providing more detail on reported exploits and indicators of compromise.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4141268/cisco-issues-emergency-patches-for-critical-firewall-vulnerabilities.html

