And CVE-2026-20131 is described thus: “An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”
There are no workarounds for either of these vulnerabilities, Cisco said. However, for CVE-2026-20131, it noted, “If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.”
In short, if they can’t patch right now, admins should ensure that the FMC management interface is not exposed to the internet until that happens.
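One way to verify that advice holds in practice is to test reachability of the FMC management port from a vantage point that should not be able to reach it (a cloud VM or a home connection, not the admin VLAN). The script below is an added example and not Cisco tooling or part of any advisory; the hostnames in the inventory are hypothetical placeholders, and the port is assumed to be the standard HTTPS port 443 the FMC web UI listens on.

```python
"""Exposure check for FMC management interfaces.

Added example (not Cisco code). Run it from OUTSIDE the network that is
allowed to manage the FMC. Any host whose management port completes a TCP
handshake is reachable from that vantage point and should be firewalled
until the patch is applied. Hostnames below are hypothetical.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# Hypothetical inventory: the FMC appliances an admin expects to be internal-only.
FMC_HOSTS: List[Tuple[str, int]] = [
    ("fmc-01.example.internal", 443),
    ("fmc-02.example.internal", 443),
]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake means the port is exposed to whoever runs this
    check. A refused, filtered (timed-out) or unresolvable host counts as
    not reachable from here; socket.gaierror is a subclass of OSError.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(hosts: Iterable[Tuple[str, int]], timeout: float = 3.0) -> Dict[str, bool]:
    """Map 'host:port' -> True when the management port is reachable."""
    return {f"{host}:{port}": tcp_reachable(host, port, timeout) for host, port in hosts}


def exposed_hosts(report: Dict[str, bool]) -> List[str]:
    """The subset of the report that needs attention (reachable from here)."""
    return sorted(target for target, exposed in report.items() if exposed)


def listen_locally() -> Tuple[socket.socket, int]:
    """Open a loopback listener on an ephemeral port (used for self-testing).

    Caller must close the returned socket; after close() the same port
    refuses connections, which is the 'not exposed' case.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    report = exposure_report(FMC_HOSTS)
    for target, exposed in report.items():
        status = "EXPOSED - restrict access until patched" if exposed else "not reachable from here"
        print(f"{target}: {status}")
    # Non-zero exit makes the check usable as a gate in a cron job or pipeline.
    raise SystemExit(1 if exposed_hosts(report) else 0)
```

A completed handshake is the only signal this needs: the point is not whether the web UI answers, but whether the management port is reachable at all from a network that should be blocked. Run it from several external vantage points, since a single cloud range may itself be whitelisted.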
Other vulnerabilities
Of the remaining flaws, a further six are rated ‘high’, with CVSS scores of between 7.2 and 8.6. These include the Firewall Management Center SQL injection vulnerabilities CVE-2026-20001, CVE-2026-20002, and CVE-2026-20003, all remotely exploitable by an authenticated attacker. Again, no workarounds are available.
CVE-2026-20039, rated 8.6 (within the ‘high’ band), is a flaw in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software which could allow an unauthenticated attacker to induce a denial of service condition.
Additionally, CVE-2026-20082, also rated 8.6, could allow an unauthenticated attacker to cause incoming TCP SYN packets to be dropped incorrectly in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software.
