And CVE-2026-20131 is described thusly: “An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”
There are no workarounds for either if these vulnerabilities, Cisco said. However, for CVE-2026-20131, it noted, “If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.”
In short, if they can’t patch right now, admins should ensure that the FMC is not exposed until that happens.
Other vulnerabilities
Of the remaining flaws, a further six are rated ‘high’, with CVSS scores of between 7.2 and 8.6. These include the Firewall Management Center SQL injection vulnerabilities CVE-2026-20001, CVE-2026-20002, and CVE-2026-20003, all remotely exploitable by an authenticated attacker. Again, no workarounds are possible.
CVE-2026-20039, rated 8.6 (‘critical’), is a flaw affecting the VPN web server in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software which could allow an unauthenticated attacker to induce a denial of service state.
Additionally, CVE-2026-20082, also rated 8.6, could allow an unauthenticated attacker to cause incoming TCP SYN packets to be dropped incorrectly in the Cisco Secure Firewall Adaptive Security Appliance (ASA) Software.
