A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.
The vulnerability results from unsafe deserialization of a Java byte stream supplied by the user (CWE-502). The attacker sends a crafted, serialized Java object to the management web interface of the vulnerable device. The lack of authentication required to perform the attack and the absence of network restrictions (if the interface is accessible from the internet) make exploitation exceptionally simple. Successful exploitation of the vulnerability leads to arbitrary code execution and privilege escalation to root level.
Attackers gain full control of the device with root privileges, enabling execution of arbitrary commands, theft of configuration data, modification of firewall security policies, and potential lateral movement in the victim's network.
Patches available from the vendor must be applied immediately in accordance with the official Cisco Security Advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh). As an interim measure to reduce attack surface, ensure that the FMC management interface is not accessible from the public internet — according to the vendor's recommendation, this limits exploitation risk.
Cisco Secure Firewall Management Center (FMC) Software — specific versions indicated in vendor references (Cisco Security Advisory cisco-sa-fmc-rce-NKhnULJh)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCisco Secure Firewall Management Center
APPCisco10.0.06.4.0.136.4.0.146.4.0.156.4.0.166.4.0.176.4.0.187.0.07.0.0.17.0.17.0.1.17.0.27.0.2.17.0.37.0.4+ 56 więcej
CISA KEV — detailsi
- Vendori
- Cisco ↗
- Producti
- Secure Firewall Management Center (FMC)
- Added to KEVi
- March 19, 2026
- Remediation deadline (US Federal)i
- March 22, 2026(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
Related vulnerabilities
RCE przez RADIUS w Cisco Secure Firewall Management Center
Command injection w Cisco Secure Firewall Management Center — RCE jako root
A vulnerability in the web services interface of Cisco Firepower Management Center (FMC) Software could allow ...
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow a...
Multiple vulnerabilities in Cisco Firepower Management Center (FMC) Software and Cisco Firepower User Agent So...