MEDIUMCVE-2026-20044CVSS 6

CVE-2026-20044: Command Injection in Cisco Secure Firewall FMC

Platform

cisco

Component

cisco-secure-firewall-management-center-fmc

Fixed in

6.4.1

7.0.1

7.0.2

7.1.1

6.4.1

7.0.2

6.4.1

7.1.1

7.0.3

6.4.1

7.2.1

7.0.3

7.0.4

7.1.1

7.2.1

7.0.5

7.2.2

7.0.6

6.4.1

7.3.1

7.2.3

7.3.2

7.2.4

7.1.1

7.2.4

7.2.5

7.0.7

7.2.5

7.2.6

7.3.2

7.4.1

6.4.1

7.0.7

7.2.6

7.4.2

7.2.7

7.4.2

7.0.7

6.4.1

7.2.8

7.2.6

7.3.2

7.2.9

7.6.1

7.4.3

7.2.9

7.0.7

7.4.3

7.2.10

7.0.8

7.7.1

7.4.3

7.2.11

7.6.2

7.4.3

7.0.9

7.6.3

7.7.11

7.2.11

7.0.9

7.6.3

7.2.11

7.7.11

7.4.3

7.4.4

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2026-20044 describes a Command Injection vulnerability within the Cisco Secure Firewall Management Center (FMC) Software. This flaw allows an authenticated, local attacker to execute arbitrary commands with root privileges, potentially leading to complete system takeover. The vulnerability impacts FMC versions 6.4.0 through 7.7.10.1, and Cisco has released updates to address the issue.

Impact and Attack Scenarios

Successful exploitation of CVE-2026-20044 grants an attacker root access to the affected Cisco Secure Firewall Management Center. This level of access allows for complete control over the system, including the ability to install malware, modify configurations, steal sensitive data, and potentially pivot to other systems on the network. The ability to execute commands as root significantly expands the attack surface and increases the potential for widespread damage. Given the FMC's role in managing and configuring firewalls, a compromised FMC could lead to a complete breach of network security, allowing attackers to bypass firewall rules and gain access to internal resources.

Exploitation Context

CVE-2026-20044 was publicly disclosed on March 4, 2026. The vulnerability's impact stems from the ability to execute commands as root, similar to other privilege escalation vulnerabilities. Currently, there are no publicly available exploits, and it is not listed on the CISA KEV catalog. The EPSS score is pending evaluation, but the potential for root access suggests a medium to high probability of exploitation if a suitable exploit is developed and released.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureLow

EPSS

0.01% (3% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentcisco-secure-firewall-management-center-fmc

VendorCisco

Affected rangeFixed in

6.4.0.6 – 6.4.0.66.4.1

6.4.0.7 – 6.4.0.76.4.1

6.4.0.4 – 6.4.0.46.4.1

6.4.0.1 – 6.4.0.16.4.1

6.4.0.8 – 6.4.0.86.4.1

6.4.0.2 – 6.4.0.26.4.1

6.4.0.3 – 6.4.0.36.4.1

6.4.0.5 – 6.4.0.56.4.1

6.4.0 – 6.4.06.4.1

6.4.0.9 – 6.4.0.96.4.1

6.4.0.10 – 6.4.0.106.4.1

6.4.0.11 – 6.4.0.116.4.1

6.4.0.12 – 6.4.0.126.4.1

7.0.0 – 7.0.07.0.1

7.0.0.1 – 7.0.0.17.0.1

7.0.1 – 7.0.17.0.2

7.1.0 – 7.1.07.1.1

6.4.0.13 – 6.4.0.136.4.1

7.0.1.1 – 7.0.1.17.0.2

6.4.0.14 – 6.4.0.146.4.1

7.1.0.1 – 7.1.0.17.1.1

7.0.2 – 7.0.27.0.3

6.4.0.15 – 6.4.0.156.4.1

7.2.0 – 7.2.07.2.1

7.0.2.1 – 7.0.2.17.0.3

7.0.3 – 7.0.37.0.4

7.1.0.2 – 7.1.0.27.1.1

7.2.0.1 – 7.2.0.17.2.1

7.0.4 – 7.0.47.0.5

7.2.1 – 7.2.17.2.2

7.0.5 – 7.0.57.0.6

6.4.0.16 – 6.4.0.166.4.1

7.3.0 – 7.3.07.3.1

7.2.2 – 7.2.27.2.3

7.3.1 – 7.3.17.3.2

7.2.3 – 7.2.37.2.4

7.1.0.3 – 7.1.0.37.1.1

7.2.3.1 – 7.2.3.17.2.4

7.2.4 – 7.2.47.2.5

7.0.6 – 7.0.67.0.7

7.2.4.1 – 7.2.4.17.2.5

7.2.5 – 7.2.57.2.6

7.3.1.1 – 7.3.1.17.3.2

7.4.0 – 7.4.07.4.1

6.4.0.17 – 6.4.0.176.4.1

7.0.6.1 – 7.0.6.17.0.7

7.2.5.1 – 7.2.5.17.2.6

7.4.1 – 7.4.17.4.2

7.2.6 – 7.2.67.2.7

7.4.1.1 – 7.4.1.17.4.2

7.0.6.2 – 7.0.6.27.0.7

6.4.0.18 – 6.4.0.186.4.1

7.2.7 – 7.2.77.2.8

7.2.5.2 – 7.2.5.27.2.6

7.3.1.2 – 7.3.1.27.3.2

7.2.8 – 7.2.87.2.9

7.6.0 – 7.6.07.6.1

7.4.2 – 7.4.27.4.3

7.2.8.1 – 7.2.8.17.2.9

7.0.6.3 – 7.0.6.37.0.7

7.4.2.1 – 7.4.2.17.4.3

7.2.9 – 7.2.97.2.10

7.0.7 – 7.0.77.0.8

7.7.0 – 7.7.07.7.1

7.4.2.2 – 7.4.2.27.4.3

7.2.10 – 7.2.107.2.11

7.6.1 – 7.6.17.6.2

7.4.2.3 – 7.4.2.37.4.3

7.0.8 – 7.0.87.0.9

7.6.2 – 7.6.27.6.3

7.7.10 – 7.7.107.7.11

7.2.10.1 – 7.2.10.17.2.11

7.0.8.1 – 7.0.8.17.0.9

7.6.2.1 – 7.6.2.17.6.3

7.2.10.2 – 7.2.10.27.2.11

7.7.10.1 – 7.7.10.17.7.11

7.4.2.4 – 7.4.2.47.4.3

7.4.3 – 7.4.37.4.4

Weakness Classification (CWE)

CWE-269

Timeline

Reserved2025-10-08
Published2026-03-04
Modified2026-03-05
EPSS updated2026-03-23

Unpatched — 81 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-20044 is to upgrade the Cisco Secure Firewall Management Center (FMC) to a patched version. Cisco has released updates to address this vulnerability; refer to the official Cisco advisory for specific version details. If immediate patching is not possible due to compatibility concerns or testing requirements, consider implementing stricter access controls and limiting the number of users with administrative privileges. While not a direct fix, restricting access can reduce the attack surface. Monitor system logs for suspicious activity, particularly commands executed by users with elevated privileges. After upgrading, verify the fix by attempting to execute arbitrary commands through the system CLI while in lockdown mode; the commands should be rejected.

How to fix

Update the Cisco Secure Firewall Management Center (FMC) to a version that is not affected by this vulnerability. See the Cisco advisory for more details on the patched versions and upgrade instructions.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-20044 — Command Injection in Cisco Secure Firewall FMC?

CVE-2026-20044 is a Command Injection vulnerability affecting Cisco Secure Firewall Management Center (FMC) versions 6.4.0–7.7.10.1, allowing authenticated attackers to execute commands as root.

Am I affected by CVE-2026-20044 in Cisco Secure Firewall FMC?

If you are running Cisco Secure Firewall Management Center versions 6.4.0 through 7.7.10.1, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.

How do I fix CVE-2026-20044 in Cisco Secure Firewall FMC?

The recommended fix is to upgrade to a patched version of Cisco Secure Firewall Management Center. Refer to the official Cisco advisory for specific version details.

Is CVE-2026-20044 being actively exploited?

As of now, there are no publicly known active exploits for CVE-2026-20044, but the potential for root access warrants immediate attention and mitigation.

Where can I find the official Cisco advisory for CVE-2026-20044?

Please refer to the official Cisco Security Advisory for CVE-2026-20044 on the Cisco website (search for 'CVE-2026-20044 Cisco').

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Local — attacker needs a local shell or interactive session on the system.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: High — admin or privileged account required to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: None — no availability impact. Service remains fully operational.