CVE-2026-20044 - Vulnerability Details

- Cisco Secure Firewall Management Center Command Injection Vulnerability

Description

A vulnerability in the lockdown mechanism of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, local attacker to perform arbitrary commands as root.

This vulnerability is due to insufficient restrictions on remediation modules while in lockdown mode. An attacker could exploit this vulnerability by sending crafted input to the system CLI of the affected device. A successful exploit could allow the attacker to run arbitrary commands or code as root, even when the system is in lockdown mode. To exploit this vulnerability, the attacker must have valid administrative credentials.

Published: 2026-03-04

Score: 6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Based on the description, a flaw in the lockdown enforcement of Cisco Secure Firewall Management Center permits an authenticated local attacker with administrative rights to inject arbitrary commands via the system CLI, potentially executing code as root even while the firewall is in lockdown mode. This locally privileged command injection can compromise the entire device, allowing attackers to modify configuration, exfiltrate data, or pivot further within the network.

Affected Systems

Based on the advisory, the vulnerability affects all Cisco Secure Firewall Management Center (FMC) deployments. Since specific affected versions are not listed, all released FMC software should be considered at risk until a patch is applied.

Risk and Exploitability

The CVSS score of 6.0 denotes moderate severity, while the EPSS of less than 1 percent indicates a low likelihood of widespread exploitation at this time. Based on the description, the attacker must have valid administrative credentials and can run commands as root, which would have severe impact. The vulnerability is not listed in the CISA KEV catalog. Based on its local privilege escalation capability, it is inferred that organizations should treat it as high‑priority.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Cisco

Cisco Secure Firewall Management Center (FMC)

unknown

Version	Status	Constraints
`6.4.0.6`	affected	—
`6.4.0.7`	affected	—
`6.4.0.4`	affected	—
`6.4.0.1`	affected	—
`6.4.0.8`	affected	—
`6.4.0.2`	affected	—
`6.4.0.3`	affected	—
`6.4.0.5`	affected	—
`6.4.0`	affected	—
`6.4.0.9`	affected	—
`6.4.0.10`	affected	—
`6.4.0.11`	affected	—
`6.4.0.12`	affected	—
`7.0.0`	affected	—
`7.0.0.1`	affected	—
`7.0.1`	affected	—
`7.1.0`	affected	—
`6.4.0.13`	affected	—
`7.0.1.1`	affected	—
`6.4.0.14`	affected	—
`7.1.0.1`	affected	—
`7.0.2`	affected	—
`6.4.0.15`	affected	—
`7.2.0`	affected	—
`7.0.2.1`	affected	—
`7.0.3`	affected	—
`7.1.0.2`	affected	—
`7.2.0.1`	affected	—
`7.0.4`	affected	—
`7.2.1`	affected	—
`7.0.5`	affected	—
`6.4.0.16`	affected	—
`7.3.0`	affected	—
`7.2.2`	affected	—
`7.3.1`	affected	—
`7.2.3`	affected	—
`7.1.0.3`	affected	—
`7.2.3.1`	affected	—
`7.2.4`	affected	—
`7.0.6`	affected	—
`7.2.4.1`	affected	—
`7.2.5`	affected	—
`7.3.1.1`	affected	—
`7.4.0`	affected	—
`6.4.0.17`	affected	—
`7.0.6.1`	affected	—
`7.2.5.1`	affected	—
`7.4.1`	affected	—
`7.2.6`	affected	—
`7.4.1.1`	affected	—
`7.0.6.2`	affected	—
`6.4.0.18`	affected	—
`7.2.7`	affected	—
`7.2.5.2`	affected	—
`7.3.1.2`	affected	—
`7.2.8`	affected	—
`7.6.0`	affected	—
`7.4.2`	affected	—
`7.2.8.1`	affected	—
`7.0.6.3`	affected	—
`7.4.2.1`	affected	—
`7.2.9`	affected	—
`7.0.7`	affected	—
`7.7.0`	affected	—
`7.4.2.2`	affected	—
`7.2.10`	affected	—
`7.6.1`	affected	—
`7.4.2.3`	affected	—
`7.0.8`	affected	—
`7.6.2`	affected	—
`7.7.10`	affected	—
`7.2.10.1`	affected	—
`7.0.8.1`	affected	—
`7.6.2.1`	affected	—
`7.2.10.2`	affected	—
`7.7.10.1`	affected	—
`7.4.2.4`	affected	—
`7.4.3`	affected	—

No data.

Vendor Product Confidence Versions

Cisco

Secure Firewall Management Center

88%

Version	Status	Scheme	Platform
`6.4.0.6`	affected	generic	—
`6.4.0.7`	affected	generic	—
`6.4.0.4`	affected	generic	—
`6.4.0.1`	affected	generic	—
`6.4.0.8`	affected	generic	—
`6.4.0.2`	affected	generic	—
`6.4.0.3`	affected	generic	—
`6.4.0.5`	affected	generic	—
`6.4.0`	affected	semver	—
`6.4.0.9`	affected	generic	—
`6.4.0.10`	affected	generic	—
`6.4.0.11`	affected	generic	—
`6.4.0.12`	affected	generic	—
`7.0.0`	affected	semver	—
`7.0.0.1`	affected	generic	—
`7.0.1`	affected	semver	—
`7.1.0`	affected	semver	—
`6.4.0.13`	affected	generic	—
`7.0.1.1`	affected	generic	—
`6.4.0.14`	affected	generic	—
`7.1.0.1`	affected	generic	—
`7.0.2`	affected	semver	—
`6.4.0.15`	affected	generic	—
`7.2.0`	affected	semver	—
`7.0.2.1`	affected	generic	—
`7.0.3`	affected	semver	—
`7.1.0.2`	affected	generic	—
`7.2.0.1`	affected	generic	—
`7.0.4`	affected	semver	—
`7.2.1`	affected	semver	—
`7.0.5`	affected	semver	—
`6.4.0.16`	affected	generic	—
`7.3.0`	affected	semver	—
`7.2.2`	affected	semver	—
`7.3.1`	affected	semver	—
`7.2.3`	affected	semver	—
`7.1.0.3`	affected	generic	—
`7.2.3.1`	affected	generic	—
`7.2.4`	affected	semver	—
`7.0.6`	affected	semver	—
`7.2.4.1`	affected	generic	—
`7.2.5`	affected	semver	—
`7.3.1.1`	affected	generic	—
`7.4.0`	affected	semver	—
`6.4.0.17`	affected	generic	—
`7.0.6.1`	affected	generic	—
`7.2.5.1`	affected	generic	—
`7.4.1`	affected	semver	—
`7.2.6`	affected	semver	—
`7.4.1.1`	affected	generic	—
`7.0.6.2`	affected	generic	—
`6.4.0.18`	affected	generic	—
`7.2.7`	affected	semver	—
`7.2.5.2`	affected	generic	—
`7.3.1.2`	affected	generic	—
`7.2.8`	affected	semver	—
`7.6.0`	affected	semver	—
`7.4.2`	affected	semver	—
`7.2.8.1`	affected	generic	—
`7.0.6.3`	affected	generic	—
`7.4.2.1`	affected	generic	—
`7.2.9`	affected	semver	—
`7.0.7`	affected	semver	—
`7.7.0`	affected	semver	—
`7.4.2.2`	affected	generic	—
`7.2.10`	affected	semver	—
`7.6.1`	affected	semver	—
`7.4.2.3`	affected	generic	—
`7.0.8`	affected	semver	—
`7.6.2`	affected	semver	—
`7.7.10`	affected	semver	—
`7.2.10.1`	affected	generic	—
`7.0.8.1`	affected	generic	—
`7.6.2.1`	affected	generic	—
`7.2.10.2`	affected	generic	—
`7.7.10.1`	affected	generic	—
`7.4.2.4`	affected	generic	—
`7.4.3`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest Cisco Secure Firewall Management Center firmware that addresses the command injection flaw, as outlined in the Cisco security advisory.
Restrict local administrative privileges by disabling or minimizing privileged accounts, and enforce the principle of least privilege for users who can access the FMC CLI.
Enable network segmentation and monitor FMC logs for abnormal command execution patterns or unauthorized access attempts.

Generated by OpenCVE AI on April 17, 2026 at 13:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00005.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inject-S9ZM4EJf

History

Thu, 05 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 05 Mar 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cisco Cisco secure Firewall Management Center
Vendors & Products		Cisco Cisco secure Firewall Management Center

Wed, 04 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the lockdown mechanism of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, local attacker to perform arbitrary commands as root. This vulnerability is due to insufficient restrictions on remediation modules while in lockdown mode. An attacker could exploit this vulnerability by sending crafted input to the system CLI of the affected device. A successful exploit could allow the attacker to run arbitrary commands or code as root, even when the system is in lockdown mode. To exploit this vulnerability, the attacker must have valid administrative credentials.
Title		Cisco Secure Firewall Management Center Command Injection Vulnerability
Weaknesses		CWE-269
References		https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-cmd-inject-S9ZM4EJf
Metrics		cvssV3_1 `{'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Cisco Secure Firewall Management Center

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-03-04T17:17:41.169Z

Updated: 2026-03-05T14:05:46.010Z

Reserved: 2025-10-08T11:59:15.354Z

Link: CVE-2026-20044

Vulnrichment

Updated: 2026-03-05T14:05:43.244Z

NVD

Status : Awaiting Analysis

Published: 2026-03-04T18:16:17.580

Modified: 2026-03-05T19:39:11.967

Link: CVE-2026-20044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses

CWE-269

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object