

Affected Environment
Cisco Secure Firewall FMC, ASA, FTD, FMC-managed Snort, Webex, ClamAV, IOS XE, Cyber Vision, Meraki MX, and Catalyst SD-WAN controllers.
Exposure depends on product type, on which features are enabled (VPN, Snort, OSPF, SSH, SAML, SSL decryption), and on the deployment model (on‑prem or Cisco‑hosted SD‑WAN).
Threat Overview
Vulnerabilities include authentication bypass, remote code execution, SQL and command injection, path traversal, XSS, ACL bypass and multiple DoS.
Successful exploitation can grant root or admin access, bypass policy, disrupt VPN and inspection, or interrupt core firewall and SD‑WAN services.
Exposure Timeline
Cisco advisories and this report are dated 4–5 March 2026; most issues have fixed releases available from Cisco.
The authentication bypass in Catalyst SD‑WAN has been exploited in the wild, so exposure persists until upgrades or mitigations are applied.
Attack Surface
Primary exposure is internet‑facing FMC, ASA, FTD, VPN portals, SD‑WAN controllers and Webex, reachable by unauthenticated attackers.
Additional risk exists from authenticated local or API users with admin‑level roles, as well as adjacent OSPF peers and configured IKEv2/IPsec endpoints.
Technical Root Cause
Root causes include improper boot‑time processes, insecure Java deserialization, SQL injection flaws, weak input validation and CLI privilege issues.
Snort 3 engine defects, SSL/TLS handling errors, SSH key handling, SAML SSO logic, OSPF processing bugs and file path handling also contribute.
Exploitation Pathway
Remote attackers send crafted HTTP/HTTPS, VPN, SSH, IKEv2/IPsec or SD‑WAN peering traffic to trigger auth bypass, code execution or DoS.
Authenticated users exploit FMC, ASA or FTD web/CLI flaws to run commands as root, access other contexts, or modify files on underlying systems.
Operational Impact
Devices may reload or stop responding, causing VPN outages, firewall disruption, blocked or dropped traffic, and loss of packet inspection.
Inspection bypass, ACL bypass and SSL policy issues can allow traffic that should be denied, reducing visibility into threats crossing the network.
Strategic Impact
Compromise of FMC, ASA/FTD or SD‑WAN controllers could provide broad control over network policy and segmentation to an attacker.
Auth bypass and rule‑evasion issues directly affect trust in perimeter and SD‑WAN controls, impacting overall security posture and compliance.
Required Mitigation
Identify in‑scope Cisco products and versions, then apply Cisco’s fixed software releases after testing, prioritising 10.0‑score and exploited issues.
Where patches are not yet applied, use Cisco’s documented mitigations (e.g., restrict SD‑WAN management ports, disable affected features) as interim steps.
Incident Response Guidance
Check for signs of controller or firewall compromise, unexpected reloads, unexplained VPN failures, or unusual admin actions on FMC/ASA/FTD.
If compromise is suspected, isolate affected systems, rotate credentials and keys, review configuration changes, and apply patches before returning to service.
References
Use Cisco security advisory links in this report for product‑specific impact, fixed versions, and any configuration guidance or workarounds.
Track the listed CVEs (e.g., CVE‑2026‑20079, CVE‑2026‑20127) in your vulnerability management tools to ensure remediation and ongoing monitoring.




