Yesterday, 8 May 2026 (main stream)
  • ✇Security Affairs
  • Cisco patches high-severity flaws enabling SSRF, code execution attacks Pierluigi Paganini

Cisco patches high-severity flaws enabling SSRF, code execution attacks

7 May 2026, 11:15

Cisco fixed several high‑severity flaws in its enterprise products, including SSRF bugs in Unity Connection that could enable code execution or service disruption.

Cisco released patches for multiple high‑severity vulnerabilities affecting its enterprise products. Successful exploitation could allow code execution, server‑side request forgery (SSRF), or denial‑of‑service attacks. Two notable flaws, CVE‑2026‑20034 and CVE‑2026‑20035, impact Cisco Unity Connection. Attackers can exploit them to trigger SSRF attacks.

“Multiple vulnerabilities in Cisco Unity Connection could allow a remote attacker to execute arbitrary code on or conduct server-side request forgery (SSRF) attacks through an affected device.” reads the advisory published by Cisco.

CVE‑2026‑20034 is a flaw in Cisco Unity Connection that allows an authenticated remote attacker to run arbitrary root‑level code on the device. The issue stems from improper validation of user input, letting an attacker send a crafted API request to fully compromise the system. Cisco has released fixes, and no workarounds exist.

“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request.” reads the advisory. “A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.”

CVE-2026-20035 is a flaw in the Cisco Unity Connection Web Inbox UI that allows an unauthenticated remote attacker to perform SSRF attacks. The issue comes from improper validation of certain HTTP requests. By sending a crafted request, an attacker could make the device send arbitrary network traffic on their behalf, potentially reaching internal services that are not exposed to the attacker directly.

“A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device.” reads the advisory.

“This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device.”
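The advisory text above describes the SSRF bug class in general terms: a feature that issues HTTP requests on behalf of a client without validating where those requests go. The following is an added example, not Cisco's code and not derived from the Unity Connection implementation. It shows the validation a server-side fetcher needs before contacting a client-supplied URL: a scheme and host allowlist, rejection of embedded credentials, and a check of the resolved address against loopback, private and link-local ranges so that an allowlisted name cannot be redirected onto the device's internal network. The allowlisted hostnames and the resolver injected in tests are constructed placeholders.

```python
"""Outbound-request validation against SSRF (constructed example, not Cisco code).

A server-side feature that fetches a client-supplied URL must decide whether
that destination is one it should ever contact. "Fetch whatever the client
sent" is the vulnerable shape; the checks below are the defensive shape.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: the only destinations this feature is meant to reach.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"mail.example.com", "updates.example.com"}


def is_public_address(ip_text):
    """True only for addresses outside the loopback, private, link-local,
    multicast, reserved and unspecified ranges (IPv4 and IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolver=socket.gethostbyname):
    """Return (True, resolved_ip) if the service may contact url, else (False, reason).

    The resolver is injectable so the logic can be exercised offline.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host!r}"
    try:
        ip_text = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    # Defence in depth: an allowlisted name can still be pointed at an internal
    # address (DNS rebinding, a compromised zone), so the resolved address is
    # checked as well. The caller should then connect to this exact address
    # instead of resolving the name a second time.
    if not is_public_address(ip_text):
        return False, f"{host} resolves to non-public address {ip_text}"
    return True, ip_text


if __name__ == "__main__":
    # Constructed inputs: a fixed resolver stands in for DNS.
    fake_dns = {"mail.example.com": "1.2.3.4", "updates.example.com": "10.0.0.5"}
    for candidate in (
        "https://mail.example.com/inbox",          # allowed, public address
        "https://updates.example.com/feed",        # allowlisted name, internal IP
        "http://127.0.0.1:8443/",                   # loopback, not allowlisted
        "http://169.254.1.1/",                      # link-local, not allowlisted
        "file:///etc/hosts",                        # scheme not allowed
    ):
        print(candidate, "->", validate_outbound_url(candidate, fake_dns.__getitem__))
```

The allowlist does most of the work; the resolved-address check is there for the case the allowlist cannot cover, a permitted name that later resolves somewhere it should not. Keeping the resolver injectable also makes this logic straightforward to unit-test without network access.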

Below are the impacted releases:

Cisco Unity Connection release and first fixed release:

  • 12.5 and earlier: migrate to a fixed release.
  • 14.0: 14SU5
  • 15.0: 15SU4, or apply the patch file ciscocm.cuc.V15_CSCwq36774-CSCwq36834_C0277-1.zip

Cisco PSIRT said it is not aware of any public reports or active malicious exploitation of these vulnerabilities.


Pierluigi Paganini

(SecurityAffairs – hacking, Unity Connection)

Before yesterday (main stream)

Cisco Acquisition of Astrix Security Signals to Strengthen on Non-Human Identity Security

Networking and security leader Cisco has announced its intent to acquire Astrix Security, a pioneer in Non-Human Identity (NHI) management. Announced in May 2026, this acquisition is designed to help enterprises secure the rapidly expanding “agentic workforce”, the growing ecosystem of autonomous AI agents that operate alongside human employees. As organizations integrate AI into their […]

The post Cisco Acquisition of Astrix Security Signals to Strengthen on Non-Human Identity Security appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Cisco Launches AI Provenance Tool to Strengthen Security and Compliance

Artificial intelligence models are integrated into countless enterprise applications, but knowing exactly where these models come from remains a major security hurdle. Cisco recently launched the Model Provenance Kit, an open-source tool for tracing the exact lineage of AI models. This release aims to bring transparency to complex AI supply chains and help organizations meet […]

The post Cisco Launches AI Provenance Tool to Strengthen Security and Compliance appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

New Linux FIRESTARTER Backdoor Targets Cisco Firepower Devices

CISA and NCSC warn that FIRESTARTER, a Linux-based backdoor, targets Cisco Firepower devices, evades patches, and enables persistent access even after firmware updates.
  • ✇Cyber Security News
  • Hackers Exploiting Cisco Firepower Devices’ Using n-day Vulnerabilities to Gain Unauthorized Access Abinaya

Hackers Exploiting Cisco Firepower Devices’ Using n-day Vulnerabilities to Gain Unauthorized Access

24 April 2026, 23:05

State-sponsored threat actors are actively targeting Cisco Firepower devices by chaining known vulnerabilities to deploy a highly customized backdoor.

Cisco Talos recently discovered that the espionage-focused threat group UAT-4356 is exploiting two n-day vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, to infiltrate Firepower Extensible Operating System (FXOS) environments.

UAT-4356 previously orchestrated the ArcaneDoor campaign, which successfully targeted network perimeter devices to conduct widespread espionage.

In this latest campaign, attackers leverage their initial access to install “FIRESTARTER,” an advanced implant that grants unauthorized remote control over compromised networks.

The FIRESTARTER backdoor embeds itself deep within the core components of Cisco’s ASA and FTD appliances. The malware specifically targets the LINA process, allowing attackers to execute arbitrary shellcode directly in the device’s memory.

Malicious Payload Execution

To establish a foothold, UAT-4356 manipulates the device’s boot sequence by altering the Cisco Service Platform mount list. Interestingly, this persistence mechanism remains entirely transient and only triggers during a graceful reboot.

When the device processes a standard termination signal, FIRESTARTER copies itself to a backup log file. It updates the mount list to guarantee re-execution.

Once the malicious payload restarts, it cleans up its tracks by restoring the original mount list and deleting temporary files.

Because the malware heavily relies on runlevel states, administrators can completely eradicate the implant by performing a hard reboot, such as physically disconnecting the hardware from its power source.

During the infection phase, FIRESTARTER meticulously scans the LINA process’s memory for specific byte markers and an executable memory range associated with the shared library framework.

After locating the appropriate environment, the malware copies its secondary shellcode into memory and overwrites a legitimate internal data structure.

This process successfully replaces a standard WebVPN XML handler function with the attacker’s malicious routine. FIRESTARTER then actively intercepts incoming WebVPN requests.

If an incoming request matches a specific custom prefix, the malware immediately executes the attached shellcode. If the data lacks the required prefix, FIRESTARTER quietly forwards the request to the original handler to evade suspicion.

Analysts note that this sophisticated loading mechanism shares substantial technical overlap with RayInitiator’s deployment tactics.

Detection and Mitigation

Security teams should proactively hunt for FIRESTARTER infections, as Cisco Talos Intelligence advises checking for artifact files and unusual processes to prevent further espionage activity.

Organizations should take the following steps to secure their infrastructure:

  • Search for the malicious background process or the temporary core log file hiding on the disk.
  • Reimage all affected devices to clear the FIRESTARTER infection from the system architecture definitively.
  • Kill the compromised process and reload the system on FTD software operating outside of lockdown mode.
  • Apply critical software upgrades recommended in Cisco’s Security Advisory and CISA Emergency Directive 25-03.
  • Deploy Snort rules 65340 and 46897 to detect vulnerability exploitation, and rule 62949 to flag backdoor activity.


The post Hackers Exploiting Cisco Firepower Devices’ Using n-day Vulnerabilities to Gain Unauthorized Access appeared first on Cyber Security News.

  • ✇Security Affairs
  • CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network Pierluigi Paganini

CISA reports persistent FIRESTARTER backdoor on Cisco ASA device in federal network

24 April 2026, 21:00

CISA said a federal Cisco Firepower ASA device was infected with the FIRESTARTER backdoor in Sept 2025, and it survived security patches.

CISA revealed that a U.S. federal civilian agency’s Cisco Firepower device running ASA software was compromised in September 2025 by the FIRESTARTER backdoor. The malware reportedly persisted even after security patches were applied, showing strong stealth and resilience against detection and remediation efforts.

FIRESTARTER is a backdoor identified by CISA and the UK NCSC, used for remote access and control in a likely APT campaign targeting Cisco ASA devices. It exploits now-patched flaws including CVE-2025-20333, which allowed remote code execution with VPN credentials, and CVE-2025-20362, which enabled unauthenticated access to restricted endpoints via crafted HTTP requests.

“The Cybersecurity and Infrastructure Security Agency (CISA) analyzed a sample of FIRESTARTER malware obtained from a forensic investigation. CISA and the United Kingdom National Cyber Security Centre (NCSC) assess that FIRESTARTER—a backdoor that allows remote access and control—is part of a widespread campaign that afforded an advanced persistent threat (APT) actor initial access to Cisco Adaptive Security Appliance (ASA) firmware by exploiting CVE-2025-20333 [CWE-862: Missing Authorization] and/or CVE-2025-20362 [CWE-120: Classic Buffer Overflow].” reads the report published by CISA.

CISA and the NCSC warn that FIRESTARTER can persist on Cisco ASA or Firepower Threat Defense systems even after patching, allowing attackers to regain access without re-exploiting vulnerabilities. U.S. federal agencies must follow CISA Emergency Directive 25-03. Organizations are urged to use provided YARA rules to detect the malware in disk images or core dumps and report any findings to CISA or the NCSC.

CISA detected suspicious activity on a U.S. federal Cisco Firepower ASA device through continuous monitoring. After validation and forensic analysis, it found a malware sample named FIRESTARTER. Attackers had initially used LINE VIPER for post-exploitation, then deployed FIRESTARTER to maintain persistence.

“In this incident, APT actors initially deployed LINE VIPER as a post-exploitation implant and subsequently used FIRESTARTER as a persistence mechanism to maintain continued access to the compromised device.” continues the alert. “Although Cisco’s patches addressed CVE-2025-20333 and CVE-2025-20362, devices compromised prior to patching may remain vulnerable because FIRESTARTER is not removed by firmware updates.”

FIRESTARTER is a Linux ELF malware targeting Cisco Firepower and Secure Firewall devices, acting as a command-and-control backdoor for remote access. It maintains persistence by intercepting termination signals and automatically relaunching, allowing it to survive reboots and even firmware updates unless a full power cycle is performed.

The malware embeds itself in the LINA network processing engine by installing a hook that intercepts normal XML handling functions. This enables execution of attacker-supplied shellcode and deployment of additional payloads like LINE VIPER.

“FIRESTARTER attempts to install a hook—a way to intercept and modify normal operations—within LINA, the device’s core engine for network processing and security functions.” states CISA. “This hook enables the execution of arbitrary shell code provided by the APT actors, including the deployment of LINE VIPER.”

Upon execution, FIRESTARTER loads itself from disk into memory, registers handlers for multiple termination signals, and performs cleanup and self-reinstallation routines. It manipulates system files to restore modified components, deletes traces, and re-establishes itself under a new persistent path.

For persistence, it writes itself into reboot-persistent log locations and recreates missing configuration files used for execution. It then appends scripts that move the malware binary into system directories, makes it executable, and runs it in the background while suppressing errors.

The malware also scans LINA memory to locate key structures, injects shellcode into shared libraries like libstdc++, and installs detours for XML handlers. It only activates payload execution after verifying victim-specific identifiers embedded in WebVPN traffic, ensuring targeted deployment.

CISA and the NCSC urge organizations to follow baseline cybersecurity practices aligned with CPG 2.0, including rapid patching of known vulnerabilities, though current fixes may not remove FIRESTARTER persistence. They recommend inventorying network edge devices, especially Cisco systems, and monitoring for suspicious activity. Organizations should audit privileged accounts, enforce least privilege, rotate passwords regularly, and modernize access controls using secure protocols like TACACS+ over TLS 1.3 to reduce credential exposure and improve detection.

“We recommend that Cisco customers follow the steps recommended in Cisco’s advisory, with particular attention to any applicable software upgrade recommendations. Organizations impacted can initiate a TAC request for Cisco support.” reads the report published by Cisco Talos. “A FIRESTARTER infection may be mitigated on all affected devices by reimaging the devices. On Cisco FTD software that is not in lockdown mode, there is also the option of killing the lina_cs process then reloading the device:”


Pierluigi Paganini

(SecurityAffairs – hacking, FIRESTARTER backdoor)

  • ✇Cyber Security News
  • CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks Abinaya

CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks

21 April 2026, 10:01

CISA has added three critical Cisco Catalyst SD-WAN Manager vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies and organizations to act immediately.

All three flaws were added on April 20, 2026, with a tight remediation deadline of April 23, 2026.

The three vulnerabilities affect Cisco Catalyst SD-WAN Manager, a widely used platform for managing enterprise SD-WAN infrastructure.
Here’s a breakdown:

  • CVE-2026-20133 (CWE-200 – Sensitive Information Exposure): This flaw allows remote, unauthenticated attackers to view sensitive information on affected systems.

    No login is required to exploit this vulnerability, making it particularly dangerous for internet-exposed deployments.
  • CVE-2026-20122 (CWE-648 – Incorrect Use of Privileged APIs): Caused by improper handling of files on the API interface, this vulnerability allows an attacker to upload a malicious file to the local file system.

    A successful exploit grants the attacker vmanage user privileges, enabling deep access and control over the SD-WAN environment.
  • CVE-2026-20128 (CWE-257 – Passwords Stored in Recoverable Format): An authenticated local attacker can exploit this flaw by accessing a credential file stored in a recoverable format on the filesystem.

    This allows privilege escalation to the DCA user level, even from a low-privileged account.

SD-WAN managers sit at the heart of enterprise network infrastructure, controlling routing, policies, and device configurations across distributed locations.

Compromising this platform can give attackers broad lateral movement capabilities, enabling them to pivot across the entire network.

While ransomware involvement is currently listed as “unknown,” the exploitation of SD-WAN management platforms has historically preceded large-scale network intrusions.

CISA has issued Emergency Directive 26-03, along with dedicated Hunt & Hardening Guidance for Cisco SD-WAN Devices, underscoring the threat’s severity.

Organizations that cannot apply mitigations are directed to discontinue use of the product per BOD 22-01 guidance for cloud services.

Recommended Actions

  • Apply all available patches and security updates from Cisco immediately.
  • Review CISA’s Emergency Directive 26-03 for specific exposure assessment steps.
  • Follow CISA’s Hunt & Hardening Guidance to detect signs of compromise.
  • Restrict API access and audit local file system permissions on affected systems.
  • Monitor for unusual privilege escalation or unauthorized file uploads.

With the due date set for April 23, 2026, Federal Civilian Executive Branch (FCEB) agencies have virtually no time to delay.

Private sector organizations managing Cisco SD-WAN deployments should treat this advisory with equal urgency, as active exploitation in the wild makes these vulnerabilities an immediate risk to network integrity.


The post CISA Warns of Cisco Catalyst SD-WAN Manager Vulnerabilities Exploited in Attacks appeared first on Cyber Security News.

Cisco Patches Critical ISE Vulnerabilities Allowing Remote Code Execution Attacks


Cisco has released security updates to fix multiple vulnerabilities in its Identity Services Engine and Webex Services, warning that successful exploitation could lead to remote code execution, root-level access, and user impersonation. The Cisco ISE vulnerabilities affect widely used enterprise authentication and collaboration systems, making patching a priority for organizations. The Cisco ISE vulnerabilities and the Webex Services flaw have not been observed in active exploitation so far. However, the company has urged customers to update affected systems immediately to reduce risk exposure.

Critical Cisco ISE Vulnerabilities Enable Remote Code Execution

The most severe issues impact Cisco Identity Services Engine (ISE) and its Passive Identity Connector (ISE-PIC). These Cisco ISE vulnerabilities stem from insufficient validation of user-supplied input, a flaw that allows attackers to send specially crafted HTTP requests to targeted systems. Among them, CVE-2026-20147 carries a CVSS score of 9.9 and allows an authenticated attacker with administrative credentials to execute arbitrary commands on the underlying operating system. According to Cisco, this could enable attackers to gain user-level access and then escalate privileges to root. Two additional vulnerabilities, CVE-2026-20180 and CVE-2026-20186, also rated 9.9, allow attackers with read-only administrative access to execute arbitrary commands. These Cisco ISE vulnerabilities highlight how even limited privileges can be leveraged for deeper system compromise. Cisco noted that exploitation in single-node deployments could disrupt services entirely, potentially leading to a denial-of-service condition where new endpoints cannot authenticate to the network.

Webex Services Flaw Risks User Impersonation

Alongside the Cisco ISE vulnerabilities, a critical issue has been identified in Cisco Webex Services. Tracked as CVE-2026-20184 with a CVSS score of 9.8, the flaw affects single sign-on integration with Control Hub. This vulnerability is caused by improper certificate validation and could allow an unauthenticated remote attacker to impersonate any user within the service. Successful exploitation could result in unauthorized access to legitimate Webex accounts, raising concerns for enterprises relying on the platform for communication and collaboration.

Affected Versions and Exposure

The Cisco ISE vulnerabilities impact multiple versions of the platform. All Cisco ISE versions 3.5 and earlier are affected by CVE-2026-20147, while versions 3.4 and earlier are vulnerable to CVE-2026-20180 and CVE-2026-20186. Cisco ISE-PIC systems are also impacted regardless of configuration. For Webex Services, the vulnerability affects deployments using SSO integration with Control Hub. Cisco emphasized that the vulnerabilities are independent of each other, meaning exploitation of one does not require another. Some versions may be affected by specific flaws while not impacted by others.

No Workarounds Available, Patching is Essential

Cisco has confirmed that there are no workarounds to mitigate these vulnerabilities. Organizations must apply the available software updates to fully address the risks. Fixed releases have been issued across supported versions. For example, patches include ISE 3.1 Patch 11, 3.2 Patch 10, 3.3 Patch 11, 3.4 Patch 6, and 3.5 Patch 3. Systems running versions earlier than 3.1 are advised to migrate to a supported release. Security teams are also advised to review system configurations and ensure that upgrade prerequisites such as hardware compatibility and memory requirements are met before deployment.

No Active Exploitation Reported But Risk Remains High

The Cisco Product Security Incident Response Team has stated that it is not aware of any public exploitation or malicious use of these vulnerabilities at the time of disclosure. The issues were reported by Jonathan Lein of TrendAI Research. Despite the lack of active attacks, the severity of the Cisco ISE vulnerabilities and the Webex flaw places them in a high-risk category. Vulnerabilities that allow remote code execution or user impersonation are often targeted quickly once technical details become public.

Security Implications for Enterprises

The Cisco ISE vulnerabilities are particularly significant because ISE plays a central role in network access control, authentication, and policy enforcement. A compromise could provide attackers with deep visibility and control over enterprise networks. Similarly, the Webex vulnerability introduces risks to identity and access management, especially in environments that rely on SSO for centralized authentication. Organizations using affected products are advised to prioritize patching, restrict administrative access where possible, and monitor systems for suspicious activity. Cisco has made detailed advisories and upgrade guidance available through its security portal, and customers are encouraged to follow official recommendations to secure their environments.
  • ✇Security Affairs
  • Cisco fixed four critical flaws in Identity Services and Webex Pierluigi Paganini

Cisco fixed four critical flaws in Identity Services and Webex

16 April 2026, 16:19

Cisco fixed four critical flaws in Identity Services and Webex that could allow code execution and user impersonation.

Cisco has addressed four critical vulnerabilities affecting its Identity Services and Webex platforms. The flaws could allow attackers to execute arbitrary code and impersonate any user within the affected services. The issues pose serious security risks, prompting urgent updates to protect systems and prevent potential exploitation.

Below are the descriptions of the flaws:

  • CVE-2026-20184 (CVSS 9.8): An improper certificate validation issue in Webex SSO integration with Control Hub could allow an unauthenticated remote attacker to impersonate any user and gain unauthorized access to Webex services.
  • CVE-2026-20147 (CVSS 9.9): An input validation flaw in Identity Services Engine (ISE) and ISE-PIC could let an authenticated attacker with admin credentials execute remote code via crafted HTTP requests.
  • CVE-2026-20180 / CVE-2026-20186 (CVSS 9.9): Input validation issues in ISE could allow attackers with read-only admin access to execute arbitrary OS commands using crafted HTTP requests.

Cisco says it has no evidence of public disclosure or active exploitation of these vulnerabilities.


Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

Cisco FMC Zero-Day Among 31 High-Impact Vulnerabilities Exploited in March

31 high-impact vulnerabilities were actively exploited in March 2026, with a Cisco firewall zero-day abused by the Interlock ransomware group emerging as one of the most dangerous threats to enterprise networks. Affected vendors span core enterprise and developer ecosystems, including Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, […]

The post Cisco FMC Zero-Day Among 31 High-Impact Vulnerabilities Exploited in March appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • ✇Security Affairs
  • Cisco fixed critical and high-severity flaws Pierluigi Paganini

Cisco fixed critical and high-severity flaws

2 April 2026, 14:04

Cisco fixed critical flaws that could allow attackers to bypass authentication, run code, and gain access to sensitive data.

Cisco released patches for two critical and six high-severity vulnerabilities. These flaws could let attackers bypass authentication, execute malicious code, escalate privileges, and access sensitive information.

One of these critical flaws is CVE-2026-20093 (CVSS score of 9.8), a flaw in Cisco IMC that lets a remote attacker bypass authentication via a crafted HTTP request. An attacker could change user passwords, including admin, and gain full system access.

Cisco Integrated Management Controller (IMC) is a built-in management system used on Cisco servers. IMC lets administrators control and monitor a server remotely, even if the operating system is off or not working.

Cisco also patched a critical SSM On-Prem flaw, tracked as CVE-2026-20160 (CVSS score of 9.8) that allowed unauthenticated attackers to run commands on the host OS with root privileges via a crafted API request.

Cisco’s PSIRT is not aware of exploits or proof-of-concept code for these vulnerabilities, however the networking giant strongly advises customers to update to the patched software.

In March, the company fixed a critical RCE zero-day, tracked as CVE-2026-20131 (CVSS score of 10.0), in Secure Firewall FMC, exploited by Interlock ransomware. US CISA ordered federal agencies to patch within three days. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.


Pierluigi Paganini

(SecurityAffairs – hacking, CIMC)

ShinyHunters Hackers Claim Theft of 3M+ Cisco Records, Threaten Public Leak

ShinyHunters hackers claim they stole 3 million+ Cisco records via Salesforce and AWS, warning of a public leak if demands are not met by April 3, 2026.
  • ✇Cyber Security News
  • Cisco Smart Software Manager Vulnerability Let Attackers Execute Arbitrary Commands Abinaya

Cisco Smart Software Manager Vulnerability Let Attackers Execute Arbitrary Commands

2 April 2026, 07:13

Cisco has issued an urgent security warning regarding a critical vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) platform.

Enterprise organizations widely use this tool to manage their Cisco software licenses locally. Tracked as CVE-2026-20160, the flaw carries a near-perfect CVSS severity score of 9.8 out of 10. If exploited, it allows an unauthenticated, remote attacker to take complete control of the affected system.

Cisco Smart Software Manager Vulnerability

The core of the problem stems from an internal system service that was accidentally left exposed. Because of this oversight, attackers do not need a username, password, or any prior authorized access to the network to exploit the machine.

To trigger the vulnerability, a hacker needs to send a specially crafted request to the application programming interface (API) of this exposed service.

If the attack is successful, the threat actor can execute arbitrary commands on the underlying operating system. Worse yet, these commands run with root-level privileges.

This means the attacker gains absolute administrative control over the host, allowing them to steal sensitive data, install ransomware, or pivot to other protected areas of the corporate network.

This bug specifically impacts Cisco SSM On-Prem. Not all versions are at risk, however: only releases published during the previous year are affected.

Here is the breakdown of the software versions:

  • Vulnerable: Releases from 9-202502 up to and including 9-202510.
  • Not affected: Any older release (before 9-202502).
  • Fixed: The newly released version 9-202601 contains the official patch.

Cisco also confirmed that this issue does not affect the Smart Licensing Utility or the Smart Software Manager satellite products. If your organization is running a vulnerable version, immediate action is required.
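As an added example (not code from the article or from Cisco), the following Python helper turns the affected-range statement above into an inventory triage check. It parses the "major-YYYYMM" release strings, flags hosts inside the vulnerable range, and deliberately refuses to call anything "safe" that the advisory summary does not name, such as a build between 9-202510 and 9-202601 or a different major train. The hostnames and version strings in the sample inventory are invented for the example.

```python
import re
from typing import Dict, List, Tuple

# Release boundaries as stated in the advisory summary above. The version strings are
# "<major>-<YYYYMM>", so they compare correctly as (major, build) integer pairs.
VULNERABLE_FIRST = "9-202502"
VULNERABLE_LAST = "9-202510"
FIXED_RELEASE = "9-202601"

_RELEASE_RE = re.compile(r"^(\d+)-(\d{6})$")


def parse_release(release: str) -> Tuple[int, int]:
    """Parse an SSM On-Prem release string such as '9-202510' into (major, build)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised SSM On-Prem release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def assess_release(release: str) -> str:
    """Classify one release against the advisory's affected range.

    Returns one of: 'not_affected', 'vulnerable', 'fixed', 'unknown_check_advisory'.
    """
    major, build = parse_release(release)
    first = parse_release(VULNERABLE_FIRST)
    last = parse_release(VULNERABLE_LAST)
    fixed = parse_release(FIXED_RELEASE)
    if major != first[0]:
        # The advisory only talks about the 9-* train; do not guess about other majors.
        return "unknown_check_advisory"
    if (major, build) < first:
        return "not_affected"
    if (major, build) <= last:
        return "vulnerable"
    if (major, build) >= fixed:
        return "fixed"
    # Builds after 9-202510 but before 9-202601 (e.g. 9-202511) are not named in the
    # advisory summary above; treat them as unresolved rather than silently safe.
    return "unknown_check_advisory"


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by status. Unparseable version strings go under 'unparseable'."""
    groups: Dict[str, List[str]] = {}
    for host, release in inventory:
        try:
            status = assess_release(release)
        except ValueError:
            status = "unparseable"
        groups.setdefault(status, []).append(host)
    return groups


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    ("ssm-lab-01", "9-202501"),
    ("ssm-prod-01", "9-202502"),
    ("ssm-prod-02", "9-202510"),
    ("ssm-prod-03", "9-202511"),
    ("ssm-dr-01", "9-202601"),
    ("ssm-old-01", "v8.4"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:24s} {', '.join(hosts)}")
```

The "unknown_check_advisory" bucket is the point of the example: a triage script that maps everything outside the vulnerable range to "safe" would quietly clear a host running a build the advisory never mentions, so those hosts should be checked against the full Cisco advisory or the Cisco Software Checker rather than closed out.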

Current Exploitation Status

Cisco states that there are no workarounds or temporary mitigations that block this attack.

The only way to secure the deployment is to upgrade SSM On-Prem to the fixed release (9-202601) as soon as possible.

Before upgrading, IT teams should verify that their devices meet the memory and hardware requirements for the new release.

Cisco’s Product Security Incident Response Team (PSIRT) noted that there are currently no known public exploits or malicious campaigns exploiting this bug.

The vulnerability was actually discovered internally while a Cisco Technical Assistance Center (TAC) team was helping a customer resolve an unrelated support case.

However, because the details of CVE-2026-20160 are now public, cybercriminals will likely begin reverse-engineering the patch and scanning the internet for vulnerable systems.

Security teams should treat this upgrade as a top priority to prevent a potential network compromise.


The post Cisco Smart Software Manager Vulnerability Let Attackers Execute Arbitrary Commands appeared first on Cyber Security News.

  • ✇Cyber Security News
  • Cisco Secure Firewall Vulnerability Allows Remote Code Execution as Root User Abinaya

Cisco Secure Firewall Vulnerability Allows Remote Code Execution as Root User

26 de Março de 2026, 08:04

Cisco has released an urgent security advisory addressing a critical vulnerability in its Secure Firewall Management Center (FMC) software.

This severe flaw allows unauthenticated remote attackers to execute arbitrary code with full root privileges. CVE-2026-20131 is rated critical with a CVSS score of 10.0; it stems from insecure deserialization (CWE-502) and is exploitable remotely without any privileges.

The flaw resides in the web-based management interface of Cisco Secure FMC and is caused by insecure deserialization of a user-supplied Java byte stream.

An attacker can exploit this weakness by simply sending a specially crafted serialized Java object to the vulnerable web interface.

If exploitation succeeds, the attacker can execute arbitrary Java code on the targeted device and elevate privileges to root.

Gaining root access to a core management system is highly dangerous, allowing attackers to alter security controls, disable defenses, and maintain a persistent foothold for deeper network attacks.
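The attack described above hinges on a client being able to hand the management interface a serialized Java object. As an added example (not code from the article, from Cisco, or an FMC-specific signature), the following Python scanner shows the generic check a WAF rule or a log-review script would apply to request bodies: look for the Java serialization stream header in raw, base64 and percent-encoded form, and pull out the class name of the first object so an analyst can see what was being deserialized. The request bodies and the path /api/example are constructed for the example, not captured traffic.

```python
import base64
import re
import struct
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Header every java.io.ObjectOutputStream writes: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Type codes from the Java Object Serialization Stream Protocol.
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72


def first_class_name(stream: bytes) -> Optional[str]:
    """Return the class name of the first object in a raw serialized stream, if it starts with one."""
    if not stream.startswith(JAVA_SERIAL_MAGIC):
        return None
    body = stream[len(JAVA_SERIAL_MAGIC):]
    if len(body) < 4 or body[0] != TC_OBJECT or body[1] != TC_CLASSDESC:
        return None  # first element is not a plain object, or the stream is truncated
    (name_len,) = struct.unpack(">H", body[2:4])
    name = body[4:4 + name_len]
    return name.decode("utf-8", errors="replace") if len(name) == name_len else None


def _candidate_streams(body: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (encoding, stream) for each place a Java serialized stream may be hiding in a body."""
    # 1. Raw binary anywhere in the body (custom content types, multipart parts).
    for m in re.finditer(re.escape(JAVA_SERIAL_MAGIC), body):
        yield "raw", body[m.start():]
    # 2. Base64 tokens (form fields, cookies, JSON strings). The magic bytes encode to "rO0AB...".
    for m in re.finditer(rb"rO0AB[A-Za-z0-9+/]*={0,2}", body):
        token = m.group(0)
        try:
            decoded = base64.b64decode(token + b"=" * (-len(token) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if decoded.startswith(JAVA_SERIAL_MAGIC):
            yield "base64", decoded
    # 3. Percent-encoded binary (%AC%ED%00%05...), as in application/x-www-form-urlencoded.
    if b"%" in body:
        decoded = unquote_to_bytes(body)
        for m in re.finditer(re.escape(JAVA_SERIAL_MAGIC), decoded):
            yield "urlencoded", decoded[m.start():]


def scan_request(method: str, path: str, body: bytes) -> List[Dict[str, Optional[str]]]:
    """Report every Java serialized stream found in one request body, deduplicated by content."""
    findings: List[Dict[str, Optional[str]]] = []
    seen = set()
    for encoding, stream in _candidate_streams(body):
        key = stream[:64]
        if key in seen:
            continue
        seen.add(key)
        findings.append({"method": method, "path": path, "encoding": encoding,
                         "class": first_class_name(stream)})
    return findings


# --- Constructed sample data (not captured traffic) ---------------------------------------
def constructed_stream() -> bytes:
    """A minimal, deliberately truncated stream: header, TC_OBJECT, TC_CLASSDESC, class name."""
    name = b"java.util.HashMap"
    return (JAVA_SERIAL_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + b"\x00" * 8)  # placeholder where serialVersionUID would follow


def constructed_requests() -> List[Tuple[str, str, bytes]]:
    """Four invented request bodies: one benign, three carrying the same stream in different encodings."""
    s = constructed_stream()
    return [
        ("POST", "/api/example", b'{"user":"alice","role":"viewer"}'),          # benign JSON
        ("POST", "/api/example", s),                                            # raw stream
        ("POST", "/api/example", b'{"data":"' + base64.b64encode(s) + b'"}'),   # base64 in JSON
        ("POST", "/api/example", b"payload=" + quote_from_bytes(s).encode()),   # form-encoded
    ]


if __name__ == "__main__":
    for method, path, body in constructed_requests():
        for f in scan_request(method, path, body):
            print(f"ALERT {f['method']} {f['path']} encoding={f['encoding']} class={f['class']}")
```

Two caveats apply. The header check is necessary but not sufficient: a Java application may legitimately exchange serialized objects with its own clients, so the class name and the endpoint matter more than the header alone. And an attacker can wrap the stream in encodings this scanner does not unpack (gzip, nested base64, chunked multipart), which is why, as the article says, restricting reachability of the management interface and patching are the controls, with detection as a backstop.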

This critical vulnerability was initially discovered during internal security testing conducted by Keane O’Kelley from the Cisco Advanced Security Initiatives Group.

However, the situation has recently escalated. Cisco updated its official advisory to confirm that its Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this flaw in the wild during March 2026.

Because this attack requires no user interaction and no prior authentication, systems with public-facing management interfaces face an extreme level of risk.

Cisco strongly advises that restricting the FMC management interface from public internet access will significantly reduce the exposed attack surface. However, it does not replace the immediate need for proper patching.

Mitigations

The vulnerability affects Cisco Secure FMC Software and the Cisco Security Cloud Control (SCC) Firewall Management platform, regardless of device configuration.

It is important to note that Cisco has confirmed that the Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software lines are not vulnerable to this specific issue.

For the SaaS-delivered SCC Firewall Management environments, Cisco has already deployed the necessary security fixes during routine maintenance, meaning no additional action is required for those cloud customers.

For on-premises deployments, however, there are no workarounds available to mitigate this threat. Organizations must immediately apply the official security updates provided by Cisco.

Administrators are urged to use the Cisco Software Checker tool to verify their exact software versions and upgrade their vulnerable systems without delay.

The post Cisco Secure Firewall Vulnerability Allows Remote Code Execution as Root User appeared first on Cyber Security News.

  • ✇Security Boulevard
  • Cisco Extends Security Reach to AI Agents Michael Vizard

Cisco Extends Security Reach to AI Agents

23 de Março de 2026, 09:40

Cisco today at the RSA Conference (RSAC) extended its cybersecurity portfolio to secure artificial intelligence (AI) agents while at the same time employing AI to automate security operations. At the core of that effort are extensions to the Cisco Duo identity and access management (IAM) platform that make it possible to discover them and apply..

The post Cisco Extends Security Reach to AI Agents appeared first on Security Boulevard.

  • ✇Malwarebytes
  • This is all it takes to stop a train (Lock and Code S07E06)

This is all it takes to stop a train (Lock and Code S07E06)

22 de Março de 2026, 19:02

This week on the Lock and Code podcast…

Forget the runaway train thrillingly shot in Buster Keaton’s 1926 film “The General,” and never mind the charging locomotive rescued by actors Denzel Washington and Chris Pine in the 2010 film “Unstoppable,” as there’s a far more frequent (and far less heart-pounding) railcar drama happening across California’s Bay Area: The repeated breakdown of the Bay Area Rapid Transit (BART) system, all because of a few networking errors.

Opened in 1972, BART today carries about 175,000 people every weekday on five separate lines to 50 different stations placed across dozens of cities in the Bay Area, including San Francisco, Oakland, Berkeley, Daly City, Fremont, Richmond, and more. Its tracks and railcars travel both above ground and below, and it is one of the only public transit systems in the US that goes underwater—traveling through what is called the TransBay tube. It is likely the region’s largest public project, spanning 131 miles of track, with a fleet of more than 700 cars, proving vital to workers and residents everywhere, and on May 9, 2025, it all came grinding to a halt, due to what BART officials called a “computer networking problem.”

At the Glen Park station in San Francisco, would-be travelers found yellow caution tape at the entry gates. At the El Cerrito Plaza station, BART staff and police informed visitors that the system was down. And at the Rockridge station in Oakland, a reporter for The San Francisco Chronicle witnessed a small group of people sprinting up the stairs to try and catch a train that never came.

It was the kind of meltdown for public infrastructure that puts an entire system in peril.

And it happened again just months later.

In September, a network crash brought BART to a halt, repeating almost the exact same frustrations and delays for travelers left without transportation to work.

That’s the end of it, right? Wrong. In February 2026, another computer failure caused another outage.

So, in one of the wealthiest regions in America, the subway doesn’t always run, its network is prone to crash, and any money for technology often goes elsewhere. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with San Francisco Chronicle transportation reporter Rachel Swan about what the BART outages revealed about the state of the system’s aging technology, why public infrastructure so often struggles to modernize, and what exactly went wrong in the three prior outages.

“One piece of equipment—and again, this is old equipment—one piece breaks down and they completely lose visibility, so they don’t know where any of the trains are.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.
