Networking giant Cisco has released 25 joint security advisories covering security patches for 48 vulnerabilities across its Secure Firewall Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Secure Firewall Threat Defense (FTD) software products.
The security advisories were published on March 4 and are included in a bundled publication.
The most critical flaws, CVE-2026-20079 and CVE-2026-20131, have a maximum severity (CVSS) rating of 10. Both affect Cisco Secure FMC software.
CVE-2026-20079 is an authentication bypass vulnerability. Due to an improper system process that is created at boot time, an attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. If the exploit is successful, the attacker could execute a variety of scripts and commands that allow root access to the device.
CVE-2026-20131 is a remote code execution (RCE) vulnerability. Due to insecure deserialization of a user-supplied Java byte stream, an attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. If the exploit is successful, the attacker could execute arbitrary code on the device and elevate privileges to root.
There are no workarounds to mitigate either vulnerability. Cisco urged customers to upgrade to the fixed software indicated in the advisory.
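For defenders reviewing captured or proxied requests to a Java-based web management interface, the sketch below flags bodies that carry a Java serialized object, the input class described for CVE-2026-20131. It is an added example, not taken from Cisco's advisory, and it is a generic indicator of Java serialization rather than a signature for this specific flaw; the function names and the sample requests are constructed for illustration.

```python
import base64
import gzip
import zlib

JAVA_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION of a Java object stream
JAVA_MAGIC_B64 = b"rO0AB"          # how that header begins once base64-encoded
JAVA_CTYPE = "application/x-java-serialized-object"


def inspect_request(headers: dict[str, str], body: bytes) -> list[str]:
    """Return the reasons a request body looks like a Java serialized object."""
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    reasons = []
    if JAVA_CTYPE in hdrs.get("content-type", ""):
        reasons.append("declared-content-type")
    # Look inside compressed bodies too; a body that claims gzip but fails to decode is itself odd.
    if "gzip" in hdrs.get("content-encoding", ""):
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            reasons.append("undecodable-gzip")
    if JAVA_MAGIC in body:
        reasons.append(f"raw-magic@{body.find(JAVA_MAGIC)}")
    if JAVA_MAGIC_B64 in body:
        reasons.append(f"base64-magic@{body.find(JAVA_MAGIC_B64)}")
    return reasons


# Constructed sample data: a harmless serialized java.lang.String ("hello").
BENIGN_OBJECT = JAVA_MAGIC + b"\x74\x00\x05hello"
SAMPLES = [
    ("json", {"Content-Type": "application/json"}, b'{"user":"admin"}'),
    ("raw", {"Content-Type": JAVA_CTYPE}, BENIGN_OBJECT),
    ("b64", {"Content-Type": "application/x-www-form-urlencoded"},
     b"state=" + base64.b64encode(BENIGN_OBJECT)),
    ("gzip", {"Content-Encoding": "gzip"}, gzip.compress(b"data=" + BENIGN_OBJECT)),
]


def scan(samples):
    """Map each sample name to the list of reasons it was flagged (empty = clean)."""
    return {name: inspect_request(h, b) for name, h, b in samples}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, reasons or "clean")
```

A hit only shows that serialized Java data reached the interface; whether that is expected depends on the application, so treat matches as leads for triage.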
The rest of the patched vulnerabilities consist of 15 high-severity flaws, with CVSS ratings from 7.2 to 8.6, and 31 medium-severity flaws, with CVSS ratings from 4.3 to 6.8.
