Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center
Summary
Cisco has disclosed and patched multiple critical vulnerabilities across its product portfolio, including a newly identified Integrated Management Controller (IMC) authentication bypass flaw (CVE-2026-20093) that allows unauthenticated attackers to gain Admin access to unpatched systems. Additionally, Cisco addressed a critical remote code execution (RCE) vulnerability in its Smart Software Manager On-Prem (SSM On-Prem) (CVE-2026-20160) that enables attackers to execute commands with root-level privileges. Earlier in March 2026, Cisco released security updates for two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: an authentication bypass flaw (CVE-2026-20079) granting root access and an RCE vulnerability (CVE-2026-20131) allowing arbitrary Java code execution. Notably, the Interlock ransomware gang exploited CVE-2026-20131 in zero-day attacks, prompting CISA to add it to its catalog of exploited vulnerabilities and mandate federal agencies to remediate within three days. Cisco also published a bundled set of 25 security advisories addressing 48 vulnerabilities across multiple enterprise networking products, including high-severity issues in ASA Firewall, Secure FMC, and Secure FTD appliances.
Timeline
-
02.04.2026 14:01 · 1 article
Cisco patches Integrated Management Controller authentication bypass flaw CVE-2026-20093
Cisco disclosed and patched CVE-2026-20093, an authentication bypass vulnerability in the password change functionality of the Integrated Management Controller (IMC). The flaw allows unauthenticated attackers to bypass authentication via crafted HTTP requests, change the password of any user (including Admin), and gain Admin access to unpatched systems. Cisco PSIRT has not observed in-the-wild exploitation or public PoC code and strongly recommends immediate patching, because no workarounds are available.
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
02.04.2026 14:01 · 1 article
Cisco patches critical Smart Software Manager On-Prem remote code execution flaw CVE-2026-20160
Cisco addressed CVE-2026-20160, a critical remote code execution vulnerability in Smart Software Manager On-Prem (SSM On-Prem). Attackers can exploit this flaw by sending crafted API requests to execute commands on the underlying operating system with root-level privileges. Cisco PSIRT has not detected active exploitation or PoC code and advises immediate patching, as no workarounds exist.
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
05.03.2026 10:50 · 3 articles
Cisco releases March 2026 bundled publication with 25 security advisories
Cisco released a March 2026 bundled publication containing 25 security advisories detailing vulnerabilities in enterprise networking products, including nine high-severity vulnerabilities in the ASA Firewall, Secure FMC, and Secure FTD appliances. The vulnerabilities could be exploited to conduct SQL injection attacks, cause denial-of-service (DoS) conditions, and read, create, or overwrite sensitive files. Cisco is not aware of any of these vulnerabilities being exploited in the wild. The security advisories were published on March 4 and cover 48 vulnerabilities in various enterprise networking products.
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
04.03.2026 21:12 · 4 articles
Cisco patches two maximum-severity vulnerabilities in Secure Firewall Management Center
The authentication bypass flaw (CVE-2026-20079) is due to an improperly configured system process created at boot time, which allows attackers to execute a variety of scripts and commands that grant root access to the device. The remote code execution (RCE) vulnerability (CVE-2026-20131) is due to insecure deserialization of a user-supplied Java byte stream, allowing attackers to execute arbitrary code on the device and elevate privileges to root. There are no workarounds to mitigate either vulnerability, and Cisco urged customers to upgrade to the fixed software indicated in the advisory. This phase is now expanded to note that CVE-2026-20131 was exploited by the Interlock ransomware gang in zero-day attacks and was added to CISA's catalog of exploited vulnerabilities.
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
15.08.2025 09:49 · 3 articles
Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center Disclosed
Cisco has disclosed and patched a critical vulnerability in the RADIUS subsystem of Secure Firewall Management Center (FMC) Software. The flaw, CVE-2025-20265, allows unauthenticated, remote attackers to execute arbitrary shell commands on affected systems. The issue affects FMC Software versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled for web-based management or SSH. Successful exploitation can lead to high-privilege command execution. The flaw was discovered by Brandon Sakai during internal security testing. This phase is expanded to include a brief note about the evolution of Cisco’s vulnerability landscape in early 2026 and the subsequent expansion of high-severity issue disclosures.
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution — thehackernews.com — 15.08.2025 09:49
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
Information Snippets
-
The vulnerability, CVE-2025-20265, affects the RADIUS subsystem in Cisco Secure Firewall Management Center (FMC) Software.
First reported: 15.08.2025 09:49 · 3 sources, 3 articles
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution — thehackernews.com — 15.08.2025 09:49
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
The flaw allows unauthenticated, remote attackers to execute arbitrary shell commands on affected systems.
First reported: 15.08.2025 09:49 · 3 sources, 3 articles
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution — thehackernews.com — 15.08.2025 09:49
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
The issue stems from improper handling of user input during the authentication phase.
First reported: 15.08.2025 09:49 · 2 sources, 2 articles
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution — thehackernews.com — 15.08.2025 09:49
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
Affected versions are FMC Software 7.0.7 and 7.7.0 with RADIUS authentication enabled for web-based management or SSH.
First reported: 15.08.2025 09:49 · 3 sources, 3 articles
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution — thehackernews.com — 15.08.2025 09:49
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
Successful exploitation can lead to high-privilege command execution.
First reported: 15.08.2025 09:49 · 3 sources, 3 articles
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution — thehackernews.com — 15.08.2025 09:49
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
No workarounds exist; applying the patches is the only solution.
First reported: 15.08.2025 09:49 · 2 sources, 2 articles
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution — thehackernews.com — 15.08.2025 09:49
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
The flaw was discovered by Brandon Sakai during internal security testing.
First reported: 15.08.2025 09:49 · 1 source, 1 article
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution — thehackernews.com — 15.08.2025 09:49
-
Cisco has also resolved several high-severity bugs in various products, including Cisco Secure Firewall Threat Defense Software and Cisco IOS.
First reported: 15.08.2025 09:49 · 2 sources, 2 articles
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution — thehackernews.com — 15.08.2025 09:49
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
-
Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software.
First reported: 04.03.2026 21:12 · 3 sources, 3 articles
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
The authentication bypass flaw (CVE-2026-20079) allows attackers to gain root access to the underlying operating system.
First reported: 04.03.2026 21:12 · 3 sources, 3 articles
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
The remote code execution (RCE) vulnerability (CVE-2026-20131) lets attackers execute arbitrary Java code as root on unpatched devices.
First reported: 04.03.2026 21:12 · 3 sources, 3 articles
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management.
First reported: 04.03.2026 21:12 · 2 sources, 2 articles
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
Cisco's Product Security Incident Response Team (PSIRT) has no evidence that the two security flaws are exploited in attacks or that proof-of-concept (PoC) exploit code has been published online.
First reported: 04.03.2026 21:12 · 3 sources, 3 articles
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
Cisco has also patched 25 other security vulnerabilities, including seven high-severity security flaws in Secure FMC, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense software.
First reported: 04.03.2026 21:12 · 2 sources, 2 articles
- Cisco warns of max severity Secure FMC flaws giving root access — www.bleepingcomputer.com — 04.03.2026 21:12
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
Cisco released a March 2026 bundled publication containing 25 security advisories detailing vulnerabilities in enterprise networking products.
First reported: 05.03.2026 10:50 · 2 sources, 2 articles
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
CVE-2026-20079 is described as an authentication bypass in the web interface of Cisco Secure FMC software, allowing attackers to execute arbitrary scripts and gain root access.
First reported: 05.03.2026 10:50 · 2 sources, 2 articles
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
CVE-2026-20131 is a critical issue in the web interface of Secure FMC, allowing attackers to execute Java code with root privileges due to insecure deserialization of user-supplied Java byte streams.
First reported: 05.03.2026 10:50 · 2 sources, 2 articles
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
Cisco also announced fixes for nine high-severity vulnerabilities in the ASA Firewall, Secure FMC, and Secure FTD appliances, which could be exploited to conduct SQL injection attacks, cause denial-of-service (DoS) conditions, and read, create, or overwrite sensitive files.
First reported: 05.03.2026 10:50 · 2 sources, 2 articles
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
Cisco is not aware of any of these vulnerabilities being exploited in the wild.
First reported: 05.03.2026 10:50 · 2 sources, 2 articles
- Cisco Patches Critical Vulnerabilities in Enterprise Networking Products — www.securityweek.com — 05.03.2026 10:50
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
Cisco has released 25 joint security advisories covering security patches for 48 vulnerabilities in its Secure Firewall Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Secure Firewall Threat Defense (FTD) software products.
First reported: 05.03.2026 12:30 · 1 source, 1 article
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
The security advisories were published on March 4 and are included in a bundled publication.
First reported: 05.03.2026 12:30 · 1 source, 1 article
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
CVE-2026-20079 is an authentication bypass vulnerability due to an improperly configured system process created at boot time, which allows attackers to execute a variety of scripts and commands that grant root access to the device.
First reported: 05.03.2026 12:30 · 1 source, 1 article
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
CVE-2026-20131 is a remote code execution (RCE) vulnerability due to insecure deserialization of a user-supplied Java byte stream, allowing attackers to execute arbitrary code on the device and elevate privileges to root.
First reported: 05.03.2026 12:30 · 1 source, 1 article
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
There are no workarounds to mitigate either vulnerability, and Cisco urged customers to upgrade to the fixed software indicated in the advisory.
First reported: 05.03.2026 12:30 · 1 source, 1 article
- Cisco Issues Patches for 48 Vulnerabilities in Enterprise Networking Products — www.infosecurity-magazine.com — 05.03.2026 12:30
-
Cisco released security updates to address an Integrated Management Controller (IMC) authentication bypass vulnerability (CVE-2026-20093) allowing unauthenticated attackers to bypass authentication and gain Admin access to unpatched systems via crafted HTTP requests.
First reported: 02.04.2026 14:01 · 1 source, 1 article
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
The IMC vulnerability (CVE-2026-20093) stems from incorrect handling of password change requests in the Cisco IMC password change functionality.
First reported: 02.04.2026 14:01 · 1 source, 1 article
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
Successful exploitation of CVE-2026-20093 allows attackers to alter passwords of any user, including Admin users, and gain access to the system as that user.
First reported: 02.04.2026 14:01 · 1 source, 1 article
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
Cisco's Product Security Incident Response Team (PSIRT) has not found evidence of in-the-wild exploitation or proof-of-concept exploit code for CVE-2026-20093, and recommends immediate patching because no workarounds are available.
First reported: 02.04.2026 14:01 · 1 source, 1 article
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
Cisco also released patches for a critical Smart Software Manager On-Prem (SSM On-Prem) vulnerability (CVE-2026-20160) enabling unauthenticated attackers to gain remote code execution (RCE) on vulnerable hosts with root-level privileges.
First reported: 02.04.2026 14:01 · 1 source, 1 article
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
Attackers can exploit CVE-2026-20160 by sending a crafted request to the exposed API of SSM On-Prem, allowing command execution on the underlying operating system.
First reported: 02.04.2026 14:01 · 1 source, 1 article
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
-
CVE-2026-20131, a remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC), was exploited by the Interlock ransomware gang in zero-day attacks earlier in the month.
First reported: 02.04.2026 14:01 · 1 source, 1 article
- Critical Cisco IMC auth bypass gives attackers Admin access — www.bleepingcomputer.com — 02.04.2026 14:01
Similar Happenings
DNS Exfiltration in AWS Bedrock Code Interpreter
Security researchers and BeyondTrust demonstrated a DNS-based data exfiltration method in AWS Bedrock AgentCore Code Interpreter's sandbox mode, allowing attackers to establish bidirectional command-and-control channels, obtain interactive reverse shells, and exfiltrate sensitive data via DNS queries despite network isolation restrictions. The technique leverages malicious instructions embedded in files and requires overly permissive IAM roles to access AWS resources such as S3 buckets. AWS confirmed the behavior as intended functionality and updated documentation, recommending migration from sandbox mode to VPC mode for sensitive workloads. BeyondTrust assigned a CVSS score of 7.5 to the issue. The findings highlight architectural challenges in sandbox isolation and underscore the risks of overprivileged IAM roles in AI code execution environments.
Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023
A critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been actively exploited in zero-day attacks since at least 2023. The flaw allows remote attackers to compromise controllers and add malicious rogue peers to targeted networks. The vulnerability stems from a peering authentication mechanism that does not work properly, enabling attackers to log in as high-privileged users and manipulate network configurations. Cisco has released specific software updates to address the issue, and CISA has issued an emergency directive requiring federal agencies to patch affected systems by February 27, 2026. Attackers have been found to leverage the built-in update mechanism to stage a software version downgrade and escalate to the root user by exploiting CVE-2022-20775, and have taken steps to clear evidence of the intrusion by purging logs and command history. Additionally, Cisco has flagged two more Catalyst SD-WAN Manager security flaws (CVE-2026-20128 and CVE-2026-20122) as actively exploited in the wild, urging administrators to upgrade vulnerable devices. CVE-2026-20128 is an information disclosure issue affecting the Data Collection Agent (DCA) feature, allowing an authenticated, local attacker to gain DCA user privileges. CVE-2026-20122 is an arbitrary file overwrite bug affecting the API, allowing a remote, authenticated attacker to overwrite arbitrary files and gain elevated privileges. Cisco Talos has linked the attacks exploiting CVE-2026-20127 to UAT-8616, a highly sophisticated threat actor active since at least 2023. Cisco has also released updates to address two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software: CVE-2026-20079 and CVE-2026-20131.
Unauthenticated Remote Code Execution in Grandstream GXP1600 VoIP Phones
A critical vulnerability (CVE-2026-2329) in Grandstream GXP1600 series VoIP phones allows unauthenticated remote code execution (RCE) with root privileges. The flaw, a stack-based buffer overflow, stems from the device's web-based API service. The vulnerability affects multiple GXP1600 models and has been addressed in firmware version 1.0.7.81. Exploiting this flaw could enable attackers to extract stored credentials, intercept phone calls, and eavesdrop on VoIP conversations. The issue was discovered by Rapid7 researcher Stephen Fewer and demonstrated via a Metasploit exploit module. The exploitation process involves writing multiple null bytes to construct a return-oriented programming (ROP) chain, allowing attackers to silently eavesdrop on communications.
Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA
BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted the financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada.
The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT have been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, have been exfiltrated to an external server. CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could be a target for sophisticated threat actors, similar to CVE-2024-12356 which was exploited by China-nexus threat actors like Silk Typhoon. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.
CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
CISA added the stored cross-site scripting (XSS) vulnerability CVE-2025-66376 in Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog on March 18, 2026. The flaw, patched in early November 2025, allows unauthenticated attackers to execute arbitrary JavaScript via malicious HTML emails, enabling session hijacking and data theft in compromised Zimbra environments. CISA ordered U.S. federal agencies to patch the flaw by April 1, 2026 under BOD 22-01 and encouraged all organizations to apply mitigations promptly. Russian state-sponsored threat group APT28 (Fancy Bear, Strontium), linked to Russia's military intelligence service (GRU), is actively exploiting CVE-2025-66376 in attacks targeting Ukrainian government entities, including the Ukrainian State Hydrology Agency, as part of a phishing campaign codenamed Operation GhostMail. The attack chain relies on malicious HTML email bodies with obfuscated JavaScript payloads that execute silently in vulnerable Zimbra webmail sessions to harvest credentials, session tokens, 2FA codes, saved passwords, and mailbox contents dating back 90 days, with data exfiltrated over DNS and HTTPS. This exploitation follows prior Russian campaigns against Zimbra infrastructure, including operations by Winter Vivern (since February 2023) and APT29 (Cozy Bear, Midnight Blizzard) in October 2024.