Command Injection Vulnerability in Cisco FXOS and UCS Manager Software
CVE-2026-20099

6.7MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Firepower Extensible Operating System (fxos); Cisco Secure Firewall Adaptive Security Appliance (asa) Software; Cisco Unified Computing System (managed)
Vendor: CVE Published:; 25 February 2026

Badges

👾 Exploit Exists

What is CVE-2026-20099?

A serious command injection vulnerability exists in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software. This security flaw allows an authenticated local attacker with administrative privileges to execute arbitrary commands on the device's underlying operating system. The vulnerability arises from inadequate input validation of user-supplied command arguments. By exploiting this issue, an attacker could escalate their privileges to root, compromising the entire system. It is crucial for administrators to promptly apply appropriate security measures to mitigate this risk.

Affected Version(s)

Cisco Firepower Extensible Operating System (FXOS) 2.3.1.99

Cisco Firepower Extensible Operating System (FXOS) 2.3.1.56

Cisco Firepower Extensible Operating System (FXOS) 2.3.1.110

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Feb 25, 2026
Vulnerability published
Feb 25, 2026
Vulnerability Reserved
Oct 8, 2025

CVE-2026-20099 Data

JSON