What is CVE-2026-20099?

CVE-2026-20099 is a medium-severity vulnerability in Cisco Firepower Extensible Operating System (Fxos), classified under OS Command Injection. CVSS score: 6.7/10. Published 2026-02-25.

How severe is CVE-2026-20099?

Medium severity. CVSS v3 base score is 6.7 out of 10.

RCE in Cisco Firepower Extensible Operating System (Fxos)

CVE-2026-20099

A vulnerability in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker with administrative privileges to perform command injection attacks on an affecte…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.001 (17.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.7 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Cisco Firepower Extensible Operating System (Fxos) — versions 2.3.1.99, 2.3.1.56, 2.3.1.110
Cisco Secure Firewall Adaptive Security Appliance (Asa) Software — versions 9.12.2, 9.12.1, 9.12.3
Cisco Unified Computing System (Managed) — versions 4.0(4h), 4.1(1a), 4.0(1c)

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

cisco-sa-ucsciv-wGYtC78q

Frequently asked questions

What is CVE-2026-20099?: CVE-2026-20099 is a medium-severity vulnerability in Cisco Firepower Extensible Operating System (Fxos), classified under OS Command Injection. CVSS score: 6.7/10. Published 2026-02-25.
How severe is CVE-2026-20099?: Medium severity. CVSS v3 base score is 6.7 out of 10.