CVE-2026-20099 — OS Command Injection in Cisco Firepower Extensible Operating System

CWE-78 — OS Command Injection4 documents4 sources

Severity

6.7MEDIUMNVD

EPSS

0.1%

top 80.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco Firepower Extensible Operating System Cisco Secure Firewall Adaptive Security Appliance Software Cisco Unified Computing System

Timeline

PublishedFeb 25

Description

A vulnerability in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker with administrative privileges to perform command injection attacks on an affected system and elevate privileges to root. This vulnerability is due to insufficient input validation of command arguments supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected co…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5cisco/cisco_firepower_extensible_operating_system83 versions+82

▶CVEListV5cisco/cisco_unified_computing_system87 versions+86

▶CVEListV5cisco/cisco_secure_firewall_adaptive_security_appliance_software135 versions+134

🔴Vulnerability Details

CVEList

Cisco UCS Manager and FXOS Software Command Injection Vulnerability↗2026-02-25

▶

GHSA

GHSA-687g-rcf9-r6r3: A vulnerability in the web-based management interface of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attack↗2026-02-25

▶

📋Vendor Advisories

Cisco

Cisco FXOS and UCS Manager Software Command Injection Vulnerability↗2026-02-25

▶