Intelligence Brief, March 4, 2026
CVE-2026-20131

Cisco Secure Firewall Management Center — RCE

CVSS 10.0 CRITICAL | KEV CONFIRMED
EPSS probability: 100.0%

CVE-2026-20131 Intelligence Brief

Overview

CVE-2026-20131 is a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) Software affecting version 6.4.0.13 and potentially other releases. The vulnerability stems from insecure deserialization of untrusted Java objects within the web-based management interface, enabling unauthenticated attackers to execute arbitrary code with root privileges on affected devices.

Cisco documented the vulnerability in a security advisory. It has been exploited in the wild since at least March 19, 2026, including in Interlock ransomware campaigns against enterprise firewall infrastructure, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

Technical Details

The flaw is an instance of CWE-502 (Deserialization of Untrusted Data). The web-based management interface accepts a Java serialized object stream from an unauthenticated remote client and hands it to a deserialization handler that does not restrict which classes may be instantiated. An attacker can therefore craft a byte stream that, when reconstructed, instantiates arbitrary classes on the application's classpath with attacker-controlled field values.

Exploitation needs only network access to the FMC management interface; no credentials are required. Code execution comes from a gadget chain: classes already present in the application's libraries whose deserialization callbacks and reflective method invocations can be linked so that reconstructing the attacker's object graph ends in running an attacker-chosen command. Because that command runs as root, success means complete compromise of the appliance, including the ability to persist.

Why This Matters

The vulnerability carries a CVSS 3.1 base score of 10.0 and a RiskScore of 94/100. FMC is the centralized management platform for an enterprise's Cisco firewall estate, so compromising it lets an attacker alter policy on the managed firewalls and move laterally across the security infrastructure itself. Active ransomware exploitation and an unauthenticated, network-reachable attack vector mean that any FMC management interface exposed to the internet should be treated as an immediate threat.

Remediation

Apply the fixed release identified in Cisco's advisory immediately. The FMC management interface should never be reachable from the public internet; restrict it to dedicated administrative networks or a jump host. Monitor requests to the management interface for Java serialization streams (a raw stream begins with the bytes AC ED 00 05; a base64-encoded one begins with rO0AB) and treat any such submission from an unauthenticated client as suspicious. For U.S. federal civilian agencies, BOD 22-01 requires remediation by the due date in the KEV entry; CISA's standard guidance for KEV entries is to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
