Cisco Secure Firewall Management Center Insecure Deserialization Vulnerability

CVE-2026-20131 is a critical remote code execution vulnerability affecting Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control Firewall Management. Cisco assigns a CVSS v3.1 score of 10.0 and attributes the issue to insecure deserialization of user-supplied Java objects in the web-based management interface. An unauthenticated remote attacker can exploit this flaw to execute arbitrary code as root. Cisco and multiple security reports confirm that this vulnerability has been exploited in the wild, including in ransomware campaigns.

Technical Details

Cisco describes CVE-2026-20131 as a vulnerability in the web-based management interface caused by unsafe deserialization of user-controlled Java data.

The vulnerability does not require authentication or user interaction. An attacker can send a crafted HTTP request containing a malicious serialized Java object to the FMC interface. When processed, the application deserializes the object without proper validation, resulting in arbitrary Java code execution with root privileges.

The vulnerability affects Cisco Secure FMC Software and Cisco Security Cloud Control Firewall Management regardless of configuration. Cisco notes that limiting exposure of the management interface reduces attack surface but does not eliminate risk.

Because FMC serves as the centralized management plane for firewall policy and visibility, successful exploitation can allow attackers to execute commands as root and potentially impact firewall operations, configurations, and access control across the environment.

Stop Guessing, Start Proving

NodeZero® Proactive Security Platform — Rapid Response

The Rapid Response test in NodeZero is designed to help security teams answer the question that matters most: is this actually exploitable in our environment? For CVE-2026-20131, the test can be used to validate exposure before remediation and confirm the issue is no longer exploitable after the fix is applied.

• Run the Rapid Response test
  Use NodeZero to verify whether Cisco FMC instances are susceptible to unauthenticated remote code execution.
• Patch immediately
  Cisco has released software updates to address this vulnerability. Organizations should upgrade to the fixed versions identified in Cisco’s advisory. Cisco states that no workarounds are available.
• Re-run the Rapid Response test
  After patching, re-test to confirm the vulnerability is no longer exploitable and that remediation was effective.

Indicators of Compromise

Cisco has not published a detailed list of indicators such as attacker IP addresses, file hashes, or filenames for CVE-2026-20131.

However, based on observed exploitation and reported attack activity, defenders should monitor for:

• Unexpected or suspicious HTTP requests to the FMC web interface, particularly those containing serialized payloads
• Outbound connections initiated from the FMC appliance to unknown or untrusted external systems
• Execution of unexpected processes or commands on the FMC system
• Unexplained changes to firewall configurations, policies, or administrative settings
• Evidence of persistence mechanisms or unauthorized access originating from the FMC host
• Public reporting linked exploitation of this vulnerability to ransomware campaigns, indicating that attackers may use initial access to establish persistence and move laterally.

Affected versions & patch

Affected:

• Cisco Secure Firewall Management Center (FMC) Software
• Cisco Security Cloud Control Firewall Management

Patch:

Cisco has released software updates to remediate this vulnerability. Customers should use Cisco’s Software Checker and advisory to identify the appropriate fixed release for their deployment.

Cisco states that there are no workarounds available for this vulnerability.

For Cisco Security Cloud Control Firewall Management, updates are applied by Cisco as part of standard SaaS maintenance.

Timeline

• March 4, 2026: Cisco published its security advisory and released patches for CVE-2026-20131.
• March 18, 2026: AWS threat intelligence reported exploitation of CVE-2026-20131 in ransomware activity.
• March 19, 2026: Cisco updated its advisory to include evidence of in-the-wild exploitation.
• March 19, 2026: CISA added CVE-2026-20131 to the Known Exploited Vulnerabilities (KEV) catalog.
• March 22, 2026: Deadline issued for U.S. federal agencies to remediate or discontinue use of affected systems.

References

• Cisco Security Advisory — Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability
• CVE Record — CVE-2026-20131
• CISA KEV Catalog — Known Exploited Vulnerabilities Catalog
• AWS Security Blog — Interlock ransomware campaign targeting enterprise firewalls
• SecurityWeek — Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks
• BleepingComputer — CISA orders feds to patch max-severity Cisco flaw by Sunday