PT-2026-22984 · Cisco · Cisco Secure Firewall Management Center

Keane Okelley · Published 2026-03-04 · Updated 2026-06-03 · CVE-2026-20131

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cisco Secure Firewall Management Center (FMC) (affected versions not specified); Cisco Security Cloud Control (SCC) Firewall Management (affected versions not specified)
Description: A flaw in the web-based management interface of the software allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges. The root cause is insecure deserialization of a user-supplied Java byte stream: an attacker who sends a crafted serialized Java object to the management interface achieves remote code execution and, because the deserializing process runs as root, privilege escalation. The Interlock ransomware group exploited this as a zero-day starting January 26, 2026, approximately 36 to 38 days before a patch was released. Post-compromise activity included deploying ScreenConnect for persistent access and running PowerShell scripts to harvest software inventories, running services, browser credentials, and network connections. The attack surface is reduced if the management interface is not reachable from the public internet.
Recommendations: Apply the patch released on March 4, 2026. Restrict public internet access to the management interface to reduce the attack surface. Monitor logs for anomalous HTTP requests to the management interface dating back to January 26, 2026, the earliest known date of exploitation.
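The following is an added triage script illustrating the log-review recommendation above; it is not part of the advisory and is not Cisco's or the tracker's code. It assumes a generic combined-log-style access log with the request content type and a short body prefix appended (FMC's real log layout is not given here), treats a constructed set of "internal" address ranges as non-public, and uses placeholder paths. The only non-assumed fact it relies on is that every Java serialization stream begins with the magic bytes AC ED 00 05 (base64 prefix "rO0AB"). It flags requests on or after the advisory's hunt start date that carry a Java serialized payload or originate from a public address.

```python
"""Added example (not from the advisory or from Cisco): triage of web-server
access logs for the hunt the advisory recommends.  Log format, paths and the
list of internal address ranges are assumptions chosen for illustration."""
import ipaddress
import re
from datetime import date, datetime

# Hunt window starts at the earliest known exploitation date given in the advisory.
HUNT_START = date(2026, 1, 26)

# Indicators that an HTTP request carried a Java serialized object.  The stream
# magic (0xAC 0xED 0x00 0x05) is a fixed property of the Java serialization
# format; its base64 form begins "rO0AB".  The content type is the conventional one.
JAVA_SERIAL_INDICATORS = (
    "application/x-java-serialized-object",
    "rO0AB",
    "aced0005",
)

# Assumed set of address ranges considered "internal"; anything else is treated
# as public.  (Deliberately not ipaddress.is_global, which also classifies the
# RFC 5737 documentation ranges used in the sample below as non-global.)
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample log lines (combined-log style with content type and a
# short body prefix appended).  Addresses are RFC 5737 documentation ranges;
# paths are placeholders, not real FMC endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2026:22:14:03 +0000] "POST /mgmt/login HTTP/1.1" 200 512 "application/x-www-form-urlencoded" "username=admin"
198.51.100.23 - - [27/Jan/2026:03:41:55 +0000] "POST /mgmt/example HTTP/1.1" 500 0 "application/x-java-serialized-object" "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA"
10.20.30.40 - - [28/Jan/2026:09:02:10 +0000] "GET /mgmt/login HTTP/1.1" 200 8731 "text/html" ""
198.51.100.23 - - [28/Jan/2026:03:42:01 +0000] "POST /mgmt/example HTTP/1.1" 200 37 "application/octet-stream" "aced0005737200"
192.0.2.55 - - [01/Mar/2026:11:00:00 +0000] "POST /mgmt/config HTTP/1.1" 401 0 "application/json" "{}"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<ctype>[^"]*)" "(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_public(ip_text):
    """True if the source address is outside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage(rec):
    """Return the reasons a request deserves review (empty list if none)."""
    reasons = []
    if rec["ts"].date() < HUNT_START:
        return reasons  # outside the hunt window the advisory gives
    haystack = (rec["ctype"] + " " + rec["body"]).lower()
    if any(ind.lower() in haystack for ind in JAVA_SERIAL_INDICATORS):
        reasons.append("java-serialized-payload")
    if is_public(rec["src"]):
        reasons.append("public-source-ip")
    return reasons


def hunt(log_text):
    """Parse a log and return (src, path, reasons) for every flagged request, in order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = triage(rec)
        if reasons:
            findings.append((rec["src"], rec["path"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for src, path, reasons in hunt(SAMPLE_LOG):
        print(f"{src} {path} -> {', '.join(reasons)}")
```

A request matching "java-serialized-payload" is the strong signal; "public-source-ip" on its own mainly confirms that the interface is reachable from the internet, which the advisory's second recommendation says it should not be. Adapt the regex and the internal ranges to the real log source and network before running this against production data.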

Tags: Fix · RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: BDU:2026-02531, CVE-2026-20131

Affected Products: Cisco Secure Firewall Management Center