PT-2026-22984 · Cisco · Cisco Secure Firewall Management Center

Keane Okelley · Published 2026-03-04 · Updated 2026-04-17 · CVE-2026-20131

CVSS v3.1: 10 (Critical), AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cisco Secure Firewall Management Center (FMC) Software versions prior to the fix released on March 4, 2026.

Description

A critical vulnerability exists in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software. The flaw, identified as CVE-2026-20131, is due to insecure deserialization of user-supplied Java byte streams and allows an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. The Interlock ransomware group actively exploited this vulnerability for 36 days before Cisco's public disclosure. Attackers deployed ScreenConnect for persistent remote access, ran PowerShell reconnaissance scripts, and exfiltrated data. Exploitation in the wild has impacted organizations across various sectors. The vulnerability is rated with a CVSS score of 10.0.

Recommendations

Apply the security updates released by Cisco on March 4, 2026, to address this vulnerability. Restrict access to the web management interface to a trusted network segment. Audit FMC access logs for anomalous activity dating back to January 26, 2026. Rotate all credentials stored on the FMC.
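
A starting point for the log audit and the network-restriction check recommended above, as an added example that is not part of the original advisory or Cisco's tooling. It assumes the web access log has been exported in an Apache combined-log-style format (the advisory does not specify the FMC log format); the trusted subnet, sample lines and paths are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Start of the audit window given in the recommendations above.
AUDIT_START = datetime(2026, 1, 26, tzinfo=timezone.utc)
# Assumption: the management segment allowed to reach the web interface (constructed).
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24")]
# Assumption: Apache combined-log-style lines; adapt the pattern to the real export.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def audit(lines, trusted=TRUSTED_NETS, start=AUDIT_START):
    """Return (findings, unparsed): in-window requests from sources outside
    the trusted segment, plus lines that could not be parsed (review by hand)."""
    findings, unparsed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            unparsed.append(line)  # malformed timestamp or address
            continue
        if ts < start or any(src in net for net in trusted):
            continue  # outside the audit window, or from the management segment
        findings.append({"time": ts.isoformat(), "src": str(src),
                         "method": m["method"], "path": m["path"],
                         "status": int(m["status"])})
    return findings, unparsed

# Constructed sample lines (documentation address ranges, placeholder paths).
SAMPLE = [
    '10.20.30.5 - - [02/Feb/2026:09:14:01 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [03/Feb/2026:02:41:55 +0000] "POST /example HTTP/1.1" 200 312',
    '203.0.113.7 - - [20/Jan/2026:11:00:00 +0000] "GET / HTTP/1.1" 200 5120',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    hits, bad = audit(SAMPLE)
    for h in hits:
        print(h)
    print(f"{len(bad)} unparsed line(s) need manual review")
```

Any finding means the management interface was reachable from outside the trusted segment during the exploitation window and the request should be investigated; unparsed lines are returned rather than dropped so that malformed entries are not silently skipped.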

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2026-02531
CVE-2026-20131

Affected Products

Cisco Secure Firewall Management Center