PT-2026-22984 · Cisco · Cisco Secure Firewall Management Center

Keane Okelley · Published 2026-03-04 · Updated 2026-05-18 · CVE-2026-20131

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cisco Secure Firewall Management Center (FMC) (affected versions not specified); Cisco Security Cloud Control (SCC) Firewall Management (affected versions not specified)

Description: A flaw in the web-based management interface of Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) Firewall Management allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges. The root cause is insecure deserialization of a user-supplied Java byte stream: the management interface deserializes a specially crafted serialized Java object sent by the attacker, which yields control of the device. The flaw was exploited as a zero-day by the Interlock ransomware group starting January 26, 2026, approximately 36 to 38 days before a patch was released. After successful exploitation, the attackers deployed ScreenConnect for persistent access and used PowerShell scripts to harvest software inventories, running services, browser credentials, and network connections before exfiltrating the data.

Recommendations: Apply the patch released on March 4, 2026. Restrict public internet access to the FMC management interface to reduce the attack surface. Review logs for anomalous HTTP requests to the management interface dating back to January 26, 2026.
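As an added illustration of the log-review recommendation (this is example code, not part of the advisory and not Cisco's tooling): a Python scan over constructed reverse-proxy records that flags requests to the management interface whose body carries a Java serialization stream header, raw or base64-encoded, from the advisory's exploitation start date onward. The record format, the request path, the source addresses and the sample bodies are all assumptions constructed for the example; only the date and the Java stream-header constants are fixed facts.

```python
import base64
from datetime import datetime, timezone

# Java serialization stream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes base64-encode to "rO0ABQ=="; the first five characters are stable.
JAVA_STREAM_MAGIC_B64 = b"rO0AB"
# Earliest known exploitation date from the advisory (January 26, 2026).
EXPLOITATION_START = datetime(2026, 1, 26, tzinfo=timezone.utc)


def looks_like_java_stream(body: bytes) -> bool:
    """True if the body contains a raw or base64-encoded Java serialization header.

    The header is matched anywhere in the body (not only at offset 0) so that a
    serialized object wrapped in a form field or JSON string is still noticed.
    """
    return JAVA_STREAM_MAGIC in body or JAVA_STREAM_MAGIC_B64 in body


def scan_proxy_records(records, since: datetime = EXPLOITATION_START):
    """Return findings for requests on/after `since` that look like Java object uploads.

    Each record is an assumed reverse-proxy export with keys:
    ts (ISO 8601), src, method, path, content_type, body_b64 (base64 of the raw body).
    """
    findings = []
    for rec in records:
        ts = datetime.fromisoformat(rec["ts"])
        if ts < since:
            continue  # outside the review window named in the advisory
        body = base64.b64decode(rec.get("body_b64", ""))
        reasons = []
        ctype = rec.get("content_type", "").lower()
        if ctype.startswith("application/x-java-serialized-object"):
            reasons.append("java-serialized content type")
        if looks_like_java_stream(body):
            reasons.append("java stream header in body")
        if reasons:
            findings.append({
                "ts": rec["ts"],
                "src": rec.get("src"),
                "request": f'{rec.get("method")} {rec.get("path")}',
                "reasons": reasons,
            })
    return findings


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sample records (hypothetical path and RFC 5737 documentation addresses).
SAMPLE_RECORDS = [
    # Before the review window: skipped even though the body is a Java stream header.
    {"ts": "2026-01-20T08:00:00+00:00", "src": "192.0.2.10", "method": "POST",
     "path": "/api/example", "content_type": "application/octet-stream",
     "body_b64": _b64(JAVA_STREAM_MAGIC + b"\x00" * 8)},
    # Ordinary JSON request: no finding.
    {"ts": "2026-01-27T09:00:00+00:00", "src": "198.51.100.7", "method": "POST",
     "path": "/api/example", "content_type": "application/json",
     "body_b64": _b64(b'{"user": "admin"}')},
    # Raw Java stream header with the matching content type: two reasons.
    {"ts": "2026-01-27T10:15:00+00:00", "src": "203.0.113.5", "method": "POST",
     "path": "/api/example", "content_type": "application/x-java-serialized-object",
     "body_b64": _b64(JAVA_STREAM_MAGIC + b"\x00" * 8)},
    # Base64-encoded stream header hidden inside a form field: one reason.
    {"ts": "2026-02-02T03:41:09+00:00", "src": "203.0.113.5", "method": "POST",
     "path": "/api/example", "content_type": "application/x-www-form-urlencoded",
     "body_b64": _b64(b"payload=rO0ABXNyAA==")},
]

if __name__ == "__main__":
    for finding in scan_proxy_records(SAMPLE_RECORDS):
        print(finding)
```

The content-type check and the body check are kept separate because either alone is a useful signal: a client can omit or lie about the content type, and a serialized object can be tunnelled inside a text field. Feed the function your own proxy or WAF export after mapping its fields to the assumed keys.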

Fix · RCE

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers
BDU:2026-02531
CVE-2026-20131

Affected Products
Cisco Secure Firewall Management Center