Cyber Posture

CVE-2026-20131

Critical · CISA KEV · Active Exploitation · Ransomware-linked · RCE

Published: 04 March 2026
Modified: 25 March 2026
KEV Added: 19 March 2026
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0172 (82.6th percentile)
Risk Priority: 41 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20131 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Cisco Secure Firewall Management Center. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

- SI-2 Flaw Remediation (prevent): Directly mitigates the CVE by identifying, prioritizing, and applying vendor patches to remediate the insecure deserialization flaw.
- SI-10 Information Input Validation (prevent): Validates user-supplied Java byte streams at the web interface to block crafted serialized objects that enable arbitrary code execution.
- Network boundary enforcement (prevent): Enforces network boundaries to restrict remote access to the web management interface, reducing the unauthenticated attack surface, especially exposure to the public internet.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote code execution via insecure deserialization in the web-based management interface of a network device directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.

Deeper analysis (AI)

CVE-2026-20131 is a critical vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, stemming from insecure deserialization of a user-supplied Java byte stream. It enables an unauthenticated, remote attacker to execute arbitrary Java code with root privileges on affected devices. The issue carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is classified under CWE-502 (Deserialization of Untrusted Data). The vulnerability was published on 2026-03-04.

An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface. Successful exploitation allows the attacker to execute arbitrary code on the device and elevate privileges to root. The attack surface is reduced if the FMC management interface lacks public internet access.

The Cisco Security Advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh) details affected versions and available patches. CISA has added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131), indicating active exploitation.

Amazon Threat Intelligence has identified an Interlock ransomware campaign targeting enterprise firewalls, as described in the AWS Security Blog (https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/), underscoring the real-world exploitation risk.

Details

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 19 March 2026

Affected Products

Cisco Secure Firewall Management Center, versions 10.0.0, 6.4.0.13, 6.4.0.14, 6.4.0.15, 6.4.0.16

Threat-Actor Attribution (AI)

Interlock
Amazon Threat Intelligence linked the Interlock ransomware campaign to exploitation of this Cisco FMC RCE against enterprise firewalls (AWS Security Blog, CISA KEV).

CVEs Like This One

- CVE-2025-20265: same product (Cisco Secure Firewall Management Center)
- CVE-2025-20337: same vendor (Cisco); both on KEV
- CVE-2026-20127: same vendor (Cisco); both on KEV
- CVE-2025-20393: same vendor (Cisco); both on KEV
- CVE-2025-0994: shared CWE-502; both on KEV
- CVE-2025-55182: shared CWE-502; both on KEV
- CVE-2025-20352: same vendor (Cisco); both on KEV
- CVE-2026-20128: same vendor (Cisco); both on KEV
- CVE-2026-20963: shared CWE-502; both on KEV
- CVE-2025-20333: same vendor (Cisco); both on KEV
