Cyber Resilience

CVE-2026-20131

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked · RCE

Published: 04 March 2026
Modified: 25 March 2026
KEV Added: 19 March 2026
Patch: see the Cisco Security Advisory linked under Deeper analysis
CVSS v3.1 Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.2755 (97.8th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-20131 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Cisco Secure Firewall Management Center. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its EPSS score places it in the top 2.2% of CVEs by exploit likelihood; and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-20131 is a critical vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, stemming from insecure deserialization of a user-supplied Java byte stream. It enables an unauthenticated, remote attacker to execute arbitrary Java code with root privileges on affected devices. The issue carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is classified under CWE-502 (Deserialization of Untrusted Data). The vulnerability was published on 2026-03-04.

An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface. Successful exploitation allows the attacker to execute arbitrary code on the device and elevate privileges to root. The attack surface is reduced if the FMC management interface lacks public internet access.

The Cisco Security Advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh) details affected versions and available patches. CISA has added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131), indicating active exploitation.

Amazon Threat Intelligence has identified the Interlock ransomware campaign targeting enterprise firewalls, as noted in their blog (https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/), highlighting real-world exploitation risks.

Vulnerability details

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.

CWE(s): CWE-502 Deserialization of Untrusted Data
KEV Date Added: 19 March 2026

Related Threats

Threat-Actor Attribution (AI)

Interlock
Amazon Threat Intelligence reporting and the CISA KEV listing link the Interlock ransomware campaign to exploitation of this Cisco FMC RCE (insecure deserialization).

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote code execution via insecure deserialization in the web-based management interface of a network device directly enables T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20265: same product (Cisco Secure Firewall Management Center)
CVE-2025-20393: same vendor (Cisco); both on KEV
CVE-2026-20127: same vendor (Cisco); both on KEV
CVE-2025-20337: same vendor (Cisco); both on KEV
CVE-2025-20333: same vendor (Cisco); both on KEV
CVE-2025-0994: shared CWE-502; both on KEV
CVE-2025-59287: shared CWE-502; both on KEV
CVE-2026-20128: same vendor (Cisco); both on KEV
CVE-2025-26399: shared CWE-502; both on KEV
CVE-2026-45247: shared CWE-502; both on KEV

Affected Assets

Vendor: cisco
Product: secure firewall management center
Versions: 10.0.0, 6.4.0.13, 6.4.0.14, 6.4.0.15, 6.4.0.16

Mitigating Controls

NIST 800-53 r5 controls (AI)

Prevent: SI-2 Flaw Remediation. Directly mitigates the CVE by identifying, prioritizing, and applying vendor patches to remediate the insecure deserialization flaw.

Prevent: SI-10 Information Input Validation. Validates user-supplied Java byte streams at the web interface to block crafted serialized objects that enable arbitrary code execution.

Prevent: Enforces network boundaries to restrict remote access to the web management interface, reducing the unauthenticated attack surface, especially from the public internet.
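The SI-10 control above and the exploitation mechanism described under Deeper analysis both come down to one Java pattern: calling ObjectInputStream.readObject() on bytes the client controls, so that the sender, not the server, chooses which classes get instantiated. The example below is added here as an illustration and is not Cisco's code or anything from the FMC code base; the SessionPing message class and the use of an empty java.util.HashMap as a stand-in for an attacker-chosen object graph are assumptions. It shows the vulnerable read beside a hardened read that installs a JEP 290 ObjectInputFilter allowlist, and demonstrates that the filter rejects an unexpected class before any of that class's deserialization logic runs. For a vendor appliance such as FMC, operators cannot add such a filter themselves; the vendor patch (SI-2) is the fix, and this shows the class of change the fix has to make.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Hypothetical message type that the management endpoint legitimately expects.
// A primitive field keeps the object graph to exactly one class.
final class SessionPing implements Serializable {
    private static final long serialVersionUID = 1L;
    final int sequence;
    SessionPing(int sequence) { this.sequence = sequence; }
}

public class DeserializationFilterDemo {

    // VULNERABLE pattern (CWE-502): whatever class descriptor the client put in the
    // stream is resolved and instantiated, so any gadget chain on the classpath is reachable.
    static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: an allowlist filter (JDK 9+ JEP 290) names the one class this
    // endpoint accepts, rejects everything else ("!*"), and bounds depth and stream size.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=4096;SessionPing;!*");

    static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOWLIST);   // must be installed before the first readObject()
            return in.readObject();
        }
    }

    // Helper to build request bodies for the demo (a real sender would be an HTTP client).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionPing(1));
        // Constructed stand-in for an attacker-chosen object graph; a real exploit
        // would choose a class whose readObject() leads to code execution.
        byte[] crafted = serialize(new HashMap<String, String>());

        // Without a filter the server happily materialises the attacker's class.
        System.out.println("unfiltered, crafted : " + readUnfiltered(crafted).getClass().getName());

        // With the filter the expected message still works...
        System.out.println("filtered, expected  : " + readFiltered(expected).getClass().getName());

        // ...and the unexpected class is refused with an InvalidClassException
        // (message "filter status: REJECTED") before HashMap.readObject() ever runs.
        try {
            readFiltered(crafted);
            System.out.println("filtered, crafted   : accepted (filter not effective)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, crafted   : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on JDK 9 or later. Two caveats for anyone applying the pattern to their own services: keep the allowlist to exact class names rather than package wildcards, because a wildcard re-admits every gadget in that package; and a filter limits which classes can be instantiated but does nothing about the privilege of the process that runs it, so a service that, like the FMC web interface here, runs as root still needs the least-privilege change on top.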

References

Cisco Security Advisory cisco-sa-fmc-rce-NKhnULJh: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
CISA Known Exploited Vulnerabilities catalog entry for CVE-2026-20131: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131
Amazon Threat Intelligence, Interlock ransomware campaign targeting enterprise firewalls: https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/