Executive Summary (For Management)

Your organization’s firewall is only as secure as the system managing it. CVE-2026-20131 is a remote code execution (RCE) vulnerability in Cisco Secure Firewall Management Center (FMC), the central platform many organizations use to manage and coordinate their entire Cisco firewall estate (Abstract). This is not a theoretical risk. It is an active, confirmed threat.

The vulnerability carries a maximum CVSS score of 10.0. On March 18, 2026, Cisco updated its advisory to warn of active exploitation in the wild. The following day, March 19, 2026, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and mandated that all federal civilian agencies remediate by March 22, 2026 (Security Boulevard).

Why this is a business risk, not just an IT problem:

This is not just the compromise of a single device. CVE-2026-20131 lands in the management plane, the system that tells all your other security controls what to do. An attacker who compromises FMC can alter firewall rules, suppress security alerts, and use that foothold to penetrate deeper into your network (Penligent).

Amazon Threat Intelligence has linked active exploitation of this vulnerability to the Interlock ransomware group, which exploited this as a zero-day, meaning they had a working exploit before Cisco or the public knew the flaw existed (The Hacker News).

Bottom line: If your organization runs Cisco FMC on-premises and has not yet patched, you should treat this as an emergency action item. There are no workarounds; only patching resolves this vulnerability.


Technical Deep Dive (For Security Teams & SOC Analysts)

Vulnerability Overview

Field                      Detail
CVE ID                     CVE-2026-20131
Affected Product           Cisco Secure Firewall Management Center (FMC)
CVSS Score                 10.0 (Critical)
CWE Classification         CWE-502 — Deserialization of Untrusted Data
Attack Vector              Network (Remote)
Authentication Required    None
User Interaction Required  None
Scope                      Changed (S:C — can impact managed FTD devices)
Disclosed                  March 4, 2026
Exploitation Status        Actively exploited in the wild
CISA KEV Listed            Yes — March 19, 2026

Root Cause Analysis

The root cause is insecure deserialization of user-supplied Java byte streams in the FMC web-based management interface. When the FMC processes incoming serialized Java objects, it fails to properly validate or sanitize input before deserializing — allowing attackers to inject malicious payloads that execute arbitrary code on the device (SentinelOne).

In Java, deserialization converts byte streams back into objects. When applications blindly deserialize untrusted input, attackers can craft payloads using gadget chains from classes already loaded in the JVM to trigger arbitrary method execution — a well-documented class of vulnerability (see: Apache Commons Collections, Log4Shell-adjacent chains, etc.). Cisco’s FMC exposed this attack surface through its web management interface with no authentication gate in front of the deserialization logic.


Attack Chain

The exploitation flow works as follows: an attacker sends a crafted serialized Java object to the web-based management interface of a vulnerable FMC device, the device deserializes the object allowing the attacker to execute arbitrary Java code, and the attacker then gains root access — potentially allowing modification of configuration files, theft of sensitive data, or disruption of network operations (Cveintel).

From a network perspective: the attack requires only network access to the management interface (TCP 443) and does not require authentication. Due to the privileges of the web management service, successful exploitation results in code execution as root (SentinelOne).

Real-world exploit behavior observed by Amazon’s MadPot:

Observed activity involved HTTP requests to a specific path in the affected software. Request bodies contained Java code execution attempts and two embedded URLs — one used to deliver configuration data supporting the exploit, and another designed to confirm successful exploitation by causing a vulnerable target to perform an HTTP PUT request and upload a generated file (Help Net Security).


Zero-Day Timeline

Amazon threat intelligence identified exploitation activity beginning January 26, 2026 — more than 36 days before Cisco publicly disclosed the flaw on March 4, 2026. The activity has been attributed to the Interlock ransomware group (Help Net Security).

Zscaler ThreatLabz observed additional exploit activity starting February 25, 2026, targeting organizations in the Technology and Software sectors in the United States. The exploit attempts originated from multiple IP addresses sending specially crafted Java deserialization payloads, using publicly available proof-of-concept code from GitHub (Security Boulevard).


Affected Versions

The following FMC software branches are affected and require immediate updates:

  • 6.x — All versions (end-of-life branch, no patch; upgrade required)
  • 7.0.x — Prior to 7.0.6.3
  • 7.2.x — Prior to 7.2.5.1
  • 7.4.x — Prior to 7.4.2.1 (Security Boulevard)

For the 7.4.x and 7.6.x branches specifically, note the distinction: the companion authentication bypass CVE-2026-20079 may be addressed at 7.4.4/7.6.4, but CVE-2026-20131 requires upgrade to 7.4.6 and 7.6.5 respectively. Teams that stop at the wrong fixed point can leave this pre-auth RCE path open while believing they are fully remediated (Penligent).

Not affected: Cloud-Delivered FMC (cdFMC) is not affected (Abstract). Cisco Security Cloud Control (SCC) Firewall Management was affected, but Cisco upgraded that service as part of routine maintenance, so no user action is required for SCC (Arctic Wolf).


Detection Guidance

Watch for the following indicators in your environment:

  • Unusual Java serialization traffic to the FMC management interface on TCP 443
  • Unexpected process spawning from the FMC web service with root-level privileges
  • Anomalous outbound connections originating from the FMC device itself (especially HTTP PUT requests to unknown hosts — this is consistent with the callback behavior observed by Amazon)
  • Suspicious entries in FMC web server logs — look for requests to the specific vulnerable management path with oversized or binary-encoded POST bodies
  • Lateral movement indicators on downstream FTD devices shortly following any anomalous FMC activity
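To make the log-based indicators above concrete, here is an added triage script (my example, not tooling from the advisory or from Cisco): it runs over a few constructed JSON proxy records and flags inbound POSTs to the FMC that carry a Java serialization stream or an oversized body, and outbound HTTP PUTs from the FMC to hosts outside an allowlist, the callback pattern MadPot observed. The FMC address, the allowlisted hosts, the size threshold and the record format are all assumptions.

```python
"""Triage helper for the FMC indicators above (added example, not from the advisory)."""
import json

# Assumed values for this constructed environment (placeholders, not from the advisory).
FMC_HOST = "10.0.0.5"
KNOWN_UPDATE_HOSTS = {"updates.example.invalid"}   # destinations FMC is expected to reach
BODY_SIZE_THRESHOLD = 64 * 1024                    # what we treat as an "oversized" POST body
# Java serialization stream magic: raw bytes AC ED 00 05, or the same bytes base64-encoded.
JAVA_MAGIC_HEX = "aced0005"
JAVA_MAGIC_B64 = "rO0AB"

def looks_like_java_serialized(body_prefix: str, content_type: str) -> bool:
    """True if the body starts with a Java serialization stream in hex or base64 form."""
    p = body_prefix.strip()
    return (content_type == "application/x-java-serialized-object"
            or p.lower().startswith(JAVA_MAGIC_HEX)
            or p.startswith(JAVA_MAGIC_B64))

def triage(record: dict) -> list:
    """Return the names of the Detection Guidance indicators this record matches."""
    hits = []
    inbound = record["dst"] == FMC_HOST and record["dst_port"] == 443
    if inbound and record["method"] == "POST":
        if looks_like_java_serialized(record.get("body_prefix", ""), record.get("content_type", "")):
            hits.append("java-serialized-post-to-fmc")
        if record.get("body_len", 0) > BODY_SIZE_THRESHOLD:
            hits.append("oversized-post-to-fmc")
    if record["src"] == FMC_HOST and record["method"] == "PUT" \
            and record["dst_host"] not in KNOWN_UPDATE_HOSTS:
        hits.append("outbound-put-from-fmc")   # the callback pattern MadPot observed
    return hits

def triage_log(lines: str) -> dict:
    """Map each record id to its indicator hits, skipping records that match nothing."""
    out = {}
    for line in lines.splitlines():
        if line.strip():
            rec = json.loads(line)
            hits = triage(rec)
            if hits:
                out[rec["id"]] = hits
    return out

# Constructed sample proxy/WAF records (JSON lines); not real traffic.
SAMPLE_LOG = """\
{"id": 1, "src": "198.51.100.7", "dst": "10.0.0.5", "dst_port": 443, "dst_host": "fmc.example.invalid", "method": "POST", "content_type": "application/octet-stream", "body_len": 120000, "body_prefix": "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA"}
{"id": 2, "src": "10.0.0.5", "dst": "203.0.113.9", "dst_port": 80, "dst_host": "203.0.113.9", "method": "PUT", "body_len": 512, "body_prefix": ""}
{"id": 3, "src": "10.0.0.20", "dst": "10.0.0.5", "dst_port": 443, "dst_host": "fmc.example.invalid", "method": "GET", "body_len": 0, "body_prefix": ""}
"""
```

Running `triage_log(SAMPLE_LOG)` flags record 1 on both inbound indicators and record 2 as an outbound PUT; the benign GET in record 3 produces no hit.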

Remediation Steps

  1. Inventory all on-premises Cisco FMC deployments in your environment using Cisco’s Software Checker tool.
  2. Patch immediately to the appropriate fixed release for your software branch (see the Affected Versions list above). There are no workarounds — patching is the only resolution.
  3. Restrict management interface access — FMC’s web management interface should never be exposed to the public internet. Use firewall ACLs to limit access to trusted administrator IP ranges only.
  4. Implement a jump host/bastion for all FMC administrative access.
  5. Enable MFA for all administrative accounts where supported.
  6. Hunt for indicators of prior compromise — given the 36-day zero-day window, an FMC patched any time after January 26, 2026 may still have been exposed during the exploitation period. Review FMC logs and downstream FTD device configurations for unauthorized changes.

CVSS Vector Breakdown

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The S:C (Scope: Changed) rating is notable — it means successful exploitation of FMC doesn’t just compromise the device itself. FMC’s scope of “Changed” means a compromise can impact the security of other components, such as Firewall Threat Defense (FTD) devices under its management (Abstract). This single flaw effectively hands an attacker the keys to your entire Cisco firewall infrastructure.
