CVE-2026-20131

CVE-2026-20131 is a critical vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, stemming from insecure deserialization of a user-supplied Java byte stream. It enables an unauthenticated, remote attacker to execute arbitrary Java code with root privileges on affected devices. The issue carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is classified under CWE-502 (Deserialization of Untrusted Data). The vulnerability was published on 2026-03-04.

An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface. Successful exploitation allows the attacker to execute arbitrary code on the device and elevate privileges to root. The attack surface is reduced if the FMC management interface lacks public internet access.

The Cisco Security Advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh) details affected versions and available patches. CISA has added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131), indicating active exploitation.

Amazon Threat Intelligence has identified the Interlock ransomware campaign targeting enterprise firewalls, as noted in their blog (https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/), highlighting real-world exploitation risks.