CVE-2026-20131 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-03-04

Added to CISA KEV: 2026-03-19 15 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Immediately check for indicators of compromise - this vulnerability is actively exploited by ransomware groups. Review FMC logs for suspicious HTTP requests, unauthorized access, and verify system integrity
Apply Cisco security patches immediately for all affected FMC versions (6.4.0.13 through 10.0.0)
Restrict FMC management interface access to trusted networks only - remove internet exposure if possible
Monitor FMC web interface logs for crafted serialized Java object requests and unusual activity
Implement network segmentation to isolate FMC management interfaces
Deploy endpoint detection and response (EDR) solutions to detect potential ransomware deployment

🔍 Web Intelligence (Kagi · 2026-03-19)

CVE-2026-20131 is a critical vulnerability affecting Cisco Secure Firewall Management Center (FMC) Software ^[1] ^[2] ^[3] ^[16] ^[15] ^[14] ^[2]. It is a case of insecure deserialization of a user-supplied Java byte stream, allowing an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device ^[1] ^[3] ^[12] ^[16] ^[5] ^[15] ^[14] ^[2]. Internet-Facing Applications and Services: The vulnerability resides in the web-based management interface of the Cisco FMC software ^[2] ^[3] ^[16] ^[2]. If this interface has public internet access, the attack surface is reduced ^[2]. External exploitability is a significant concern, as vulnerabilities exploitable via the internet score higher in terms of attack vector ^[8]. Evidence of Active Exploitation in the Wild: Yes, there is clear evidence of active exploitation ^[9] ^[11] ^[13] ^[6] ^[19] ^[18] ^[17] ^[14]. Cisco has confirmed reports of active exploitation ^[9] ^[13], and threat actors associated with the Interlock ransomware group have been exploiting this vulnerability as a zero-day since January 26, 2026, more than a month before its public disclosure ^[1] ^[11] ^[6] ^[14]. Attack Vectors and Exploitation Methods: The primary attack vector involves sending a crafted serialized Java object to the web-based management interface of an affected device ^[3] ^[12] ^[16] ^[15] ^[2]. This can allow an unauthenticated, remote attacker to execute arbitrary Java code as root ^[1] ^[3] ^[12] ^[16] ^[5] ^[15] ^[14] ^[2]. The exploit has low attack complexity and requires no privileges, making it an easy target for cybercriminals ^[4]. Observed activity has involved HTTP requests to a specific path in the affected software ^[5]. Use in Targeted Attacks: The Interlock ransomware group has been actively exploiting CVE-2026-20131 in targeted attacks against enterprise firewall systems ^[6] ^[17] ^[5] ^[14]. CISA Known Exploited Vulnerabilities (KEV) Status: As of the provided information, CVE-2026-20131 is not explicitly listed on the CISA Known Exploited Vulnerabilities (KEV) Catalog ^[7] ^[20]. However, CISA has warned of active exploitation for other vulnerabilities around the same time ^[11] ^[18] ^[21] ^[22] ^[23]. Technical Details about Internet Exploitability: The vulnerability is a Remote Code Execution (RCE) flaw ^[5] ^[15]. It is due to insecure deserialization of user-supplied Java byte streams ^[1] ^[3] ^[24] ^[16] ^[15] ^[2]. An attacker can exploit this by sending a crafted serialized Java object to the web interface ^[3] ^[2]. A successful exploit allows the attacker to execute arbitrary code on the device and elevate privileges to root ^[2]. The exploitability is high due to low attack complexity and no required privileges ^[4]. While some sources indicate no public Proof-of-Concept (PoC) exploits have been reported ^[10] ^[12], the active exploitation in the wild by ransomware groups confirms its practical exploitability.

Sources

Interlock Ransomware Exploits Cisco FMC Zero-Day...
The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. According to data gl…
CVE-2026-20131 - NVD
CVE-2026-20131 Detail.An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If t…
Cisco Secure Firewall Management Center Software Remote Code Execution ...
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java…
CVE-2026-20131 Security Vulnerability & Exploit Details
The exploitability of CVE-2026-20131 depends on two key factors: attack complexity (the level of effort required to execute an exploit) and privileges required (the access level an attacker needs). Exploitability Analysis for CVE-2026-20131 With low attack complexity and no required privileges, CVE-…
Interlock ransomware gang exploits Cisco firewall zero-day in targeted...
The flaw, tracked as CVE-2026-20131, is a remote code execution (RCE) vulnerability that allows unauthenticated attackers to execute arbitrary Java code with root privileges on affected devices.The attacks reportedly targeted enterprise firewall systems. “Observed activity involved HTTP requests to…

🔴 CVE-2026-20131

📋 Vulnerability Details

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-03-19)

Sources