Critical insecure deserialization vulnerability in the Cisco Secure Firewall Management Center web interface allows unauthenticated remote code execution as root. Already exploited in the wild by the Interlock ransomware group since January 2026.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-03-04
Added to CISA KEV: 2026-03-19 (15 days between CVE publication and KEV listing)
The vulnerability in question is CVE-2026-20131 (CVSS score: 10.0), a case of insecure deserialization of a user-supplied Java byte stream, which could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary Java code as root on an affected device. According to data gleaned from the tech giant's MadPot global sensor network, the security flaw is said to have been exploited as a zero-day since January 26, 2026, more than a month before it was publicly disclosed by Cisco.
CVE-2026-20131 detail: An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface associated with this vulnerability is reduced.
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java ...
The exploitability of CVE-2026-20131 depends on two key factors: attack complexity (the level of effort required to execute an exploit) and privileges required (the access level an attacker needs).

Exploitability analysis for CVE-2026-20131: With low attack complexity and no required privileges, CVE-2026-20131 is an easy target for cybercriminals. Organizations should prioritize immediate ...
The flaw, tracked as CVE-2026-20131, is a remote code execution (RCE) vulnerability that allows unauthenticated attackers to execute arbitrary Java code with root privileges on affected devices. The attacks reportedly targeted enterprise firewall systems. "Observed activity involved HTTP requests to a specific path in the affected software," the report says.