CVE-2026-20131: Critical Cisco Firewall Zero-Day Being Actively Exploited — Patch Now
What Is This Vulnerability?
CVE-2026-20131 is a remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) — the web-based platform used to centrally manage Cisco Firepower and Firewall Threat Defense (FTD) devices.
The flaw is in how FMC handles Java object deserialization. An attacker can send a crafted serialized Java object to the FMC web management interface and have it executed on the server — no credentials required.
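The pattern behind a CWE-502 finding, and how an allow-list closes it, as an added illustration written for this post (it is not Cisco's code and says nothing about FMC's internals): a hypothetical endpoint that expects exactly one payload class, shown first deserializing whatever class the stream names and then with a JEP 290 `ObjectInputFilter` that rejects anything else before the class is loaded. The `PolicyUpdate` class, the endpoint and the sample inputs are constructed for the example; the "unexpected" input is a plain `ArrayList`, standing in for any type the sender chose to put on the wire.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class DeserializationHardening {

    // The one payload type this hypothetical endpoint legitimately expects (constructed).
    public static final class PolicyUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final String policyName;
        PolicyUpdate(String policyName) { this.policyName = policyName; }
    }

    // BEFORE (CWE-502): the stream decides which class gets instantiated. Any Serializable
    // class on the classpath can be named, and its deserialization hooks run before the
    // caller ever reaches the cast that was supposed to enforce the expected type.
    static Object unsafeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // AFTER: a JEP 290 allow-list filter (Java 9+). Only the named classes resolve; the
    // trailing "!*" rejects everything else before the class is loaded. java.lang.String is
    // listed because the stream carries string descriptors for field types and the filter
    // sees those too. The depth and array limits cap resource-exhaustion streams.
    static final ObjectInputFilter POLICY_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;"
            + PolicyUpdate.class.getName() + ";java.lang.String;!*");

    static PolicyUpdate safeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(POLICY_FILTER); // a rejected class raises InvalidClassException
            return (PolicyUpdate) in.readObject();
        }
    }

    // Serialize an object the way a client would place it on the wire.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the expected type, and an unrelated harmless type.
        byte[] expected = serialize(new PolicyUpdate("branch-office-acl"));
        byte[] unexpected = serialize(new ArrayList<String>());

        // Unfiltered: both streams deserialize; the type is only checked at the cast.
        System.out.println("unsafe, expected type:   " + unsafeDeserialize(expected).getClass().getName());
        System.out.println("unsafe, unexpected type: " + unsafeDeserialize(unexpected).getClass().getName());

        // Filtered: the expected type works, the unexpected one is refused up front.
        System.out.println("safe,   expected type:   " + safeDeserialize(expected).policyName);
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe,   unexpected type: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationHardening.java && java DeserializationHardening`. A per-stream filter like this is the precise fix; as a process-wide backstop, the same pattern syntax can be applied to every `ObjectInputStream` in a JVM through the `jdk.serialFilter` system property, which is useful when you cannot change the code that performs the deserialization.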
The numbers:
| Property | Value |
|---|---|
| CVE | CVE-2026-20131 |
| Cisco Advisory | cisco-sa-fmc-rce-NKhnULJh |
| CVSS 3.1 Score | 10.0 — Critical (maximum possible) |
| Vulnerability Type | Insecure Deserialization (CWE-502) |
| Authentication Required | None |
| User Interaction | None |
| Network Access | Remote, over the network |
| Attack Complexity | Low |
A CVSS score of 10.0 is rare. It means unauthenticated, low-complexity, network-accessible exploitation with full impact on confidentiality, integrity, and availability — and a "Scope: Changed" designation indicating the attacker can pivot beyond the vulnerable host itself.
Why This Is Worse Than a Typical Critical CVE
Most critical vulnerabilities compromise a single host. FMC is different: it's the management plane for all downstream Firewall Threat Defense devices. When FMC is compromised:
- The attacker gains root-level access to the FMC appliance
- From there, they have administrative control over every FTD firewall under FMC management
- Firewall policies, access control rules, and VPN configurations can be read, modified, or disabled
- The entire network perimeter becomes transparent to the attacker
This is a single exploit with the potential to collapse an organisation's entire Cisco-based security perimeter.
Who Is Affected?
Vulnerable:
- Cisco Secure Firewall Management Center (FMC) — all on-premises deployments
- Cisco Security Cloud Control (SCC) Firewall Management (has since been patched automatically by Cisco)
Affected versions:
- All 6.x releases — no fix available, must upgrade
- 7.0.x prior to 7.0.6.3
- 7.2.x prior to 7.2.5.1
- 7.4.x prior to 7.4.2.1
Not affected:
- Cloud-Delivered FMC (cdFMC) — Cisco's SaaS-managed offering
What Attackers Are Doing With It
The Interlock ransomware gang began exploiting this as a zero-day on 26 January 2026 — 36 days before Cisco's public disclosure and patch on 4 March 2026.
Observed attack chain:
- Send crafted Java deserialization payload to the FMC management interface
- Gain unauthenticated root shell on the FMC appliance
- Deploy ScreenConnect (remote management tool) for persistent access
- Move laterally through managed firewall infrastructure
- Stage and deploy Interlock ransomware
Amazon threat intelligence teams identified and reported the campaign on 18 March 2026. CISA added CVE-2026-20131 to the Known Exploited Vulnerabilities (KEV) catalog the following day and mandated US federal civilian agencies patch within 72 hours — one of the most aggressive remediation deadlines CISA issues.
Immediate Actions
1. Determine Your Exposure
```
# On your FMC, check software version:
System > Updates > Product Updates (in FMC UI)
```
If you're on any affected version (all 6.x, 7.0.x < 7.0.6.3, 7.2.x < 7.2.5.1, 7.4.x < 7.4.2.1) — you are vulnerable.
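A small checker that encodes the affected and fixed ranges exactly as this post lists them, added here as an example (it is not a Cisco tool). It compares dotted release numbers the way the ranges above require, treats every 6.x release as vulnerable with no fix, and reports release trains the post does not mention (7.1.x, 7.3.x, 7.6.x, ...) as "not listed" rather than guessing, so you check those against Cisco's advisory instead. The sample versions in `main` are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class FmcVersionCheck {

    public enum Status { VULNERABLE_NO_FIX, VULNERABLE_UPGRADE, FIXED, NOT_LISTED }

    // Release train -> first fixed release, taken from the post's upgrade table.
    static final Map<String, String> FIRST_FIXED = new LinkedHashMap<>();
    static {
        FIRST_FIXED.put("7.0", "7.0.6.3");
        FIRST_FIXED.put("7.2", "7.2.5.1");
        FIRST_FIXED.put("7.4", "7.4.2.1");
    }

    // Parse "7.2.5" into [7, 2, 5]; anything that is not dotted integers is rejected.
    static int[] parse(String version) {
        String[] parts = version.trim().split("\\.");
        int[] nums = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            nums[i] = Integer.parseInt(parts[i]); // NumberFormatException on input like "7.2.5-beta"
        }
        return nums;
    }

    // Compare like release numbers: missing trailing components count as zero,
    // so 7.0.6 < 7.0.6.3 and 7.0.6.3 equals 7.0.6.3.0.
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    public static Status assess(String version) {
        int[] v = parse(version);
        if (v.length < 2) throw new IllegalArgumentException("need at least major.minor: " + version);
        if (v[0] == 6) return Status.VULNERABLE_NO_FIX;   // every 6.x release: no fix, change trains
        String fixed = FIRST_FIXED.get(v[0] + "." + v[1]);
        if (fixed == null) return Status.NOT_LISTED;      // train not in the post's table
        return compare(v, parse(fixed)) >= 0 ? Status.FIXED : Status.VULNERABLE_UPGRADE;
    }

    public static void main(String[] args) {
        // Constructed sample versions; pass your own FMC version on the command line instead.
        String[] samples = args.length > 0 ? args
                : new String[] {"6.7.0", "7.0.6", "7.0.6.3", "7.2.5", "7.2.5.1", "7.4.1", "7.4.2.1", "7.6.0"};
        for (String s : samples) {
            System.out.printf("%-10s -> %s%n", s, assess(s));
        }
    }
}
```

Run it as `java FmcVersionCheck 7.2.4` with the version string shown under System > Updates > Product Updates. Reading the fixed releases from a table rather than hard-coding comparisons in each branch keeps the check easy to extend if Cisco publishes further fixed releases.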
2. Restrict Management Interface Access — Do This Now
Cisco confirms the attack surface is reduced when the FMC management interface is not exposed to the public internet. If your FMC is internet-facing:
- Immediately restrict access to the FMC web interface to trusted management IPs only
- Place it behind a management VPN or firewall ACL
- Audit who has network access to port 443 on your FMC host
This does not fix the vulnerability but significantly reduces the risk while you prepare to patch.
3. Patch to a Fixed Version
Cisco has released fixes. Upgrade to:
| Your Current Branch | Upgrade To |
|---|---|
| 6.x | 7.0.6.3, 7.2.5.1, or 7.4.2.1 (no fix on the 6.x train) |
| 7.0.x | 7.0.6.3 |
| 7.2.x | 7.2.5.1 |
| 7.4.x | 7.4.2.1 |
There are no workarounds. Patching is the only remediation.
4. Check for Indicators of Compromise
If your FMC was potentially exposed before patching, check for signs of compromise:
- Unexpected ScreenConnect or remote access software installed on the FMC host
- Anomalous Java processes running on the FMC appliance
- New or modified admin accounts in FMC
- Firewall policy changes you did not authorise — pull an audit log review
- Unexpected outbound connections from the FMC host, especially to unfamiliar IPs
If you find any of these, assume full compromise. The FMC host, all its managed FTD policies, and potentially the broader network should be treated as compromised.
Longer-Term Recommendations
Segment your management plane. FMC should never be on the same network segment as production traffic or reachable from the internet. Management interfaces belong in an out-of-band management network accessible only via VPN or a dedicated management host.
Review managed firewall policies. If there's any chance your FMC was exposed to exploitation, audit all policy changes made in the past 90 days across managed FTD devices. An attacker with FMC access could have made subtle policy modifications — open rules, new permit ACEs, disabled inspection policies — that survive even after you patch the FMC itself.
Verify your FMC update process. Many organisations defer FMC upgrades because they're operationally disruptive. This incident is a reminder that deferred upgrades on security infrastructure carry real risk. Establish a regular patching cadence for FMC and document it.
Questions about whether your environment is affected or how to approach the remediation? Contact us — we can help you assess exposure and plan the upgrade.