
CVE-2026-20131: the critical Cisco FMC flaw Interlock exploited 36 days before disclosure

Cisco disclosed CVE-2026-20131 on March 4, 2026, an issue in Secure Firewall Management Center (FMC) that scores the full CVSS 10.0. The problem sits in the web-based management interface, and the summary is as bad as it sounds. A remote attacker with no credentials can run arbitrary Java code on the device and end up with root privileges.

What actually breaks

The root cause is insecure deserialization of Java objects. The FMC web interface accepts serialized objects and rebuilds them without checking what it received. Send it a crafted object and the process handling it runs whatever the attacker placed inside. No username, no password, just network access to the management interface. From there, code execution leads to root on the appliance.
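To make the bug class concrete, here is an added Java illustration (not Cisco's or FMC's code, and not the actual vulnerable code path) of the difference between the pattern the article describes, rebuilding any object the stream names, and a hardened reader that uses the JDK's built-in deserialization filter (Java 9 and later) to accept only the one class the endpoint expects. The `RuleUpdate` type, the filter pattern and the sample payloads are assumptions made for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added demo of unchecked vs. filtered Java deserialization; not FMC code.
public class DeserializationDemo {

    // Hypothetical message type a management endpoint is assumed to expect.
    public static final class RuleUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final String ruleName;
        RuleUpdate(String ruleName) { this.ruleName = ruleName; }
    }

    // Vulnerable pattern: rebuild whatever class the incoming stream names.
    static Object readUnchecked(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 allowlist filter. Only RuleUpdate (and String,
    // for its field) may be instantiated; "!*" rejects every other class.
    static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$RuleUpdate;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject();
        }
    }

    // Helper used only to build test payloads for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new RuleUpdate("allow-dns"));
        // A HashMap stands in for any class the endpoint never meant to accept.
        byte[] unexpected = serialize(new HashMap<String, String>());

        // The unchecked reader happily instantiates both.
        System.out.println("unchecked, expected:   " + readUnchecked(expected).getClass().getName());
        System.out.println("unchecked, unexpected: " + readUnchecked(unexpected).getClass().getName());

        // The filtered reader accepts the expected type and rejects the other
        // before any constructor or readObject logic of that class runs.
        System.out.println("filtered, expected:    " + readFiltered(expected).getClass().getName());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

The point of the filter is that the decision is made on the class name in the stream header, before the JVM constructs anything, which is the check the article says the vulnerable interface lacks. An allowlist ending in `!*` is the shape to prefer over a denylist of known-bad classes, since a denylist has to be updated every time a new gadget class is found.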

It helps to know what FMC is before judging the impact. It’s the central console many organizations use to manage all their Cisco firewalls. Whoever controls FMC can change filtering rules, silence alerts, or use the console itself as a jumping-off point to move deeper into the network. Compromising FMC isn’t compromising some ordinary server. It hands over the control panel of the perimeter defense.

Who is affected, and since when

The advisory covers Cisco Secure Firewall Management Center Software from version 6.4.0.13 through 7.4.1.1. What turned this into more than a routine patch was the timeline. Amazon’s threat intelligence team found that the Interlock ransomware group had been exploiting the flaw as a 0-day since January 26, 2026, which is 36 days before public disclosure. For over a month there were real attacks against enterprise firewalls using a hole nobody had announced yet, with education among the sectors hit.

The pressure rose afterward. On March 18 Cisco updated its bulletin to confirm active exploitation in the wild, and on March 19 CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog, which puts U.S. federal agencies on a fixed deadline to patch.

What to do

Apply Cisco’s update for your FMC version without waiting. It’s the only real fix; there’s no halfway configuration that closes off the deserialization. If for some reason you can’t patch right away, restrict access to the web management interface to trusted administration networks and keep it off the public internet. That shrinks the attack surface, but it doesn’t replace the patch.

Since exploitation happened before disclosure, review your logs for suspicious activity: odd requests to the management interface, rule changes nobody remembers making, new accounts or processes. If you find signs of compromise, treat the device as taken and follow your incident response plan.
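As an added example of turning the two recommendations above into a repeatable check (this is illustration written for this article, not a Cisco tool, and it does not use FMC's real log format), the following Java program scans constructed audit lines for the signals the article names: management-interface activity from outside the trusted administration network, and configuration or account changes made by an account nobody recognises. The admin CIDR, the known-administrator list, the event names and the sample lines are all assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added triage sketch for management-interface logs; not Cisco code.
public class MgmtLogTriage {

    // Trusted administration network, assumed; replace with your own range.
    static final String ADMIN_CIDR = "10.20.0.0/16";
    // Accounts known to administer the firewalls, assumed.
    static final Set<String> KNOWN_ADMINS = Set.of("alice", "bob");
    // Events that alter filtering, alerting or accounts and therefore need review.
    static final Set<String> CHANGE_EVENTS =
        Set.of("policy-modified", "policy-deployed", "user-created", "alert-suppressed");

    // Constructed sample lines in a simple "time src user event" layout (hypothetical format).
    static final String[] SAMPLE = {
        "2026-02-02T03:14:07Z 10.20.5.9 alice login-success",
        "2026-02-02T03:15:12Z 203.0.113.45 - login-success",
        "2026-02-02T03:16:40Z 203.0.113.45 svc_backup user-created",
        "2026-02-02T03:17:03Z 203.0.113.45 svc_backup alert-suppressed",
        "2026-02-02T09:01:55Z 10.20.7.31 bob policy-modified",
    };

    // Dotted-quad IPv4 to an unsigned 32-bit value held in a long.
    static long ipToLong(String ip) {
        String[] parts = ip.split("\\.");
        if (parts.length != 4) throw new IllegalArgumentException("not IPv4: " + ip);
        long value = 0;
        for (String p : parts) {
            value = (value << 8) | Integer.parseInt(p);
        }
        return value;
    }

    // True when ip falls inside cidr, e.g. 10.20.5.9 in 10.20.0.0/16.
    static boolean inCidr(String ip, String cidr) {
        String[] parts = cidr.split("/");
        int prefix = Integer.parseInt(parts[1]);
        long mask = prefix == 0 ? 0 : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
        return (ipToLong(ip) & mask) == (ipToLong(parts[0]) & mask);
    }

    // Returns one finding per suspicious signal; an empty list means nothing stood out.
    static List<String> triage(String[] lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            String[] f = line.trim().split("\\s+");
            if (f.length != 4) {
                findings.add("unparsed line: " + line);
                continue;
            }
            String time = f[0], src = f[1], user = f[2], event = f[3];
            // Signal 1: the management interface was reached from outside the admin network.
            if (!inCidr(src, ADMIN_CIDR)) {
                findings.add(time + " request from outside admin network " + src + ": " + event);
            }
            // Signal 2: a change-type event by an account that is not a known administrator.
            if (CHANGE_EVENTS.contains(event) && !KNOWN_ADMINS.contains(user)) {
                findings.add(time + " change by unrecognised account '" + user + "': " + event);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> findings = triage(SAMPLE);
        // With the constructed sample this prints five findings: one for the external
        // login and two each for the external user-created and alert-suppressed events.
        findings.forEach(System.out::println);
        System.out.println(findings.size() + " finding(s)");
    }
}
```

Any hit on the first signal is, by itself, evidence that the interface was reachable from where it should not have been, which is worth fixing even if the request turns out to be benign. Hits on the second signal should be reconciled against change tickets before the device is trusted again.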
