www.infosecurity-magazine.com 3/23/2026, 11:04:53 AM

CISA Orders US Government to Patch Maximum Severity Cisco Flaw


The US Cybersecurity and Infrastructure Security Agency (CISA) has told all federal civilian agencies to patch a critical remote code execution vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC). With a maximum CVSS score of 10, it could “allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device,” according to the vendor.

It was patched by Cisco on 4 March after reports that the Interlock ransomware group had been exploiting it as a zero-day for several months. CISA added the CVE to its KEV catalog on Thursday 19 March, giving agencies just three days to patch it or discontinue use of the product if mitigations are unavailable.

The vulnerability is due to insecure deserialization of a user-supplied Java byte stream; an attacker could exploit it by sending a crafted serialized Java object to the web-based management interface of an affected device, enabling arbitrary code execution and privilege elevation to root.
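The vulnerability class described above, native Java deserialization of a caller-supplied byte stream, is illustrated below with an added example that is not Cisco's code and does not reproduce anything specific to FMC or CVE-2026-20131. It contrasts the unfiltered `ObjectInputStream.readObject()` pattern with the same read guarded by a JDK `ObjectInputFilter` (Java 9+) that allowlists only the expected class. The `StatusRequest` type, the `fw-01` device id and the benign `ArrayList` stand-in for an unexpected object are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

public class DeserializationFilterDemo {

    // Constructed example type: the only object the hypothetical endpoint is meant to receive.
    public static final class StatusRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String deviceId;
        StatusRequest(String deviceId) { this.deviceId = deviceId; }
    }

    // Vulnerable pattern: readObject() on a caller-supplied byte stream with no filter.
    // Any serializable class on the classpath may be instantiated while the stream is read,
    // which is what makes deserialization of untrusted input a remote code execution risk.
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a stream-level ObjectInputFilter allows exactly the expected class
    // plus java.lang.String (needed for its field), caps nesting depth and array size,
    // and rejects every other class ("!*") before it is instantiated.
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxarray=1024;"
                + StatusRequest.class.getName() + ";"
                + "java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject();
        }
    }

    // Helper: produce a serialized byte stream for a benign object (stands in for a request body).
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new StatusRequest("fw-01"));

        ArrayList<String> notARequest = new ArrayList<>();
        notARequest.add("constructed");
        byte[] unexpected = serialize(notARequest);

        // Both readers accept the expected request type.
        System.out.println("unfiltered, expected:   " + readUnfiltered(expected).getClass().getSimpleName());
        System.out.println("filtered,   expected:   " + readFiltered(expected).getClass().getSimpleName());

        // The unfiltered reader instantiates whatever class the stream names ...
        System.out.println("unfiltered, unexpected: " + readUnfiltered(unexpected).getClass().getSimpleName());

        // ... while the filtered reader rejects it at class resolution, before any
        // constructor or readObject hook of the unexpected class can run.
        try {
            readFiltered(unexpected);
            System.out.println("filtered,   unexpected: accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filtered,   unexpected: rejected -> " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide rather than per stream by setting the `jdk.serialFilter` system property (or the property of that name in `conf/security/java.security`), which is the usual hardening step for a Java service that cannot drop native serialization outright; the per-stream form shown here is preferable where the set of expected classes differs by endpoint.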


Article by CyberSIXT
