CISA has added CVE‑2026‑20131 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) firewall‑management software. It is a deserialization of untrusted data vulnerability that could let an unauthenticated, remote attacker execute arbitrary Java code as root on the device.
The vulnerability is a remote code execution (RCE) flaw in the web‑based management interface of FMC and SCC. It occurs when the product deserialises attacker‑controlled data, leading to execution of malicious Java code with full system privileges. The CVSS v3.1 base score is 10.0, classifying it as critical. Cisco has released a patch that addresses the issue, and the advisory provides detailed mitigation steps. Exploitation does not require authentication and can be performed over the network.
CISA’s inclusion of this CVE confirms that active exploitation is occurring in the wild. The vulnerability has been observed in at least one ransomware campaign, meaning threat actors are leveraging it to gain footholds before deploying encrypt‑or‑delete payloads. Agencies are required to remediate by 22 March 2026. The deadline underscores the urgency for organisations to act before the window of exploitation widens further.
CISA’s required action is to “apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” The directive applies directly to Federal Civilian Executive Branch (FCEB) agencies, but any organisation deploying Cisco FMC or SCC should treat the advisory as a priority. Apply Cisco’s patch, implement the recommended configuration changes, and verify that mitigations are effective.
For full technical details, see the NVD entry for CVE‑2026‑20131 and the CISA KEV catalogue.
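The KEV due date and ransomware flag described above can be checked against an asset inventory with a short script. This is an added example, not code from CISA or Cisco: the KEV record is a constructed excerpt in the shape of the KEV JSON feed using this page's values, and the inventory, host names and keyword matching are hypothetical.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. Values for
# CVE-2026-20131 come from this page; the second record is a placeholder.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-20131", "vendorProject": "Cisco",
   "product": "Secure Firewall Management Center (FMC)",
   "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
   "product": "ExampleProduct",
   "dueDate": "2026-01-01", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Hypothetical inventory: hostname -> (vendor, product keyword, patched?)
INVENTORY = {
    "fmc-dc1": ("cisco", "firewall management center", False),
    "fmc-dr1": ("cisco", "firewall management center", True),
    "mail-gw": ("othervendor", "mail gateway", False),
}

def triage(kev, inventory, today):
    """Return unpatched assets that match a KEV entry, most urgent first."""
    findings = []
    for entry in kev["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for host, (vendor, product, patched) in inventory.items():
            if patched or vendor != entry["vendorProject"].lower():
                continue
            if product not in entry["product"].lower():
                continue
            findings.append({
                "host": host,
                "cve": entry["cveID"],
                "days_left": (due - today).days,  # negative means overdue
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # Ransomware-linked entries first, then the nearest deadline.
    findings.sort(key=lambda f: (not f["ransomware"], f["days_left"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2026, 3, 20)):
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['host']}: {f['cve']} ({state}, ransomware={f['ransomware']})")
```

In practice the `patched` flag should come from a verified software version on each appliance rather than a manually maintained field.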