ACCORDING to CISA, on March 19, 2026, one new vulnerability has been added to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entry is CVE-2026-20131, named Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. Although BOD 22-01 applies to Federal Civilian Executive Branch agencies, CISA urges all organisations to prioritise timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.