CVE-2026-20131 (GCVE-0-2026-20131)
Vulnerability from cvelistv5
Published
2026-03-04 17:17
Modified
2026-03-25 16:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.
Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cisco | Cisco Secure Firewall Management Center (FMC) |
Version: 7.0.0 Version: 7.0.0.1 Version: 7.0.1 Version: 7.1.0 Version: 6.4.0.13 Version: 7.0.1.1 Version: 6.4.0.14 Version: 7.1.0.1 Version: 7.0.2 Version: 6.4.0.15 Version: 7.2.0 Version: 7.0.2.1 Version: 7.0.3 Version: 7.1.0.2 Version: 7.2.0.1 Version: 7.0.4 Version: 7.2.1 Version: 7.0.5 Version: 6.4.0.16 Version: 7.3.0 Version: 7.2.2 Version: 7.3.1 Version: 7.2.3 Version: 7.1.0.3 Version: 7.2.3.1 Version: 7.2.4 Version: 7.0.6 Version: 7.2.4.1 Version: 7.2.5 Version: 7.3.1.1 Version: 7.4.0 Version: 6.4.0.17 Version: 7.0.6.1 Version: 7.2.5.1 Version: 7.4.1 Version: 7.2.6 Version: 7.4.1.1 Version: 7.0.6.2 Version: 6.4.0.18 Version: 7.2.7 Version: 7.2.5.2 Version: 7.3.1.2 Version: 7.2.8 Version: 7.6.0 Version: 7.4.2 Version: 7.2.8.1 Version: 7.0.6.3 Version: 7.4.2.1 Version: 7.2.9 Version: 7.0.7 Version: 7.7.0 Version: 7.4.2.2 Version: 7.2.10 Version: 7.6.1 Version: 7.4.2.3 Version: 7.0.8 Version: 7.6.2 Version: 7.7.10 Version: 7.2.10.1 Version: 7.0.8.1 Version: 7.6.2.1 Version: 7.2.10.2 Version: 7.7.10.1 Version: 7.4.2.4 Version: 7.4.3 Version: 7.7.11 Version: 7.6.4 Version: 10.0.0 Version: 7.4.4 Version: 7.4.5 |
CISA Known Exploited Vulnerability
Data from the CISA Known Exploited Vulnerabilities Catalog
Date added: 2026-03-19
Due date: 2026-03-22
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Used in ransomware: Known
Notes: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh ; https://nvd.nist.gov/vuln/detail/CVE-2026-20131
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20131",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-03-19",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T03:55:40.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-19T00:00:00.000Z",
"value": "CVE-2026-20131 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Cisco Secure Firewall Management Center (FMC)",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "7.0.0"
},
{
"status": "affected",
"version": "7.0.0.1"
},
{
"status": "affected",
"version": "7.0.1"
},
{
"status": "affected",
"version": "7.1.0"
},
{
"status": "affected",
"version": "6.4.0.13"
},
{
"status": "affected",
"version": "7.0.1.1"
},
{
"status": "affected",
"version": "6.4.0.14"
},
{
"status": "affected",
"version": "7.1.0.1"
},
{
"status": "affected",
"version": "7.0.2"
},
{
"status": "affected",
"version": "6.4.0.15"
},
{
"status": "affected",
"version": "7.2.0"
},
{
"status": "affected",
"version": "7.0.2.1"
},
{
"status": "affected",
"version": "7.0.3"
},
{
"status": "affected",
"version": "7.1.0.2"
},
{
"status": "affected",
"version": "7.2.0.1"
},
{
"status": "affected",
"version": "7.0.4"
},
{
"status": "affected",
"version": "7.2.1"
},
{
"status": "affected",
"version": "7.0.5"
},
{
"status": "affected",
"version": "6.4.0.16"
},
{
"status": "affected",
"version": "7.3.0"
},
{
"status": "affected",
"version": "7.2.2"
},
{
"status": "affected",
"version": "7.3.1"
},
{
"status": "affected",
"version": "7.2.3"
},
{
"status": "affected",
"version": "7.1.0.3"
},
{
"status": "affected",
"version": "7.2.3.1"
},
{
"status": "affected",
"version": "7.2.4"
},
{
"status": "affected",
"version": "7.0.6"
},
{
"status": "affected",
"version": "7.2.4.1"
},
{
"status": "affected",
"version": "7.2.5"
},
{
"status": "affected",
"version": "7.3.1.1"
},
{
"status": "affected",
"version": "7.4.0"
},
{
"status": "affected",
"version": "6.4.0.17"
},
{
"status": "affected",
"version": "7.0.6.1"
},
{
"status": "affected",
"version": "7.2.5.1"
},
{
"status": "affected",
"version": "7.4.1"
},
{
"status": "affected",
"version": "7.2.6"
},
{
"status": "affected",
"version": "7.4.1.1"
},
{
"status": "affected",
"version": "7.0.6.2"
},
{
"status": "affected",
"version": "6.4.0.18"
},
{
"status": "affected",
"version": "7.2.7"
},
{
"status": "affected",
"version": "7.2.5.2"
},
{
"status": "affected",
"version": "7.3.1.2"
},
{
"status": "affected",
"version": "7.2.8"
},
{
"status": "affected",
"version": "7.6.0"
},
{
"status": "affected",
"version": "7.4.2"
},
{
"status": "affected",
"version": "7.2.8.1"
},
{
"status": "affected",
"version": "7.0.6.3"
},
{
"status": "affected",
"version": "7.4.2.1"
},
{
"status": "affected",
"version": "7.2.9"
},
{
"status": "affected",
"version": "7.0.7"
},
{
"status": "affected",
"version": "7.7.0"
},
{
"status": "affected",
"version": "7.4.2.2"
},
{
"status": "affected",
"version": "7.2.10"
},
{
"status": "affected",
"version": "7.6.1"
},
{
"status": "affected",
"version": "7.4.2.3"
},
{
"status": "affected",
"version": "7.0.8"
},
{
"status": "affected",
"version": "7.6.2"
},
{
"status": "affected",
"version": "7.7.10"
},
{
"status": "affected",
"version": "7.2.10.1"
},
{
"status": "affected",
"version": "7.0.8.1"
},
{
"status": "affected",
"version": "7.6.2.1"
},
{
"status": "affected",
"version": "7.2.10.2"
},
{
"status": "affected",
"version": "7.7.10.1"
},
{
"status": "affected",
"version": "7.4.2.4"
},
{
"status": "affected",
"version": "7.4.3"
},
{
"status": "affected",
"version": "7.7.11"
},
{
"status": "affected",
"version": "7.6.4"
},
{
"status": "affected",
"version": "10.0.0"
},
{
"status": "affected",
"version": "7.4.4"
},
{
"status": "affected",
"version": "7.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root\u0026nbsp;on an affected device.\r\n\r\nThis vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.\r\nNote: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced."
}
],
"exploits": [
{
"lang": "en",
"value": "In March 2026, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T16:04:35.907Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-fmc-rce-NKhnULJh",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh"
}
],
"source": {
"advisory": "cisco-sa-fmc-rce-NKhnULJh",
"defects": [
"CSCwt14636"
],
"discovery": "INTERNAL"
},
"title": "Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2026-20131",
"datePublished": "2026-03-04T17:17:56.008Z",
"dateReserved": "2025-10-08T11:59:15.380Z",
"dateUpdated": "2026-03-25T16:04:35.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2026-20131",
"cwes": "[\"CWE-502\"]",
"dateAdded": "2026-03-19",
"dueDate": "2026-03-22",
"knownRansomwareCampaignUse": "Known",
"notes": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh ; https://nvd.nist.gov/vuln/detail/CVE-2026-20131",
"product": "Secure Firewall Management Center (FMC)",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.",
"vendorProject": "Cisco",
"vulnerabilityName": "Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-20131\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-19T15:44:02.644612Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-03-19\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131\"}}}], \"references\": [{\"url\": \"https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-05T14:06:12.803Z\"}, \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-19T00:00:00.000Z\", \"value\": \"CVE-2026-20131 added to CISA KEV\"}]}], \"cna\": {\"title\": \"Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability\", \"source\": {\"defects\": [\"CSCwt14636\"], \"advisory\": \"cisco-sa-fmc-rce-NKhnULJh\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"cvssV3_1\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"Cisco Secure Firewall Management Center (FMC)\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.0.0\"}, {\"status\": \"affected\", \"version\": \"7.0.0.1\"}, {\"status\": \"affected\", \"version\": \"7.0.1\"}, {\"status\": \"affected\", \"version\": \"7.1.0\"}, {\"status\": \"affected\", \"version\": \"6.4.0.13\"}, {\"status\": \"affected\", \"version\": \"7.0.1.1\"}, {\"status\": \"affected\", \"version\": \"6.4.0.14\"}, {\"status\": \"affected\", \"version\": \"7.1.0.1\"}, {\"status\": \"affected\", \"version\": \"7.0.2\"}, {\"status\": \"affected\", \"version\": \"6.4.0.15\"}, {\"status\": \"affected\", \"version\": \"7.2.0\"}, {\"status\": \"affected\", \"version\": \"7.0.2.1\"}, {\"status\": \"affected\", \"version\": \"7.0.3\"}, {\"status\": \"affected\", \"version\": \"7.1.0.2\"}, {\"status\": \"affected\", \"version\": \"7.2.0.1\"}, {\"status\": \"affected\", \"version\": \"7.0.4\"}, {\"status\": \"affected\", \"version\": \"7.2.1\"}, {\"status\": \"affected\", \"version\": \"7.0.5\"}, {\"status\": \"affected\", \"version\": \"6.4.0.16\"}, {\"status\": \"affected\", \"version\": \"7.3.0\"}, {\"status\": \"affected\", \"version\": \"7.2.2\"}, {\"status\": \"affected\", \"version\": \"7.3.1\"}, {\"status\": \"affected\", \"version\": \"7.2.3\"}, {\"status\": \"affected\", \"version\": \"7.1.0.3\"}, {\"status\": \"affected\", \"version\": \"7.2.3.1\"}, {\"status\": \"affected\", \"version\": \"7.2.4\"}, {\"status\": \"affected\", \"version\": \"7.0.6\"}, {\"status\": \"affected\", \"version\": \"7.2.4.1\"}, {\"status\": \"affected\", \"version\": \"7.2.5\"}, {\"status\": \"affected\", \"version\": \"7.3.1.1\"}, {\"status\": \"affected\", \"version\": \"7.4.0\"}, {\"status\": \"affected\", \"version\": \"6.4.0.17\"}, {\"status\": \"affected\", \"version\": \"7.0.6.1\"}, {\"status\": \"affected\", \"version\": \"7.2.5.1\"}, {\"status\": \"affected\", \"version\": \"7.4.1\"}, {\"status\": \"affected\", \"version\": \"7.2.6\"}, {\"status\": \"affected\", \"version\": \"7.4.1.1\"}, {\"status\": \"affected\", \"version\": \"7.0.6.2\"}, {\"status\": \"affected\", \"version\": \"6.4.0.18\"}, {\"status\": \"affected\", \"version\": \"7.2.7\"}, {\"status\": \"affected\", \"version\": \"7.2.5.2\"}, {\"status\": \"affected\", \"version\": \"7.3.1.2\"}, {\"status\": \"affected\", \"version\": \"7.2.8\"}, {\"status\": \"affected\", \"version\": \"7.6.0\"}, {\"status\": \"affected\", \"version\": \"7.4.2\"}, {\"status\": \"affected\", \"version\": \"7.2.8.1\"}, {\"status\": \"affected\", \"version\": \"7.0.6.3\"}, {\"status\": \"affected\", \"version\": \"7.4.2.1\"}, {\"status\": \"affected\", \"version\": \"7.2.9\"}, {\"status\": \"affected\", \"version\": \"7.0.7\"}, {\"status\": \"affected\", \"version\": \"7.7.0\"}, {\"status\": \"affected\", \"version\": \"7.4.2.2\"}, {\"status\": \"affected\", \"version\": \"7.2.10\"}, {\"status\": \"affected\", \"version\": \"7.6.1\"}, {\"status\": \"affected\", \"version\": \"7.4.2.3\"}, {\"status\": \"affected\", \"version\": \"7.0.8\"}, {\"status\": \"affected\", \"version\": \"7.6.2\"}, {\"status\": \"affected\", \"version\": \"7.7.10\"}, {\"status\": \"affected\", \"version\": \"7.2.10.1\"}, {\"status\": \"affected\", \"version\": \"7.0.8.1\"}, {\"status\": \"affected\", \"version\": \"7.6.2.1\"}, {\"status\": \"affected\", \"version\": \"7.2.10.2\"}, {\"status\": \"affected\", \"version\": \"7.7.10.1\"}, {\"status\": \"affected\", \"version\": \"7.4.2.4\"}, {\"status\": \"affected\", \"version\": \"7.4.3\"}, {\"status\": \"affected\", \"version\": \"7.7.11\"}, {\"status\": \"affected\", \"version\": \"7.6.4\"}, {\"status\": \"affected\", \"version\": \"10.0.0\"}, {\"status\": \"affected\", \"version\": \"7.4.4\"}, {\"status\": \"affected\", \"version\": \"7.4.5\"}], \"defaultStatus\": \"unknown\"}], \"exploits\": [{\"lang\": \"en\", \"value\": \"In March 2026, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.\"}], \"references\": [{\"url\": \"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh\", \"name\": \"cisco-sa-fmc-rce-NKhnULJh\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root\u0026nbsp;on an affected device.\\r\\n\\r\\nThis vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.\\r\\nNote: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"cwe\", \"cweId\": \"CWE-502\", \"description\": \"Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2026-03-25T16:04:35.907Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-20131\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T16:04:35.907Z\", \"dateReserved\": \"2025-10-08T11:59:15.380Z\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2026-03-04T17:17:56.008Z\", \"assignerShortName\": \"cisco\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…