CISA warns of actively exploited Cisco firewall flaw tied to ransomware attacks
Organizations using Cisco Secure Firewall Management Center should treat CVE-2026-20131 as an emergency. Cisco says the flaw can let an unauthenticated remote attacker execute arbitrary Java code as root through the web-based management interface, while CISA has added it to the Known Exploited Vulnerabilities catalog after confirmed in-the-wild abuse.
The risk goes beyond a routine patch cycle. Amazon threat intelligence said the Interlock ransomware operation exploited the bug as a zero-day, with activity traced back to January 26, 2026, which means attackers were using it weeks before Cisco publicly disclosed and patched it on March 4.
This vulnerability affects Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. Cisco rates it Critical with a CVSS score of 10.0, and describes it as insecure deserialization of a user-supplied Java byte stream in the management interface.
If attackers reach a vulnerable management interface, they may run code with root privileges on the device. From there, they can tamper with firewall policy management, expand access inside the environment, and use that foothold to support follow-on intrusion activity, including ransomware deployment. Cisco also notes that the attack surface is lower if the FMC management interface is not exposed to the public internet.
What happened
Cisco published its advisory for CVE-2026-20131 on March 4 as part of a broader March 2026 firewall security release that covered 25 advisories and 48 vulnerabilities across Secure Firewall ASA, Secure FMC, and Secure FTD software. In that release, Cisco listed CVE-2026-20131 as a Critical remote code execution issue in Secure Firewall Management Center.
CISA later added the bug to its Known Exploited Vulnerabilities catalog, confirming active exploitation. The publicly visible catalog data tied to the CVE shows federal agencies were given a rapid remediation deadline and instructed to apply vendor mitigations or discontinue use if mitigations were unavailable.
Amazon then provided the clearest public attribution so far, saying Interlock ransomware operators exploited the flaw before disclosure. According to Amazon, its researchers observed activity linked to the vulnerability 36 days before Cisco published the patch.
Why this flaw matters
Attackers target centralized management systems because they offer broad control and visibility across security infrastructure. A successful compromise of FMC or SCC Firewall Management can hand an intruder a valuable operational position inside the network stack, not just access to a single endpoint.
That makes this case more serious than a standard edge-device vulnerability. The flaw sits in the management layer, and the confirmed ransomware connection raises the urgency for enterprises that rely on Cisco firewall administration tools for policy control and security operations.
Cisco CVE-2026-20131 at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-20131 |
| Affected products | Cisco Secure Firewall Management Center Software; Cisco Security Cloud Control Firewall Management |
| Severity | Critical |
| CVSS score | 10.0 |
| Vulnerability type | Deserialization of untrusted data / insecure deserialization |
| Attack requirements | Unauthenticated, remote |
| Potential impact | Arbitrary Java code execution as root |
| Public exploitation | Yes |
| Ransomware link | Amazon says Interlock exploited it as a zero-day |
| Vendor fix available | Yes, Cisco released software updates on March 4, 2026 |
What defenders should do now
Security teams should move quickly because the flaw is already under active exploitation. Cisco has released fixes, and CISA’s guidance points organizations to vendor mitigations or product discontinuation if they cannot secure the affected deployment.
Priority steps include:
- Patch affected FMC and SCC Firewall Management deployments immediately.
- Restrict access to the web-based management interface. Do not leave it publicly reachable unless absolutely necessary.
- Review logs and exposure history for signs of unexpected HTTP requests or suspicious management-plane activity dating back to late January 2026. Amazon said exploitation began on January 26.
- Treat internet-exposed management consoles as high-priority incident response targets until you confirm patch status and integrity. This is an evidence-based inference from the confirmed attack path and root-level impact described by Cisco and Amazon.
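The log-review and exposure steps above can be started with a small triage script. This is an added example written for this article, not code from Cisco, CISA or Amazon; it assumes a Combined-Log-Format access log from the management interface, a placeholder admin allowlist (10.0.5.0/24), constructed sample lines with placeholder paths (the article does not name the vulnerable endpoint), and the January 26 to March 4 window the article reports.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample lines in Combined Log Format; paths are placeholders, not the real endpoint.
SAMPLE_LOG = """\
10.0.5.12 - admin [27/Jan/2026:09:14:03 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Jan/2026:02:41:17 +0000] "POST /placeholder/endpoint HTTP/1.1" 500 0 "-" "curl/8.4"
10.0.5.12 - admin [04/Mar/2026:11:02:55 +0000] "POST /ui/policy/save HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2026:22:10:41 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed administrative network; replace with the allowlist for your environment.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# Exposure window: Amazon's reported first activity through Cisco's patch release date.
WINDOW_START = datetime(2026, 1, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 4, 23, 59, 59, tzinfo=timezone.utc)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_admin_source(ip):
    return any(ipaddress.ip_address(ip) in net for net in ADMIN_NETS)

def triage(log_text):
    """Return (ip, timestamp, path, reasons) for requests from outside the admin allowlist."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_admin_source(rec["ip"]):
            continue  # expected administrative traffic; not an exposure finding
        reasons = ["non-admin source"]
        if rec["method"] == "POST" and rec["user"] == "-":
            reasons.append("unauthenticated POST")  # write to the management plane with no user
        if WINDOW_START <= rec["ts"] <= WINDOW_END:
            reasons.append("in pre-patch window")
        findings.append((rec["ip"], rec["ts"].isoformat(), rec["path"], reasons))
    return findings
```

Any finding that carries all three reasons is a candidate for the incident-response treatment described above rather than routine log review.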
Key timeline
- January 26, 2026: Amazon says threat activity related to CVE-2026-20131 began.
- March 4, 2026: Cisco disclosed CVE-2026-20131 and released fixes.
- March 18, 2026: Public reporting tied exploitation to Interlock ransomware activity.
- March 19, 2026: CISA added the bug to the KEV catalog, according to the catalog data reflected in NVD.
FAQ
What is CVE-2026-20131?
It is a Critical remote code execution vulnerability in Cisco Secure Firewall Management Center and Cisco Security Cloud Control Firewall Management. Cisco says the bug stems from insecure deserialization in the web-based management interface.
Is it being exploited?
Yes. CISA added it to the Known Exploited Vulnerabilities catalog, and Amazon said the Interlock ransomware group exploited it as a zero-day.
How is it exploited?
Cisco says an unauthenticated remote attacker can exploit the flaw by sending a crafted serialized Java object to the affected management interface.
What is the impact of a successful attack?
A successful attack can let the attacker execute arbitrary Java code as root on the affected device. That level of access can lead to full compromise of the management system.
What should organizations do?
Apply Cisco’s available updates, reduce exposure to the management interface, and investigate whether vulnerable systems were reachable or probed before patching.