Cisco Secure Firewall flaw lets attackers run code as root with no login
Cisco has disclosed a critical vulnerability in Secure Firewall Management Center that can let an unauthenticated remote attacker execute arbitrary Java code as root on an affected device. The issue is tracked as CVE-2026-20131, and Cisco rates it at the maximum CVSS 3.1 score of 10.0.

The flaw sits in the web-based management interface of Cisco Secure Firewall Management Center, also known as FMC. Cisco says the bug stems from insecure deserialization of a user-supplied Java byte stream, which means a specially crafted request can trigger code execution on the target system.

This matters because FMC is the control plane for firewall policy and visibility. If an attacker gains root access there, they can change security settings, weaken defenses, and use that foothold to move deeper into the network. Cisco also notes that limiting internet access to the FMC management interface reduces exposure, but it does not remove the need to patch.

Cisco’s advisory has become more urgent because the company updated the record to reflect attempted exploitation in the wild during March 2026. The issue also appears in CISA’s Known Exploited Vulnerabilities catalog, which means defenders should treat this as an active risk rather than a theoretical one.

How the vulnerability works

Cisco says an attacker can send a crafted serialized Java object to the vulnerable management interface. If the attempt succeeds, the attacker can run arbitrary code on the device and elevate privileges to root.

The bug does not require authentication. It also does not require user interaction. Those two facts push the risk level very high, especially for organizations that expose management interfaces to the public internet.
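The pattern the advisory describes, as an added Java illustration (this is not Cisco's code or the FMC implementation): the vulnerable form hands an untrusted byte stream straight to ObjectInputStream.readObject(), while the hardened form installs a JEP 290 ObjectInputFilter allowlist so only the expected message type can be instantiated. StatusMessage, DeserializationDemo and the "fmc-lab" sample value are constructed for the example.

```java
import java.io.*;
import java.util.ArrayList;

// Constructed message type standing in for whatever a management interface expects to receive.
class StatusMessage implements Serializable {
    String host; int code;
    StatusMessage(String host, int code) { this.host = host; this.code = code; }
}

public class DeserializationDemo {
    // Vulnerable pattern: readObject() builds whatever class the byte stream names,
    // so the sender, not the server, decides which types get instantiated.
    static Object unsafeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern (JEP 290): an allowlist filter admits only the expected message
    // class and core java.lang types, rejects every other class, and bounds graph depth
    // and stream size before any class is resolved.
    static Object safeRead(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "StatusMessage;java.lang.*;!*;maxdepth=4;maxbytes=65536");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allowlist);   // must be set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new StatusMessage("fmc-lab", 200));
        // A harmless, unrelated class stands in for "a type the interface never asked for".
        byte[] unexpected = serialize(new ArrayList<String>());
        System.out.println("unsafe accepts anything: " + unsafeRead(unexpected).getClass());
        System.out.println("safe accepts expected:   " + safeRead(expected).getClass());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe rejects unexpected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the jdk.serialFilter system property, which is the practical route when the code that calls readObject() cannot be changed.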

Amazon threat intelligence said Interlock ransomware operators were exploiting CVE-2026-20131 before public disclosure. AWS reported observed exploitation beginning on January 26, 2026, 36 days before Cisco published its advisory on March 4, 2026.

Why this issue is so serious

A root-level compromise of a firewall management platform can affect far more than one appliance. Attackers who take over FMC may gain the ability to:

  • change firewall rules
  • disable or weaken protections
  • alter monitoring and logging
  • create persistent backdoors
  • use the management server as a pivot point into the rest of the network

Cisco’s CVSS vector shows why the flaw is critical: network reachable, low complexity, no privileges required, and high impact on confidentiality, integrity, and availability.

Affected and unaffected products

Cisco says the vulnerability affects Cisco Secure Firewall Management Center software and Cisco Security Cloud Control Firewall Management. Cisco also says Secure Firewall ASA and Secure Firewall Threat Defense are not affected by this specific issue.

Product | Status | What admins should do
Cisco Secure Firewall Management Center | Affected | Patch immediately
Cisco Security Cloud Control Firewall Management | Affected | Check Cisco guidance and update status
SaaS-delivered SCC Firewall Management | Fixed by Cisco | No customer patching needed
Cisco Secure Firewall ASA | Not affected | No action for this CVE
Cisco Secure Firewall Threat Defense | Not affected | No action for this CVE

What Cisco says admins should do now

Cisco says there are no workarounds that fully address the vulnerability for on-premises deployments. Organizations need to apply the official software updates without delay.

Cisco also advises customers to keep the FMC management interface off the public internet. That step reduces the attack surface, but it complements patching rather than replacing it.

Practical response steps:

  • identify every FMC deployment in your environment
  • confirm whether the management interface is internet-accessible
  • use Cisco Software Checker to verify the exact affected version
  • install Cisco’s fixed release as soon as possible
  • review logs and configuration changes for suspicious activity
  • hunt for signs of unauthorized access if the interface was exposed

Timeline at a glance

Date | Event
January 26, 2026 | AWS says exploitation began in the wild
March 4, 2026 | Cisco publicly disclosed CVE-2026-20131
March 19, 2026 | CISA added the issue to its Known Exploited Vulnerabilities catalog
March 2026 | Cisco confirmed attempted exploitation in the wild

FAQ

What is CVE-2026-20131?

It is a critical insecure deserialization flaw in the web-based management interface of Cisco Secure Firewall Management Center. It can let an unauthenticated remote attacker execute arbitrary Java code as root.

Is this vulnerability being exploited?

Yes. Cisco says it is aware of attempted exploitation in the wild, and AWS reported an Interlock ransomware campaign exploiting the flaw before public disclosure.

Does this affect Cisco ASA or FTD?

No. Cisco says Secure Firewall ASA and Secure Firewall Threat Defense are not vulnerable to this specific issue.

Is there a workaround?

Cisco says on-premises deployments do not have a workaround that fixes the issue. Restricting access to the management interface helps reduce exposure, but patching remains necessary.

What should organizations do first?

Find every exposed FMC instance, remove public internet access where possible, verify versions with Cisco Software Checker, and apply the vendor’s update immediately.
