Cisco Secure Firewall Management Center 6.4.0.13-6.4.0.18, 7.0.0 - RCE via Java Deserialization
Title source: llm
Exploitation Summary
CVE-2026-20131 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 19, 2026, with confirmed use in ransomware campaigns. EIP tracks 7 public exploits from researchers including XiaomingX, adminlove520, 0xBlackash.
AI-analyzed exploit summary
The repository contains obfuscated Python code using PyArmor, which is highly unusual for legitimate PoCs. The lack of readable exploit logic and the presence of obfuscation suggest malicious intent.
Description
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.
Exploits (7)
The repository contains obfuscated Python code using PyArmor, which is highly unusual for legitimate PoCs. The lack of readable exploit logic and the presence of obfuscation suggest malicious intent.
This repository provides a detailed technical writeup and implementation of a low-interaction honeypot designed to mimic a Cisco Secure Firewall Management Center (FMC) web surface. It captures unauthenticated Java serialization-style attack traffic by detecting specific magic bytes and extracting shell or URL strings using regular expressions and heuristics, without actually deserializing Java objects.
The repository contains a Python script that checks for the presence of CVE-2026-20131 in Cisco Secure Firewall Management Center (FMC) by probing known endpoints for Java deserialization responses. It does not include an exploit payload, only detection logic.
This repository contains a low-interaction honeypot designed to mimic a Cisco Secure Firewall Management Center (FMC) web surface and capture unauthenticated Java serialization-style attack traffic. It detects and logs deserialization probes without executing malicious payloads, making it a functional proof-of-concept for studying CVE-2026-20131.
This repository contains a functional exploit PoC for CVE-2026-20131, a critical Java deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software. It includes a detection script (`check.py`) and a full exploit (`poc.py`) leveraging ysoserial for unauthenticated remote code execution as root.
The repository contains obfuscated Python code using PyArmor, which is highly suspicious and indicative of malicious intent. The lack of readable exploit logic and the use of obfuscation tools suggest deception.
The repository contains a detection script for CVE-2026-20131, which targets insecure Java deserialization in Cisco Secure Firewall Management Center (FMC). The script probes known endpoints with Java serialization magic bytes to identify potential vulnerability without executing an exploit.
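The magic-byte detection that the honeypot and scanner entries above describe, as an added example that is not code from any of the listed repositories: it flags a request body carrying a raw or base64-encoded Java serialization stream and reads only the stream header and the first class descriptor, never deserializing anything. The sample bodies are constructed, not captured traffic.

```python
import base64
import re
import struct

# Java serialization header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# The same four bytes base64-encode to text beginning "rO0AB".
B64_MAGIC_RE = re.compile(rb"rO0AB[A-Za-z0-9+/=]{8,}")
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def first_class_name(stream: bytes):
    """Class named by the first TC_OBJECT/TC_CLASSDESC, or None.
    Only the header and the class-name field are read; nothing is deserialized."""
    hdr = len(JAVA_STREAM_MAGIC)
    if not stream.startswith(JAVA_STREAM_MAGIC) or len(stream) < hdr + 4:
        return None
    if stream[hdr] != TC_OBJECT or stream[hdr + 1] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", stream[hdr + 2:hdr + 4])
    name = stream[hdr + 4:hdr + 4 + name_len]
    return name.decode("utf-8", "replace") if len(name) == name_len else None


def inspect_body(body: bytes) -> dict:
    """Classify one request body: raw Java stream, base64-wrapped stream, or neither."""
    if JAVA_STREAM_MAGIC in body:
        off = body.index(JAVA_STREAM_MAGIC)
        return {"java_stream": True, "encoding": "raw", "offset": off,
                "class": first_class_name(body[off:])}
    m = B64_MAGIC_RE.search(body)
    if m:
        chunk = m.group(0)
        try:  # drop a trailing partial quantum, then decode the candidate blob
            decoded = base64.b64decode(chunk[: len(chunk) // 4 * 4])
        except ValueError:
            decoded = b""
        if decoded.startswith(JAVA_STREAM_MAGIC):
            return {"java_stream": True, "encoding": "base64", "offset": m.start(),
                    "class": first_class_name(decoded)}
    return {"java_stream": False}


# Constructed sample bodies (not captured traffic); the stream names a benign class.
_NAME = b"java.util.HashMap"
SAMPLE_RAW = (JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
              + struct.pack(">H", len(_NAME)) + _NAME + b"\x00" * 8)
SAMPLE_B64 = b"payload=" + base64.b64encode(SAMPLE_RAW) + b"&x=1"
BENIGN = b'{"username": "admin", "page": 1}'
```

A honeypot or WAF rule can log the returned class name to see which class an incoming stream names, without ever handing the bytes to a Java deserializer.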
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H