CVE-2026-20131

CRITICAL KEV RANSOMWARE LAB

Cisco FMC - Deserialization

Title source: llm

Description

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.

Exploits (5)

github TROJAN 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-20131

View Code ZIP pw:eip

nomisec WORKING POC

by Hassan-Pouladi · poc

https://github.com/Hassan-Pouladi/Cisco-FMC-honeypot

View Code ZIP pw:eip

nomisec WORKING POC

by sak110 · poc

https://github.com/sak110/CVE-2026-20131

View Code ZIP pw:eip

nomisec TROJAN

by p3Nt3st3r-sTAr · poc

https://github.com/p3Nt3st3r-sTAr/CVE-2026-20131-POC

View Code ZIP pw:eip

nomisec SCANNER

by Sushilsin · poc

https://github.com/Sushilsin/CVE-2026-20131

View Code ZIP pw:eip

References (3)

[Vendor Advisory] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh

[Various Sources] https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/

[Third Party Advisory, US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131

Scores

CVSS v3 10.0

EPSS 0.0107

EPSS Percentile 77.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull caddy:2-alpine

https://github.com/Sushilsin/CVE-2026-20131

https://github.com/p3Nt3st3r-sTAr/CVE-2026-20131-POC

https://github.com/XiaomingX/data-cve-poc-py-v1

+2 more repos

View in Library

Details

CISA KEV 2026-03-19

VulnCheck KEV 2026-03-18

ENISA EUVD EUVD-2026-9444

Ransomware Use Confirmed

CWE

CWE-502

Status published

Products (50)

Cisco/Cisco Secure Firewall Management Center (FMC) 10.0.0

Cisco/Cisco Secure Firewall Management Center (FMC) 6.4.0.13

Cisco/Cisco Secure Firewall Management Center (FMC) 6.4.0.14

Cisco/Cisco Secure Firewall Management Center (FMC) 6.4.0.15

Cisco/Cisco Secure Firewall Management Center (FMC) 6.4.0.16

Cisco/Cisco Secure Firewall Management Center (FMC) 6.4.0.17

Cisco/Cisco Secure Firewall Management Center (FMC) 6.4.0.18

Cisco/Cisco Secure Firewall Management Center (FMC) 7.0.0

Cisco/Cisco Secure Firewall Management Center (FMC) 7.0.0.1

Cisco/Cisco Secure Firewall Management Center (FMC) 7.0.1

... and 40 more

Published Mar 04, 2026

KEV Added Mar 19, 2026

Tracked Since Mar 05, 2026