Zero-Day Security Alert — March 20, 2026: Cisco Secure Firewall Management Center RCE Actively Exploited
- Jacob Hughes
- Mar 20
- 2 min read
Daily Security Briefing
March 20, 2026
CVE-2026-20131 | CVSS 10.0 | CRITICAL Severity | Actively Exploited (Known Ransomware Use)
Affected Product
Cisco Secure Firewall Management Center (FMC) versions 6.4.0.13 through 7.7.11 and version 10.0.0. Over 70 affected version branches spanning multiple major releases. Also affects Cisco Security Cloud Control (SCC) Firewall Management.
Description
An insecure deserialization vulnerability (CWE-502) exists in the web-based management interface of Cisco Secure Firewall Management Center. An unauthenticated, remote attacker can send a crafted serialized Java object to the management interface to execute arbitrary Java code with root privileges on the affected device. This vulnerability carries the maximum CVSS score of 10.0 due to the combination of no authentication required, low attack complexity, network-based attack vector, and complete compromise of confidentiality, integrity, and availability with scope change.
Attack Vector
Network-based with low complexity. No privileges or user interaction required. The attacker sends a malicious serialized Java object to the FMC web management interface. If the FMC management interface is not exposed to the public internet, the attack surface is reduced but not eliminated -- lateral movement from an internal position remains viable. This vulnerability is being actively exploited in the wild, with confirmed association to Interlock ransomware campaigns targeting enterprise firewall infrastructure.
Remediation
Apply mitigations per Cisco Security Advisory cisco-sa-fmc-rce-NKhnULJh immediately. Ensure FMC management interfaces are not exposed to the public internet. Restrict management interface access to trusted administrative networks only. Monitor for indicators of compromise associated with Interlock ransomware. Follow applicable BOD 22-01 guidance for cloud services, or discontinue use of affected versions if patching is not immediately possible.
CISA Remediation Due Date: March 22, 2026
This report is generated automatically from NVD and CISA KEV data.
Comments