Vulnerability Advisory/Mitigation Exploitation Wave Security Patch Release

Cisco FMC zero-day exploitation and KEV response

Updated 23.03.2026 12:30

Case score 69

Case score 69 Members 4 Latest activity 23.03.2026 12:30

Active exploitation KEV: CISA KEV Patch status varies by member CVSS: 10.0 Critical

Members 4 First seen 04.03.2026 21:12 Last seen 23.03.2026 12:30 Updated 23.03.2026 12:30

Overview

**Cisco Secure Firewall Management Center (FMC)** is under a zero-day exploitation wave centered on **CVE-2026-20131**, a deserialization flaw in the web-based management interface that can let an unauthenticated attacker execute Java code as root. Reporting tied the abuse to **Interlock** activity beginning on **January 26, 2026**, before Cisco's March 4 patch and before CISA moved the flaw into the **KEV** catalog. Cisco has already released fixes, and CISA ordered federal civilian agencies to remediate **CVE-2026-20131** by **March 22** or stop using FMC if mitigations are unavailable. The available evidence points to real exploitation pressure on a management-plane product, but it does not quantify how many deployments were hit or fully map the exposure footprint.

Key facts

**CVE-2026-20131** in **Cisco Secure Firewall Management Center (FMC)** is being exploited through the web-based management interface to reach root-level code execution.
The affected surface includes **Cisco Secure Firewall Management Center (FMC)** and **Cisco Security Cloud Control (SCC) Firewall Management**.
Amazon threat intelligence said the abuse began on **January 26, 2026**, before public disclosure and patching.
**Cisco** released security updates on **March 4**, and the bulletin was later updated after abuse was tied to **Interlock** activity.
**CISA** added **CVE-2026-20131** to the **KEV catalog** on **March 19** and ordered federal civilian agencies to remediate it by **March 22** or stop using the product if mitigations are unavailable.
Available evidence does not quantify how many FMC deployments were hit, and it does not show whether all affected systems were exposed to the internet.

Signals

8 derived

Exploitation

CVSS 10.0 Critical Exploitation Active exploitation

CVEs/products

CVE

Victims/regions

Victim region United States

Remediation

Remediation Urgency High KEV CISA KEV

Threat context

Threat context Interlock

Malware context

4 families · 5 tools

Tools

Certify Volatility ClickFix ConnectWise ScreenConnect Volatility Framework

Member happenings

4 related

Vulnerability Cisco Secure Firewall Management Center (FMC) authentication bypass and RCE flaws (multiple vulnerabilities)

Updated 04.03.2026 21:12 Lead Contribution 66

Exploitation No Known Exploitation Exploit No Known Public Exploit CVSS 10.0 Critical Patch Patch Available

**Cisco Secure Firewall Management Center (FMC)** has two **maximum-severity** flaws, **CVE-2026-20079** and **CVE-2026-20131**, that can let **unauthenticated attackers** take over **unpatched devices**. One flaw can yield **root access** through crafted **HTTP requests**, and the other can execute **arbitrary Java code as root** via a crafted serialized Java object sent to the **web-based management interface**. Cisco released **security updates** on **March 4**, and the impact matters because FMC is the **administrative nerve center** for firewall policy and protection controls. **CISA** later added **CVE-2026-20131** to the **KEV catalog** and ordered **federal civilian agencies** to patch it quickly after reports of **active exploitation** and use in **ransomware campaigns**.

View happening

Exploitation Wave Interlock Cisco Secure Firewall Management Center zero-day exploitation wave

Updated 18.03.2026 18:53 Scoring Support Contribution 2

Exploitation Active Exploitation CVSS 10.0 Critical Patch Patch Available

A **zero-day exploitation wave** tied to **Interlock** has been hitting **Cisco Secure Firewall Management Center (FMC)**, putting **enterprise firewalls** at risk before patching. Cisco's **CVE-2026-20131** fix on **March 4** addressed a flaw that could let unauthenticated attackers run arbitrary Java code as root on unpatched devices. Amazon said the abuse began on **January 26, 2026**, giving attackers a head start before public disclosure.

View happening

Advisory/Mitigation CISA urgent mitigation order for Cisco FMC CVE-2026-20131

Updated 23.03.2026 12:30 Context

Exploitation Active Exploitation CVSS 10.0 Critical Urgency High Patch Patch Available

**CISA** ordered **federal civilian agencies** to patch **CVE-2026-20131** in **Cisco Secure Firewall Management Center (FMC)** within **three days** or discontinue use if mitigations are unavailable. The directive responds to an **actively exploited** **critical RCE** that can let an unauthenticated attacker run code as **root** on affected devices. CISA placed the vulnerability in its **KEV catalog** on **Thursday 19 March**, signaling urgent exposure across government deployments.

View happening

Security Patch Release Cisco Secure Firewall Management Center patch release (CVE-2026-20079, CVE-2026-20131)

Updated 04.03.2026 21:12 Context

Exploitation No Known Exploitation CVSS 10.0 Critical Urgency High Patch Patch Available

**Cisco Secure Firewall Management Center (FMC)** patch release for **CVE-2026-20131** and **CVE-2026-20079** addressed **CVSS 10** flaws that could let an **unauthenticated remote attacker** gain **root** or execute arbitrary code on affected devices. Cisco patched the issues on **March 4**, and later reporting said **Interlock ransomware** had been exploiting **CVE-2026-20131** as a **zero-day** for months, prompting **CISA** to order federal civilian agencies to patch by **March 22**.

View happening