Vulnerability
Advisory/Mitigation
Exploitation Wave
Security Patch Release
Cisco FMC zero-day exploitation and KEV response
Updated 23.03.2026 12:30
Case score 69
Score breakdown
- Total: 69
- Lead score: 66
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 2
Top contributors
- Vulnerability (base): Maximum-severity FMC flaw with remote root-level compromise risk.
- Advisory/Mitigation (context): Adds the CISA KEV listing and the federal remediation deadline for the same CVE.
- Security Patch Release (context): Adds Cisco's March 4 patch release and confirms SCC Firewall Management is also affected.
- Exploitation Wave (support): Adds active exploitation reporting tied to Interlock and a zero-day abuse timeline that began before patching.
Members 4
Latest activity 23.03.2026 12:30
Active exploitation
KEV: CISA KEV
Patch/mitigation varies by member
CVSS: 10.0 Critical
First seen 04.03.2026 21:12
Last seen 23.03.2026 12:30
Overview
**Cisco Secure Firewall Management Center (FMC)** is under a zero-day exploitation wave centered on **CVE-2026-20131**, a deserialization flaw in the web-based management interface that can let an unauthenticated attacker execute Java code as root. Reporting tied the abuse to **Interlock** activity beginning on **January 26, 2026**, before Cisco's March 4 patch and before CISA moved the flaw into the **KEV** catalog.
Cisco has already released fixes, and CISA ordered federal civilian agencies to remediate **CVE-2026-20131** by **March 22** or stop using FMC if mitigations are unavailable. The available evidence points to real exploitation pressure on a management-plane product, but it does not quantify how many deployments were hit or fully map the exposure footprint.
Attackers are exploiting **CVE-2026-20131** in **Cisco Secure Firewall Management Center (FMC)** to reach root-level code execution through the web-based management interface.
Cisco said the flaw is a deserialization issue in user-supplied Java data, and it also affects **Cisco Security Cloud Control (SCC) Firewall Management**.
Amazon threat intelligence said the abuse began on **January 26, 2026**, giving the attacker a head start before disclosure and patching.
Cisco released security updates on **March 4**, and the patch bulletin initially said there was no evidence of exploitation or public proof-of-concept code.
Cisco later updated the bulletin after abuse was tied to **Interlock** activity against enterprise firewalls.
CISA added **CVE-2026-20131** to the **KEV catalog** on **March 19** and ordered federal civilian agencies to remediate it by **March 22** or stop using the product if mitigations are unavailable.
The exposure matters because FMC is the management plane for firewall policy and related controls, so successful exploitation can undermine perimeter defenses.
Available evidence does not quantify how many FMC deployments were hit, and it does not show whether all affected systems were exposed to the internet.