INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Cisco FMC Vulnerability Exploit Found in Max-Severity Flaw
2026-03-20 15:09 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
The threat actor behind the Interlock ransomware has been exploiting CVE-2026-20131, a maximum-severity (CVSS 10.0) vulnerability in Cisco Secure Firewall Management Center (FMC) Software, as a zero-day. Cisco released fixes on March 4, 2026 and said at the time that its PSIRT was not aware of exploitation; Amazon researchers later reported that Interlock had been exploiting the flaw since January 26, 2026, more than a month before the patch was published. Cisco updated its advisory on March 18 to warn of in-the-wild exploitation, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on March 20, giving Federal Civilian Executive Branch agencies until Sunday, March 22 to apply the updates or stop using the product. Cisco's advisory describes the bug as insecure Java deserialization in the web-based management interface: an unauthenticated, remote attacker can execute arbitrary Java code as root on an affected device by sending a crafted serialized object. The same flaw also affects Cisco Security Cloud Control (SCC) Firewall Management. A second maximum-severity FMC flaw fixed in the same release, CVE-2026-20079, allows an authentication bypass and execution of script files for root access on the device; only CVE-2026-20131 has been added to the KEV catalog.
Technical Mitigations (AI-generated)
* Apply Cisco's fixed releases for Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. CVE-2026-20131 is exploited in the wild and CISA's KEV deadline for federal agencies was March 22, 2026; where patching is not possible, CISA's direction is to stop using the product.
* Until the fix is applied, limit who can reach the FMC web-based management interface. The flaw is reachable by an unauthenticated, remote attacker, so exposure of the interface to untrusted networks is the primary risk.
* Monitor web-interface access logs and network traffic for crafted serialized Java objects and other anomalous requests to the management interface, and investigate any sign of root-level command execution or of the Interlock group's follow-on tooling (ClickFix lures, NodeSnake and Slopoly).
* A web application firewall in front of the management interface can block requests that carry serialized Java payloads as a compensating control, but it does not replace the vendor fix.
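The monitoring and WAF bullets above reduce to one check: does a request to the management interface carry a serialized Java object? The script below is an added example for this page, not Cisco's code, not detection content from any vendor, and not an exploit. It relies only on the fixed Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005, then a TC_* content tag; "rO0AB" in base64); the request samples, the placeholder paths and the HttpRequest record type are constructed for the example. It goes slightly beyond the raw case the advisory implies by also checking percent-encoded and base64-wrapped bodies, since form and JSON parameters are how a payload usually reaches a web interface.

```python
"""Hunt for serialized-Java-object payloads in HTTP requests to a management UI.

Added example for this page, not Cisco's code and not any vendor's detection
content. The advisory says CVE-2026-20131 is triggered by a crafted serialized
Java object sent to the FMC web interface; the only assumption made here is the
standard Java serialization stream header (0xACED 0x0005 followed by a TC_*
content tag), which is fixed by the Java Object Serialization specification.
All request samples below are constructed, not captured from an incident.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote_from_bytes, unquote_to_bytes

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"      # STREAM_MAGIC + STREAM_VERSION
TC_BASE, TC_MAX = 0x70, 0x7E                 # valid first content tag (TC_NULL .. TC_ENUM)
# "rO0AB" is the base64 encoding of the first 4.5 bytes of every Java serialization stream.
B64_STREAM = re.compile(rb"rO0AB[A-Za-z0-9+/=]{7,}")


@dataclass
class HttpRequest:                           # minimal record type, assumed for the example
    src_ip: str
    method: str
    path: str
    body: bytes


def find_stream(view: bytes) -> int:
    """Offset of a plausible serialization stream in `view`, or -1.

    Requiring a valid TC_* tag right after the header avoids flagging text that
    merely happens to contain "rO0AB" or the four magic bytes.
    """
    idx = view.find(JAVA_STREAM_MAGIC)
    while idx != -1:
        tag = idx + len(JAVA_STREAM_MAGIC)
        if tag < len(view) and TC_BASE <= view[tag] <= TC_MAX:
            return idx
        idx = view.find(JAVA_STREAM_MAGIC, idx + 1)
    return -1


def decoded_views(body: bytes):
    """The body plus the decodings an attacker commonly wraps a payload in:
    percent-encoding (form bodies) and base64 (JSON or form parameters)."""
    views = [("raw", body)]
    url_decoded = unquote_to_bytes(body)
    if url_decoded != body:
        views.append(("url", url_decoded))
    for label, data in list(views):
        for m in B64_STREAM.finditer(data):
            chunk = m.group(0)
            chunk = chunk[: len(chunk) - len(chunk) % 4]   # drop a trailing partial quantum
            try:
                views.append((f"base64({label})", base64.b64decode(chunk)))
            except ValueError:                              # binascii.Error is a ValueError
                continue
    return views


def classify(req: HttpRequest) -> Optional[dict]:
    """Return a finding if any view of the request body contains a stream."""
    for label, view in decoded_views(req.body):
        offset = find_stream(view)
        if offset != -1:
            return {"src_ip": req.src_ip, "method": req.method, "path": req.path,
                    "encoding": label, "offset": offset}
    return None


def hunt(requests: List[HttpRequest]) -> List[dict]:
    return [hit for hit in map(classify, requests) if hit]


# Constructed samples. The payload is only a stream header followed by
# TC_OBJECT, TC_CLASSDESC and a placeholder class name; it is not an exploit,
# and /example/... are placeholder paths, not FMC URLs.
SERIALIZED_OBJECT = JAVA_STREAM_MAGIC + b"sr\x00\x0bExampleData"
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.5", "POST", "/example/login", b"username=alice&password=hunter2"),
    HttpRequest("10.0.0.6", "POST", "/example/login", b"username=bob&password=rO0ABcdefghij"),
    HttpRequest("198.51.100.7", "POST", "/example/endpoint", SERIALIZED_OBJECT),
    HttpRequest("198.51.100.7", "POST", "/example/endpoint",
                b"data=" + base64.b64encode(SERIALIZED_OBJECT)),
    HttpRequest("203.0.113.9", "POST", "/example/endpoint",
                b"blob=" + quote_from_bytes(SERIALIZED_OBJECT).encode()),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_REQUESTS):
        print(finding)
```

Run it directly to see the findings for the constructed samples; in practice feed it request bodies from a reverse-proxy capture or a WAF request log. The second sample shows why the TC_* tag check matters: a password that happens to start with "rO0AB" decodes to the magic bytes but not to a valid stream, so it is not flagged. Any legitimate client that sends serialized Java objects over HTTP would also trip the check, so treat a hit as a triage lead rather than proof of exploitation.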
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: CVE-2026-20131; CVE-2026-20079
Target & Sectors: Global Scope; health; technology
Incident Timeline
late 2024
Interlock ransomware launches; its later victims include DaVita, Kettering Health, the Texas Tech University System and the city of Saint Paul, Minnesota.
Entities: industry Health; tactic Ransomware; organisation Kettering Health; organisation Texas Tech University System
Context: Interlock ransomware has claimed several high-profile victims since its launch in late 2024, including DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota.
September 2024
The Interlock ransomware group becomes active; it goes on to target DaVita, Kettering Health and Texas Tech University.
Entities: industry Health; tactic Ransomware; organisation Kettering Health; organisation Texas Tech University
Context: Interlock ransomware group has been active since September 2024; it has targeted multiple organizations, including DaVita, Kettering Health, and Texas Tech University.
late January 2026
Active exploitation of CVE-2026-20131 begins, the status CISA cited when it later set its patch deadline for Federal Civilian Executive Branch agencies.
Entities: vulnerability CVE-2026-20131; attribution CISA; attribution Federal Civilian Executive Branch (FCEB)
Context: Given the severity of CVE-2026-20131 and its active exploitation status since late January 2026, CISA gave Federal Civilian Executive Branch (FCEB) agencies only until this Sunday to apply the security updates or stop using the product.
January 2026
Cisco patches a maximum-severity AsyncOS zero-day exploited against secure email appliances since November, and a critical Unified Communications RCE that was also used in zero-day attacks.
January 26, 2026
First observed exploitation of CVE-2026-20131 by the Interlock group, 36 days before public disclosure, according to Amazon researchers.
Entities: vulnerability CVE-2026-20131; organisation Amazon; organisation Interlock
Context: Amazon researchers observed the Interlock group exploiting the CVE-2026-20131 flaw 36 days before disclosure, starting on January 26, 2026.
2026-02-02
Cisco patches a maximum-severity Catalyst SD-WAN authentication bypass that was abused as a zero-day to compromise controllers and add rogue peers.
Entity: product Catalyst SD-WAN
Context: Last month, Cisco also patched a maximum-severity Catalyst SD-WAN authentication bypass flaw that was abused as a zero-day, allowing remote attackers to compromise controllers and add malicious rogue peers to targeted networks.
2026-03-04
Cisco releases fixes for two maximum-severity Secure FMC vulnerabilities, CVE-2026-20079 and CVE-2026-20131, alongside dozens of other flaws, including 15 high-severity issues in Secure FMC, Secure Firewall ASA and Secure Firewall Threat Defense software. At publication, Cisco PSIRT reports no evidence of exploitation or public PoC code.
Entity: general_metric 15 high-severity security flaws
Context: Today, Cisco has also patched dozens of other security vulnerabilities, including 15 high-severity security flaws in Secure FMC, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense software.
March 18
Cisco updates its advisory to warn of active exploitation of CVE-2026-20131 in the wild.
Entity: vulnerability CVE-2026-20131
Context: On March 18, the vendor updated its bulletin to warn of active exploitation of CVE-2026-20131 in the wild.
2026-03-20
CISA adds CVE-2026-20131 (CVSS 10.0) to its Known Exploited Vulnerabilities catalog; Amazon reports that the Interlock ransomware actor exploited it more than a month before Cisco published the patch.
Entity: vulnerability CVSS score 10.0
Context: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management, tracked as CVE-2026-20131 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.
Entity: organisation Amazon
Context: Amazon stated that the ransomware threat actor exploited CVE-2026-20131 more than a month before the vendor published the patch.
Entity: organisation Cisco Security Cloud Control (SCC)
Context: "A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root." CVE-2026-20131 also impacts Cisco Security Cloud Control (SCC) Firewall Management. While both flaws affect Cisco Secure FMC Software, CVE-2026-20131 also affects Cisco Security Cloud Control (SCC) Firewall Management, a cloud-based security policy manager that simplifies policy across Cisco firewalls and other devices.
One of the vulnerabilities in Cisco Secure FMC Software — CVE-2026-20079 — allows attackers to bypass authentication and execute script files on an affected device to obtain root access to the operating system.
Entity: organisation Cisco Secure Firewall Management Center
Context: The vulnerabilities, CVE-2026-20079 and CVE-2026-20131, affect the web-based interface of Cisco Secure Firewall Management Center (FMC) Software, regardless of device configuration, the vendor said.
"A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device," reads the advisory.
Cisco Secure Firewall Management Center (FMC) is a centralized management platform for Cisco firewalls.
Entity: organisation Cisco Secure FMC
Context: CVE-2026-20131 is a remote code execution flaw in Cisco Secure FMC's web interface: unauthenticated remote attackers can exploit insecure Java deserialization and execute arbitrary code as root by sending a crafted serialized object.
CVE-2026-20079 also resides in the web interface and lets unauthenticated remote attackers bypass authentication and send crafted HTTP requests to execute scripts, potentially gaining root access to the underlying operating system.
Entity: organisation The Cisco Secure Firewall Management Center
Context: The Cisco Secure Firewall Management Center (FMC) is a centralized administration system for critical Cisco network security appliances, covering firewalling, application control, intrusion prevention, URL filtering, and malware protection.
Entities: technique ClickFix; malware NodeSnake; malware Slopoly
Context: The threat actor is also using the ClickFix technique for initial access, as well as custom remote access trojans and malware strains like NodeSnake and Slopoly.
Entities: organisation Cisco; product Secure FMC
Context: Cisco fixes maximum-severity Secure FMC bugs threatening firewall security. Cisco warns of max severity Secure FMC flaws giving root access. Cisco patched two critical Secure FMC vulnerabilities that could let attackers gain root access on the FMC device that manages the firewalls.
"This vulnerability is due to an improper system process that is created at boot time," Cisco said in a security advisory.
Entity: organisation Secure Firewall Management Center
Context: Cisco has released security updates to patch two maximum-severity vulnerabilities in its Secure Firewall Management Center (FMC) software that could allow attackers to gain root access.
Context: Secure FMC lets administrators configure, monitor, and control multiple firewalls from a single web or SSH interface. Through FMC, teams manage policies for intrusion prevention (IPS), application control, URL filtering, advanced malware protection, logging, reporting, and overall network security posture across their environment.
Entity: organisation SecurityAffairs
Context: Pierluigi Paganini (SecurityAffairs – hacking, Secure FMC)
Entity: organisation Cisco Product Security Incident Response Team (PSIRT)
Context: When the patches were released on March 4, the company's Product Security Incident Response Team (PSIRT) had no evidence that the two security flaws were exploited in attacks or that proof-of-concept (PoC) exploit code had been published online; Cisco revised this for CVE-2026-20131 on March 18.
product
Unified Communications
More recently, in January, it released patches
for a maximum-severity Cisco AsyncOS zero-day
that has been exploited in attacks against secure email appliances since November and addressed a
critical Unified Communications RCE
that was also used in zero-day attacks.
organisation
CyberScoop
“At the time of publication, Cisco PSIRT (public security incident response team) is not aware of any malicious use of these vulnerabilities,” a company spokesperson told CyberScoop.
March 22, 2026
Deadline set by CISA, the US Department of Homeland Security's cybersecurity agency, for federal agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center or stop using the product.
Entity: vulnerability CVE-2026-20131; organisation Cisco Secure Firewall Management Center
Context: The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22.
early March 2026
Cisco releases fixes for both Secure FMC flaws on March 4; by March 18 it confirms in-the-wild exploitation of CVE-2026-20131, and CISA adds the CVE to its KEV catalog on March 20.
Tactical Metrics
vulnerability: CVSS score 10.0
Context: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management, tracked as CVE-2026-20131 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.
Intelligence Sources
* Security Affairs, 2026-03-04
* BleepingComputer, 2026-03-04: Cisco warns of max severity Secure FMC flaws giving root access
* CyberScoop, 2026-03-05
* Security Affairs, 2026-03-19
* BleepingComputer, 2026-03-20: CISA orders feds to patch max-severity Cisco flaw by Sunday
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:19
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 26x organisation (Identified Entity): Kettering Health
* 15x attribution (Attributing Entity): SecurityAffairs
* 13x timeline (Temporal Reference): September 2024
* 3x tactic (MITRE ATT&CK Technique): T1588.006 - Obtain Capabilities: Vulnerabilities
* 3x industry (Targeted Sector): Health
* 2x tactic (Cyber Operation Type): Ransomware
* 2x vulnerability (Exploited CVE): CVE-2026-20131
Contextual Telemetry
Context Block: 5 metrics
* source region (Origin Country): United States
* vulnerability (CVSS Score): 10.0
* general metric (High-Severity Security Flaws): 15
* general metric (Maximum-Severity Defects): 2
* general metric (Vulnerabilities): 48