CVE-2026-20131: Unauthenticated RCE via Java Deserialization in Cisco FMC and Security Cloud Control

CVE ID: CVE-2026-20131
Vendor: Cisco
Affected Products: Cisco Secure Firewall Management Center (FMC) Software, Cisco Security Cloud Control (SCC) Firewall Management
Attack Vector: Network (unauthenticated, remote)
CISA KEV Patch Deadline: March 22, 2026


Vulnerability Overview

CVE-2026-20131 is a deserialization of untrusted data vulnerability residing in the web-based management interfaces of Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) Firewall Management. An unauthenticated remote attacker can send a specially crafted request to the affected interface, triggering unsafe Java deserialization that results in arbitrary code execution with root privileges on the underlying device.

No credentials are required to exploit this flaw. The attack surface is the management plane itself — the component responsible for configuring, monitoring, and controlling Cisco firewall deployments across enterprise environments.


Technical Details

The vulnerability class — deserialization of untrusted data (CWE-502) — is well-understood and consistently weaponizable. Java deserialization flaws allow attackers to supply malicious serialized objects through HTTP or HTTPS requests. When the application deserializes that input without validation, the attacker-controlled object graph executes during reconstruction, often leveraging Java gadget chains (such as those in Apache Commons Collections or Spring Framework) to achieve OS-level code execution.

In this case, exploitation yields a root shell on the FMC or SCC appliance. Because the vulnerability requires no authentication, there is no credential barrier to exploitation. Any network path to the management interface — whether direct, through a misconfigured firewall rule, or via a compromised internal host — is sufficient for a full compromise.

CISA has added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal civilian executive branch (FCEB) agencies apply available patches by March 22, 2026.


Real-World Impact

Cisco FMC is the centralized management platform for Cisco Firepower next-generation firewalls across large enterprise and government networks. Compromise of FMC does not affect a single firewall — it grants an attacker administrative control over the entire managed firewall estate.

With root access to FMC, an attacker can:

  • Modify or disable firewall policies across all managed Firepower devices, removing security controls network-wide.
  • Exfiltrate network topology data, including firewall rules, access control policies, VPN configurations, and network segment mappings — intelligence directly useful for lateral movement.
  • Deploy persistent implants on the FMC appliance itself, surviving routine remediation efforts that do not include reimaging.
  • Pivot to managed devices by abusing the trust relationship between FMC and connected Firepower sensors.

Organizations running Cisco Security Cloud Control face identical risk on the SCC Firewall Management plane. SCC environments managing cloud-native firewall deployments are exposed through the same deserialization pathway.

Given the unauthenticated nature of the flaw, exploitation does not require prior access or social engineering. Any attacker who can reach the management interface over the network — including through internet-exposed instances — can achieve full compromise in a single step.


Affected Versions

Cisco has not yet published a complete advisory with a full version matrix at the time of this writing. Operators should consult the Cisco Security Advisory portal at https://sec.cloudapps.cisco.com/security/center/publicationListing.x for the authoritative affected version list and available fixed releases.


Patching and Mitigation Guidance

1. Apply Cisco patches immediately. Monitor the Cisco Security Advisory for CVE-2026-20131 and apply fixed software releases as soon as Cisco publishes them. FCEB agencies must patch by March 22, 2026, per CISA directive. All other organizations should treat this timeline as a maximum, not a target.

2. Isolate FMC and SCC management interfaces from untrusted networks. FMC and SCC web management interfaces should never be reachable from the internet or from untrusted internal segments. Place management interfaces on dedicated out-of-band management networks accessible only from administrator workstations and jump hosts.

3. Restrict access to known administrator IP ranges. If patching is delayed, implement host-based or perimeter firewall rules that whitelist only specific administrator source IPs for access to TCP 443 and TCP 8443 on FMC and SCC appliances. This reduces exposure but does not eliminate risk from compromised administrator hosts.

4. Enable enhanced logging and monitor for deserialization payloads. Review web server access logs on FMC for anomalous POST requests, unexpected HTTP 500 responses, or requests with unusually large or binary-structured bodies targeting management endpoints. Correlate with IDS/IPS signatures for Java deserialization gadget chains (e.g., Snort SID sets covering aced0005 magic bytes in HTTP traffic).

5. Audit management interface exposure. Conduct an immediate audit of network access controls governing FMC and SCC management interfaces. Confirm no instance is reachable from external networks, DMZs, or unmanaged internal VLANs. Validate that VPN-gated access is enforced where remote administration is required.

6. Review FMC and SCC integrity. For any FMC or SCC instance that has been internet-accessible or inadequately segmented, treat the appliance as potentially compromised pending a full integrity review. Compare running configurations against known-good baselines and inspect for unauthorized policy modifications or added administrative accounts.
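The detection heuristics in step 4, and the serialized-stream format described under Technical Details, as an added example (not Cisco's or CISA's own tooling): the first function recognises a Java serialized stream by its aced0005 header and extracts the top-level class name for triage; the second scans access-log lines for POST requests answered with HTTP 500 or carrying unusually large bodies. The log line layout and the sample entries are constructed for the example and do not reflect FMC's real log format.

```python
import re
import struct
from typing import List, Optional, Tuple

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def java_stream_top_class(body: bytes) -> Optional[str]:
    """Return the class name of the first object in a Java serialized stream.

    None: body is not a Java serialized stream. A value starting with '<' means
    the magic is present but the layout is not the plain TC_OBJECT/TC_CLASSDESC
    form (still worth alerting on, since benign management traffic should not
    carry serialized Java objects from unauthenticated clients at all).
    """
    if not body.startswith(JAVA_STREAM_MAGIC):
        return None
    if len(body) < 8 or body[4] != TC_OBJECT or body[5] != TC_CLASSDESC:
        return "<unparsed>"
    (name_len,) = struct.unpack(">H", body[6:8])  # big-endian UTF length prefix
    name = body[8:8 + name_len]
    return name.decode("utf-8", "replace") if len(name) == name_len else "<truncated>"


# Constructed log layout (assumption, not FMC's format): src [ts] "METHOD PATH" status req_bytes
LOG_RE = re.compile(r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" '
                    r'(?P<status>\d{3}) (?P<req_bytes>\d+)$')


def triage_access_log(lines: List[str], body_threshold: int = 65536) -> List[Tuple[str, str, List[str]]]:
    """Flag requests matching the step-4 heuristics; returns (source, path, reasons) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash a bulk review
        reasons = []
        if m["method"] == "POST" and m["status"] == "500":
            reasons.append("POST answered with HTTP 500")
        if int(m["req_bytes"]) >= body_threshold:
            reasons.append(f"request body {m['req_bytes']} bytes")
        if reasons:
            hits.append((m["src"], m["path"], reasons))
    return hits


# Constructed samples: one benign request, one suspicious POST, one captured request body.
SAMPLE_LOG = [
    '10.0.0.5 [10/Mar/2026:09:00:01 +0000] "GET /login.cgi" 200 0',
    '198.51.100.7 [10/Mar/2026:09:00:02 +0000] "POST /api/example" 500 131072',
]
_CLASS = b"java.util.HashMap"  # neutral JDK class used only to build a sample stream
SAMPLE_BODY = JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(_CLASS)) + _CLASS
```

Any non-None result from java_stream_top_class on a body that reached the management interface from an unauthenticated source is itself the alert; the class name is only there to speed up the analyst's triage.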

