Cisco: Cisco Secure Firewall Vulnerability Exposes Systems to Remote Code Execution by Attackers

Critical Cisco Secure Firewall Flaw Under Active Exploitation (CVE-2026-20131)

Cisco has released urgent security updates to patch a maximum-severity vulnerability (CVE-2026-20131) in its Secure Firewall Management Center (FMC) Software, which is being actively exploited in the wild as of March 2026. The flaw, assigned a CVSS score of 10.0, allows unauthenticated remote attackers to execute arbitrary code with root-level privileges.

Vulnerability Breakdown

The issue stems from insecure deserialization (CWE-502) in the web-based management interface of Cisco Secure FMC. Attackers can exploit it by sending a maliciously crafted serialized Java object, requiring no authentication or user interaction. Successful exploitation grants full control over the affected system.

Discovered by Keane O’Kelley of Cisco’s Advanced Security Initiatives Group during internal testing, the flaw affects:

On-premises Cisco Secure FMC Software (all versions)
SaaS-based Cisco Security Cloud Control (SCC) Firewall Management (now patched via automatic updates)

Notably, Cisco Secure Firewall ASA and FTD Software remain unaffected.

Impact & Response

Due to the lack of workarounds, Cisco has urged all affected organizations to immediately upgrade to fixed software versions. On-premises administrators must manually apply updates, while SaaS users are already protected via Cisco’s routine maintenance.

The company has also confirmed that customers without direct service contracts can obtain patches for free through the Cisco Technical Assistance Center. Publicly exposed FMC interfaces heighten risk, making isolated management networks a recommended precaution.

With exploitation already underway, this vulnerability poses a severe threat to unpatched systems, enabling attackers to compromise firewall management infrastructure at scale.

Source: https://gbhackers.com/cisco-secure-firewall-vulnerability-3/

Cisco Security cybersecurity rating report: https://www.rankiteo.com/company/cisco-security

"id": "CIS1774506416",
"linkid": "cisco-security",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"

{'affected_entities': [{'customers_affected': 'All users of Cisco Secure FMC '
                                              'Software (on-premises and '
                                              'SaaS-based)',
                        'industry': 'Technology/Networking',
                        'location': 'Global',
                        'name': 'Cisco',
                        'size': 'Large',
                        'type': 'Corporation'}],
 'attack_vector': 'Remote',
 'customer_advisories': 'Urgent patching required for on-premises users, SaaS '
                        'users protected via automatic updates',
 'date_detected': '2026-03',
 'date_publicly_disclosed': '2026-03',
 'description': 'Cisco has released urgent security updates to patch a '
                'maximum-severity vulnerability (CVE-2026-20131) in its Secure '
                'Firewall Management Center (FMC) Software, which is being '
                'actively exploited in the wild as of March 2026. The flaw '
                'allows unauthenticated remote attackers to execute arbitrary '
                'code with root-level privileges due to insecure '
                'deserialization in the web-based management interface.',
 'impact': {'brand_reputation_impact': 'Severe',
            'operational_impact': 'Full control over affected systems, '
                                  'potential compromise of firewall management '
                                  'infrastructure',
            'systems_affected': 'Cisco Secure Firewall Management Center (FMC) '
                                'Software'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': 'Security updates, secure '
                                                  'coding practices review',
                            'root_causes': 'Insecure deserialization in '
                                           'web-based management interface'},
 'recommendations': 'Immediately upgrade to fixed software versions, isolate '
                    'FMC management interfaces, monitor for exploitation '
                    'attempts',
 'references': [{'date_accessed': '2026-03',
                 'source': 'Cisco Security Advisory'}],
 'response': {'communication_strategy': 'Public disclosure, advisories to '
                                        'customers',
              'containment_measures': 'Urgent security updates released, '
                                      'manual patching required for '
                                      'on-premises users',
              'incident_response_plan_activated': 'Yes',
              'network_segmentation': 'Recommended (isolated management '
                                      'networks)',
              'remediation_measures': 'Upgrade to fixed software versions, '
                                      'isolate management networks'},
 'stakeholder_advisories': 'Public disclosure, advisories to customers and '
                           'partners',
 'title': 'Critical Cisco Secure Firewall Flaw Under Active Exploitation '
          '(CVE-2026-20131)',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2026-20131 (Insecure Deserialization - '
                            'CWE-502)'}

Cisco: Cisco Secure Firewall Vulnerability Exposes Systems to Remote Code Execution by Attackers

Vulnerability Breakdown

Impact & Response

Synology: Synology DiskStation Manager Vulnerability Puts Users at Risk of Remote Command Execution Attacks

Asheville Citizen Times: Sorry, this feature isn't currently supported in your country

Sviatlana Tsikhanouskaya's United Transitional Cabinet: Tsikhanouskaya’s Website Hit By Cyberattack On March 25