A critical vulnerability, CVE-2026-20131, has been discovered in the Cisco Secure Firewall Management Center (FMC) software. This flaw allows unauthenticated attackers to execute arbitrary Java code as root on affected devices through the web-based management interface. The issue stems from insecure deserialization of user-supplied Java byte streams and can be exploited by sending specially crafted serialized Java objects to the vulnerable system. Active exploitation has been confirmed: the Interlock ransomware gang has been using this vulnerability since late January 2026, before Cisco released patches on March 4th. The vulnerability significantly affects Cisco's network security infrastructure, including firewalls and security features such as application control and intrusion prevention systems.
- Cisco Secure Firewall Management Center
- Apply the security updates provided by Cisco for all affected devices as soon as possible.
- Run the following command to check if your device is vulnerable: `nmap -p 80 --script http-cisco-fmc-vuln`.
- Update FMC software to version 7.1.2 or later using the Cisco Software Upgrade Manager (SUM) by accessing the web interface and navigating to System > Manage Software.
The impact on common homelab stacks is severe, as it affects critical network security components that are often part of these environments. Specific software versions impacted include any pre-patch FMC installations using Java for management interfaces.
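The flaw described above relies on serialized Java objects reaching the management interface over HTTP. As an added example (not Cisco's code and not part of the original page), the Python below flags request bodies that carry a Java serialization stream header, whether raw, base64 or hex encoded, and lists the class names the stream declares so they can be triaged. The sample stream and its class name are constructed, and no FMC-specific endpoint or payload format is assumed.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Every Java serialization stream opens with STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
MAGIC = b"\xac\xed\x00\x05"
B64_RE = re.compile(rb"rO0AB[A-Za-z0-9+/_-]{8,}")         # base64 of MAGIC starts "rO0AB"
HEX_RE = re.compile(rb"(?i)aced0005(?:[0-9a-f]{2}){4,}")  # hex-encoded MAGIC
NAME_RE = re.compile(rb"[A-Za-z_$\[][\w.$;\[]*")          # plausible Java class name


def class_names(stream: bytes) -> list[str]:
    """Pull class names from TC_CLASSDESC (0x72) records: 0x72, 2-byte length, name."""
    names, i = [], stream.find(b"\x72")
    while i != -1:
        n = int.from_bytes(stream[i + 1:i + 3], "big")
        name = stream[i + 3:i + 3 + n]
        if 0 < n <= 255 and len(name) == n and NAME_RE.fullmatch(name):
            names.append(name.decode("ascii"))
        i = stream.find(b"\x72", i + 1)
    return names


def scan(body: bytes) -> list[dict]:
    """Report each serialized-object marker in an HTTP request body, with its class names."""
    streams = []
    if MAGIC in body:
        streams.append(("raw", body[body.index(MAGIC):]))
    text = unquote_to_bytes(body)  # undo %2B / %2F / %3D in form-encoded values
    for m in B64_RE.finditer(text):
        token = m.group().replace(b"-", b"+").replace(b"_", b"/")  # URL-safe alphabet
        try:
            streams.append(("base64", base64.b64decode(token + b"=" * (-len(token) % 4))))
        except ValueError:  # binascii.Error: not decodable base64, ignore
            continue
    for m in HEX_RE.finditer(text):
        streams.append(("hex", bytes.fromhex(m.group().decode("ascii"))))
    return [{"encoding": enc, "classes": class_names(s)} for enc, s in streams]


def sample_stream(cls: str = "example.Constructed") -> bytes:
    """Constructed, harmless stream: one object of a made-up class with no fields."""
    name = cls.encode("ascii")
    return (MAGIC + b"\x73\x72" + len(name).to_bytes(2, "big") + name
            + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")


if __name__ == "__main__":
    print(scan(b"payload=" + base64.b64encode(sample_stream())))
```

A hit is a triage signal rather than proof of exploitation, since legitimate Java applications also exchange serialized objects.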