
Cisco FMC Zero-Day CVE-2026-20131: Ransomware Exploited It for 36 Days Before Anyone Knew
CVE-2026-20131 is a CVSS 10.0 insecure deserialization flaw in Cisco Secure Firewall Management Center (FMC). Unauthenticated, remote, root-level RCE — through the web management interface. The Interlock ransomware group exploited it as a zero-day for 36 days before Cisco disclosed and patched it on March 4, 2026. If you run FMC to manage your FTD firewalls, patch first, read later.

What Is CVE-2026-20131?

The vulnerability is an insecure deserialization flaw in FMC's Java-based web management interface. An unauthenticated attacker sends a crafted Java byte stream — FMC deserializes it without validation — and the attacker gets arbitrary code execution as root on the underlying Linux OS.

Attribute            Detail
CVE                  CVE-2026-20131
CVSS Score           10.0 (Maximum)
Vulnerability Type   Insecure deserialization of Java byte stream
Attack Vector        Network (remote, unauthenticated)
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Impact               Complete (RCE as root)
Affected Product     Cisco Secure
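As an added illustration of the vulnerability class (not Cisco's code, and making no claim about how FMC itself reads the stream), the following Python parses the header of a Java serialization stream found in an HTTP request body, raw or base64-encoded, and reports whether the top-level class is outside an allowlist of types the application expects; the request bodies, class names and allowlist are constructed placeholders.

```python
import base64
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java ObjectOutputStream magic 0xACED + version 5
TC_OBJECT, TC_CLASSDESC, TC_ARRAY, TC_STRING = 0x73, 0x72, 0x75, 0x74

def _read_utf(buf: bytes, pos: int):
    """Read a Java modified-UTF8 string: 2-byte big-endian length, then bytes."""
    if pos + 2 > len(buf):
        return None
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    return buf[pos + 2:end].decode("utf-8", "replace") if end <= len(buf) else None

def top_level_class(stream: bytes):
    """Class name of the first object in a serialization stream, or None."""
    if len(stream) < 6 or not stream.startswith(STREAM_MAGIC):
        return None
    tag = stream[4]
    if tag in (TC_OBJECT, TC_ARRAY) and stream[5] == TC_CLASSDESC:
        return _read_utf(stream, 6)  # TC_CLASSDESC is followed by the class name
    return "java.lang.String" if tag == TC_STRING else None

def inspect_body(body: bytes, allowlist: frozenset):
    """(encoding, top-level class, allowed?) for a body carrying a Java stream, else None."""
    candidates = [("raw", body)]
    try:
        candidates.append(("base64", base64.b64decode(body, validate=True)))
    except ValueError:  # not valid base64, so only the raw form is checked
        pass
    for encoding, data in candidates:
        if data.startswith(STREAM_MAGIC):
            cls = top_level_class(data)
            return encoding, cls, cls is not None and cls in allowlist
    return None

def _java_object(class_name: str) -> bytes:
    """Constructed minimal TC_OBJECT/TC_CLASSDESC header naming class_name."""
    name = class_name.encode()
    return STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name

# Constructed sample request bodies and a placeholder allowlist of the types an
# application legitimately expects; real values must come from the application.
ALLOWLIST = frozenset({"java.util.HashMap"})
SAMPLE_BODIES = {
    "form": b"page=2&sort=name",
    "expected": _java_object("java.util.HashMap"),
    "unexpected_b64": base64.b64encode(_java_object("com.example.UnexpectedType")),
}
```

Serialized objects arriving at a management interface from an unauthenticated source are worth alerting on regardless of class name; the allowlist check mirrors the type filtering (JEP 290 style) that a hardened deserializer should enforce.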
Continue reading on Dev.to DevOps



