Rapid7

Cisco FMC: CVE-2026-20131: Insecure Deserialization Remote Code Execution

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: Mar 4, 2026
Added: Apr 14, 2026
Modified: Apr 14, 2026

Description

A critical insecure deserialization vulnerability exists in the web-based management interface of Cisco Secure Firewall Management Center (FMC). The application fails to properly validate and securely deserialize user-supplied Java byte streams. An unauthenticated, remote attacker can exploit this by sending a crafted serialized Java object to the affected management interface.

Successful exploitation allows the attacker to execute arbitrary Java code with "root" privileges on the underlying operating system, leading to complete system compromise. This flaw has been actively exploited in the wild by ransomware actors (such as Interlock).

Affected Versions: Select Cisco FMC releases including 6.4.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.6.x, 7.7.x, and 10.0.0.
Required Configuration: Any Cisco FMC instance with an exposed web-based management interface.

Solutions

cisco-sa-fmc-upgrade-10_0_1
cisco-sa-fmc-upgrade-7_7_12
cisco-sa-fmc-upgrade-7_6_5
cisco-sa-fmc-upgrade-7_4_6
cisco-sa-fmc-upgrade-7_2_11
cisco-sa-fmc-upgrade-7_0_9