
CISA KEV: Cisco FMC Vulnerability Allows Root Java Code Execution (CVE-2026-20131)

Source: CISA Known Exploited Vulnerabilities (KEV)
Filed March 19th, 2026
Detected March 20th, 2026

Summary

CISA has added a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability (CVE-2026-20131) allows unauthenticated remote attackers to execute arbitrary Java code as root. Organizations are required to address this vulnerability by April 4, 2026.

What changed

CISA has added CVE-2026-20131, a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability stems from insecure deserialization and allows an unauthenticated, remote attacker to execute arbitrary Java code as root on affected devices. The CVSS score is 10.0 (CRITICAL), with an active exploitation status and high technical impact.

Federal agencies and organizations using affected Cisco FMC versions must implement required mitigations or workarounds by April 4, 2026, to address this known exploited vulnerability. Failure to comply may result in increased scrutiny and potential enforcement actions. Organizations should prioritize patching or applying vendor-recommended mitigations to prevent exploitation.

What to do next

  1. Apply vendor patches or mitigations for Cisco FMC versions affected by CVE-2026-20131.
  2. Review network access controls to limit exposure of FMC management interfaces.
  3. Confirm successful remediation of the vulnerability.

Source document (simplified)

Required CVE Record Information

CNA: Cisco Systems, Inc.

Description

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.

This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.

Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.
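The defect class named above, CWE-502, is the acceptance of an attacker-controlled Java serialized byte stream without first deciding which classes may be reconstructed. The standard defence in Java is a JEP 290 ObjectInputFilter that allowlists only the classes an endpoint genuinely expects and caps graph depth, reference count and array size; the block below is an added illustration of that pattern, not Cisco's code or fix, and the `Heartbeat` payload type, the allowlist and the limits are constructed for the example.

```java
import java.io.*;
import java.util.Set;
import static java.io.ObjectInputFilter.Status.*;

/** Added example (not Cisco code): a JEP 290 allowlist filter for an untrusted Java object stream. */
public class SafeDeserialization {
    public static final class Heartbeat implements Serializable { // hypothetical expected payload type
        private static final long serialVersionUID = 1L;
        final String sensorId;
        Heartbeat(String sensorId) { this.sensorId = sensorId; }
    }
    /** Only these classes may ever be reconstructed from the stream; everything else is denied. */
    private static final Set<String> ALLOWED_CLASSES = Set.of(Heartbeat.class.getName(), String.class.getName());

    static ObjectInputFilter allowlistFilter() {
        return info -> {
            // Structural limits first: deep graphs and huge arrays are abuse signals on their own.
            if (info.depth() > 5 || info.references() > 50 || info.arrayLength() > 1024) return REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return UNDECIDED;                 // stream metadata, not a class: let the JDK decide
            while (c.isArray()) c = c.getComponentType();   // judge arrays by their element type
            return (c.isPrimitive() || ALLOWED_CLASSES.contains(c.getName())) ? ALLOWED : REJECTED;
        };
    }

    /** Deserialize under the filter; a rejected class raises InvalidClassException before any object is built. */
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowlistFilter());
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected payload, one unexpected (and harmless) class.
        Heartbeat ok = (Heartbeat) readFiltered(serialize(new Heartbeat("sensor-01")));
        System.out.println("accepted: " + ok.sensorId);
        try {
            readFiltered(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs before any constructor or readObject method of the incoming class executes, which is what makes it an effective boundary; a process-wide equivalent can be set with the `jdk.serialFilter` system property for code that cannot be changed.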

CWE (1 total)

- CWE-502: Deserialization of Untrusted Data

CVSS (1 total)

| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 10.0 | CRITICAL | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

Product Status

Versions: 71 total. Default status for versions not listed: unknown.

Affected versions, grouped by release train in the order the record lists them:

- 6.4: 6.4.0.13, 6.4.0.14, 6.4.0.15, 6.4.0.16, 6.4.0.17, 6.4.0.18
- 7.0: 7.0.0, 7.0.0.1, 7.0.1, 7.0.1.1, 7.0.2, 7.0.2.1, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.6.1, 7.0.6.2, 7.0.6.3, 7.0.7, 7.0.8, 7.0.8.1
- 7.1: 7.1.0, 7.1.0.1, 7.1.0.2, 7.1.0.3
- 7.2: 7.2.0, 7.2.1, 7.2.2, 7.2.0.1, 7.2.3, 7.2.3.1, 7.2.4, 7.2.4.1, 7.2.5, 7.2.5.1, 7.2.6, 7.2.7, 7.2.5.2, 7.2.8, 7.2.8.1, 7.2.9, 7.2.10, 7.2.10.2, 7.2.10.1
- 7.3: 7.3.0, 7.3.1, 7.3.1.1, 7.3.1.2
- 7.4: 7.4.0, 7.4.1, 7.4.1.1, 7.4.2, 7.4.2.1, 7.4.2.2, 7.4.2.3, 7.4.2.4, 7.4.3, 7.4.4, 7.4.5
- 7.6: 7.6.0, 7.6.1, 7.6.2, 7.6.2.1, 7.6.3, 7.6.4
- 7.7: 7.7.0, 7.7.10, 7.7.10.1, 7.7.11
- 10.0: 10.0.0

References (1 total)

Authorized Data Publishers

CISA-ADP (updated 2026-03-20): SSVC and KEV, plus CVSS and CWE if not provided by the CNA.

SSVC (1 total)

| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-03-04 |

KEV (1 total)

- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131 (2026-03-19)

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

- Agency: CISA
- Filed: March 19th, 2026
- Compliance deadline: April 4th, 2026 (15 days)
- Instrument: Enforcement
- Legal weight: Non-binding
- Stage: Final
- Change scope: Substantive
- Document ID: CVE-2026-20131

Who this affects

- Applies to: Technology companies
- Industry sector: 5112 Software & Technology
- Activity scope: Vulnerability Management; Network Security
- Geographic scope: United States (US)

Taxonomy

- Primary area: Cybersecurity
- Operational domain: IT Security
- Topics: Vulnerability Management; Network Security
