The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22.
Cisco published a security bulletin about the flaw on March 4, urging system administrators to apply the security updates as soon as possible and warning that no workarounds are available.
The Cisco Secure Firewall Management Center (FMC) is a centralized administration system for critical Cisco network security appliances, such as firewalls, application control, intrusion prevention, URL filtering, and malware protection.
“A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device,” Cisco says in the advisory.
The issue is caused by insecure deserialization of a user-supplied Java byte stream and is exploitable by sending a specially crafted serialized Java object to the web-based management interface of an affected device.
On March 18, the vendor updated its bulletin to warn of active exploitation of CVE-2026-20131 in the wild. Amazon threat intelligence researchers confirmed that threat actors are leveraging the vulnerability in attacks, noting that the Interlock ransomware gang had been exploiting it as a zero-day since the end of January.
Amazon stated that the ransomware threat actor exploited CVE-2026-20131 more than a month before the vendor published the patch.
Interlock ransomware has claimed several high-profile victims since its launch in late 2024, including DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota.
The threat actor is also using the ClickFix technique for initial access, as well as custom remote access trojans and malware strains like NodeSnake and Slopoly.
CISA has added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog, marking it as “known to be used in ransomware campaigns.”
Given the severity of CVE-2026-20131 and its active exploitation status since late January 2026, CISA gave Federal Civilian Executive Branch (FCEB) agencies only until this Sunday to apply the security updates or stop using the product.
CISA’s deadline is relevant to all entities subject to the Binding Operational Directive (BOD) 22-01, but private firms, state/local governments, and all non-FCEB organizations are still recommended to consider it and act accordingly.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
