1. Home
  2. Vulnerabilities
  3. CVE-2026-20131
10.0
CRITICAL CVSS 3.1
CVE-2026-20131
"Cisco Secure Firewall Management Center Java Deserialization Root RCE"
Description

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.

INFO

Published Date :

March 4, 2026, 6:16 p.m.

Last Modified :

March 5, 2026, 7:39 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
Affected Products

The following products are affected by CVE-2026-20131 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 CRITICAL MITRE-CVE
Solution
Apply vendor patches to address insecure deserialization that allows arbitrary code execution as root.
  • Update Cisco Secure Firewall Management Center Software to the latest version.
  • Restrict public internet access to the FMC management interface.
  • Apply all available security patches from the vendor.
Public PoC/Exploit Available at Github

CVE-2026-20131 has a 3 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-20131.

URL Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-20131 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-20131 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
p3Nt3st3r-sTAr/CVE-2026-20131-POC

None

Python Java

Updated: 4 days, 4 hours ago
0 stars 0 fork 0 watcher
Born at : March 6, 2026, 7:06 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
Sushilsin/CVE-2026-20131

CVE-2026-20131 — Cisco FMC Insecure Java Deserialization (RCE)

Python

Updated: 2 days, 22 hours ago
1 stars 0 fork 0 watcher
Born at : March 6, 2026, 6:18 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
nomi-sec/PoC-in-GitHub

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 1 day, 5 hours ago
7556 stars 1241 fork 1241 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 761 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-20131 vulnerability anywhere in the article.

  • Hackread - Cybersecurity News, Data Breaches, AI and More
Cisco Patches 48 Firewall Vulnerabilities with Two CVSS 10 Flaws

Cisco has issued security updates addressing dozens of vulnerabilities affecting several of its firewall platforms, including Cisco Secure Firewall Adaptive Security Appliance, Cisco Secure Firewall M ... Read more

Published Date: Mar 06, 2026 (4 days ago)
  • The Hacker News
Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities

Cisco has disclosed that two more vulnerabilities affecting Catalyst SD-WAN Manager (formerly SD-WAN vManage) have come under active exploitation in the wild. The vulnerabilities in question are liste ... Read more

Published Date: Mar 05, 2026 (4 days, 20 hours ago)
  • Help Net Security
Cisco warns of SD-WAN Manager exploitation, fixes 48 firewall vulnerabilities

Cisco has confirmed that two Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20128 and CVE-2026-20122) patched in late February 2025 are being exploited by attackers. The exploited vulnerabilities ( ... Read more

Published Date: Mar 05, 2026 (4 days, 21 hours ago)
  • TheCyberThrone
Two Perfect 10s: Cisco FMC Under Siege

Two unauthenticated remote code execution vulnerabilities — both scoring a perfect 10.0 on the CVSS scale — were disclosed on March 4, 2026 affecting Cisco Secure Firewall Management Center. Either fl ... Read more

Published Date: Mar 05, 2026 (5 days, 9 hours ago)
  • Daily CyberSecurity
Critical 10.0 CVSS Flaw in Cisco Secure FMC Hands Hackers Root Access to Enterprise Firewalls

Cybersecurity researchers have identified a critical vulnerability in Cisco Secure Firewall Management Center (FMC) Software, the administrative “nerve center” used to manage unified security policies ... Read more

Published Date: Mar 05, 2026 (5 days, 10 hours ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-20131 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by [email protected]

    Mar. 04, 2026

    Action Type Old Value New Value
    Added Description A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    Added CWE CWE-502
    Added Reference https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 10.0
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact