Cisco FMC Web UI Insecure Deserialization - Arbitrary Code Exec as Root
CVE-2026-20131 Published on March 4, 2026
Cisco Secure Firewall Management Center Software Remote Code Execution Vulnerability
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
This vulnerability is due to insecure deserialization of a user-supplied Java byte stream. An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.
Note: If the FMC management interface does not have public internet access, the attack surface that is associated with this vulnerability is reduced.
Known Exploited Vulnerability
This Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewa vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
The following remediation steps are recommended / required by March 22, 2026: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2026-20131 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2026-20131 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2026-20131
Want to know whenever a new CVE is published for Cisco Secure Firewall Management Center? stack.watch will email you.
Affected Versions
Cisco Secure Firewall Management Center (FMC):- Version 7.0.0 is affected.
- Version 7.0.0.1 is affected.
- Version 7.0.1 is affected.
- Version 7.1.0 is affected.
- Version 6.4.0.13 is affected.
- Version 7.0.1.1 is affected.
- Version 6.4.0.14 is affected.
- Version 7.1.0.1 is affected.
- Version 7.0.2 is affected.
- Version 6.4.0.15 is affected.
- Version 7.2.0 is affected.
- Version 7.0.2.1 is affected.
- Version 7.0.3 is affected.
- Version 7.1.0.2 is affected.
- Version 7.2.0.1 is affected.
- Version 7.0.4 is affected.
- Version 7.2.1 is affected.
- Version 7.0.5 is affected.
- Version 6.4.0.16 is affected.
- Version 7.3.0 is affected.
- Version 7.2.2 is affected.
- Version 7.3.1 is affected.
- Version 7.2.3 is affected.
- Version 7.1.0.3 is affected.
- Version 7.2.3.1 is affected.
- Version 7.2.4 is affected.
- Version 7.0.6 is affected.
- Version 7.2.4.1 is affected.
- Version 7.2.5 is affected.
- Version 7.3.1.1 is affected.
- Version 7.4.0 is affected.
- Version 6.4.0.17 is affected.
- Version 7.0.6.1 is affected.
- Version 7.2.5.1 is affected.
- Version 7.4.1 is affected.
- Version 7.2.6 is affected.
- Version 7.4.1.1 is affected.
- Version 7.0.6.2 is affected.
- Version 6.4.0.18 is affected.
- Version 7.2.7 is affected.
- Version 7.2.5.2 is affected.
- Version 7.3.1.2 is affected.
- Version 7.2.8 is affected.
- Version 7.6.0 is affected.
- Version 7.4.2 is affected.
- Version 7.2.8.1 is affected.
- Version 7.0.6.3 is affected.
- Version 7.4.2.1 is affected.
- Version 7.2.9 is affected.
- Version 7.0.7 is affected.
- Version 7.7.0 is affected.
- Version 7.4.2.2 is affected.
- Version 7.2.10 is affected.
- Version 7.6.1 is affected.
- Version 7.4.2.3 is affected.
- Version 7.0.8 is affected.
- Version 7.6.2 is affected.
- Version 7.7.10 is affected.
- Version 7.2.10.1 is affected.
- Version 7.0.8.1 is affected.
- Version 7.6.2.1 is affected.
- Version 7.2.10.2 is affected.
- Version 7.7.10.1 is affected.
- Version 7.4.2.4 is affected.
- Version 7.4.3 is affected.
- Version 7.7.11 is affected.
- Version 7.6.4 is affected.
- Version 10.0.0 is affected.
- Version 7.4.4 is affected.
- Version 7.4.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.