Unauthenticated Root RCE in Cisco Secure Firewall Management Center Web Interface
CVE-2026-20131 is a critical insecure deserialization vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, and reporting also indicates impact to Cisco Security Cloud Control (SCC) Firewall Management. The flaw is caused by deserialization of a user-supplied Java byte stream without adequate validation. An unauthenticated remote attacker can exploit the issue by sending a crafted serialized Java object to the affected management interface. Successful exploitation results in arbitrary Java code execution on the target device and can lead to execution with root privileges. Cisco disclosed the issue on 2026-03-04 and later acknowledged active exploitation in the wild; multiple reports attribute exploitation to the Interlock ransomware group prior to public disclosure.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
Repository contains a detection script and an RCE PoC for CVE-2026-20131 (Cisco Secure Firewall Management Center Java deserialization). Structure: (1) README.md documents the vulnerability, affected products, and usage. (2) check.py is a safe network probe that POSTs Java serialization magic bytes (0xACED0005) with Content-Type application/x-java-serialized-object to several FMC endpoints (/j_spring_security_check, /api/fmc_platform/v1/auth/generatetoken, /dispatcher, /invoker/JMXInvokerServlet, /invoker/EJBInvokerServlet) and flags HTTP 500/200 as potential deserialization handling. (3) poc.py is an operational PoC exploit that generates a malicious serialized object using an external tool (ysoserial-all.jar executed via local Java) with selectable gadget chains (CommonsCollections*, Spring*, Groovy1) and an attacker-supplied command, then POSTs the payload to likely deserialization endpoints. The exploit is unauthenticated and intended to achieve blind command execution (often inferred from HTTP 500 and/or out-of-band callbacks such as reverse shells or DNS). No persistence is implemented; payload is arbitrary command execution.
Repository contains a claimed working PoC exploit for CVE-2026-20131 targeting Cisco Catalyst SD-WAN Controller (vSmart) and Catalyst SD-WAN Manager (vManage). Structure: (1) `CVE-2026-20131-POC.py` is the main exploit entry point but is PyArmor-obfuscated/encrypted, preventing static extraction of exact request paths, parameters, or hardcoded targets from the provided content. (2) `cmd.jsp` is a JSP webshell payload that executes arbitrary OS commands supplied via the `cmd` HTTP parameter using `bash -c`, returning both stdout and stderr—indicative of post-exploitation persistence/command execution. (3) `README.md` describes capabilities: pre-auth auth bypass, admin privilege gain, ability to create a rogue peer in the SD-WAN control/management plane, and access to NETCONF on TCP/830. Fingerprintable observables available from the repo content are limited to the Telegram URL and the NETCONF port reference; any additional exploit endpoints (e.g., specific vManage/vSmart API paths) are likely embedded inside the obfuscated Python script and are not visible here.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
210 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A network edge device vulnerability that the content states was exploited by the Interlock ransomware group for initial access.
A critical deserialization of untrusted data vulnerability in Cisco Secure Firewall Management Center (FMC) that allowed unauthenticated remote code execution and was exploited as a zero-day by the Interlock Ransomware Group.
A critical remote code execution zero-day in Cisco Secure Firewall FMC that was exploited in the wild and specifically used by Interlock ransomware.
A specific vulnerability listed as suspected to be exploited by Iran-linked actors in real-world campaigns; no further technical detail is provided in the content.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.