
CVE-2026-20131

CISA KEV · Ransomware
CVSS 10 (CRITICAL) · EPSS 0.8% · Published 2026-03-04

Maximum-severity (CVSS 10.0) unauthenticated remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) and Security Cloud Control (SCC), caused by insecure deserialization of user-supplied Java byte streams (CWE-502). The management interface accepts and deserializes Java serialization streams (magic bytes 0xAC ED 00 05) from untrusted sources without input validation, type checking, or object filtering. An attacker can therefore supply a malicious object graph (gadget chain) built from libraries already on the classpath and obtain arbitrary Java code execution with root privileges. Tracked as Cisco Bug ID CSCwt14636, advisory cisco-sa-fmc-rce-NKhnULJh.

Actively exploited as a zero-day by the Interlock ransomware group since January 26, 2026, 36 days before Cisco's disclosure on March 4, 2026. CISA added the CVE to the KEV catalog on March 19, 2026 with the ransomware campaign flag.

Attack chain: crafted HTTP requests carrying serialized Java objects, delivery of an ELF binary payload, a persistent memory-resident Java backdoor (no files written to disk), post-exploitation reconnaissance via PowerShell, custom JS/Java RATs with a SOCKS5 proxy, and ConnectWise ScreenConnect for persistence. No workarounds are available.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
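As an added defensive example (not part of this advisory record and not Cisco's code), the following Python scanner looks for the Java serialization stream header named above, 0xAC ED 00 05, in an HTTP request body, whether the stream arrives raw, base64-encoded (the same four bytes encode to the prefix rO0AB) or hex-encoded, and reads the root class name out of the stream's first class descriptor so a responder can triage what was submitted. The request path, host header and class name in the sample are constructed placeholders, not the affected endpoint.

```python
"""Detect Java serialization streams (STREAM_MAGIC 0xACED, STREAM_VERSION 5) in HTTP bodies.

Added defensive example for triaging traffic to a management interface; not Cisco's code.
All sample bytes, paths and names below are constructed placeholders.
"""
import base64
import re
from typing import Dict, List, Optional

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005
TC_OBJECT = 0x73                          # type code: start of a serialized object
TC_CLASSDESC = 0x72                       # type code: inline class descriptor (name, SUID, flags)

# The same four magic bytes as they appear once base64- or hex-encoded inside a text body.
BASE64_RUN = re.compile(rb"rO0AB[A-Za-z0-9+/=]*")       # base64(b"\xac\xed\x00\x05...") starts with rO0AB
HEX_RUN = re.compile(rb"(?i)aced0005(?:[0-9a-f]{2})*")   # hex form, either case


def root_class_name(stream: bytes) -> Optional[str]:
    """Return the class name of the first object in a Java serialization stream.

    Only the common layout TC_OBJECT -> TC_CLASSDESC -> UTF class name is parsed;
    any other first element (array, string, proxy descriptor, back-reference) yields None.
    """
    if not stream.startswith(JAVA_STREAM_MAGIC):
        return None
    i = len(JAVA_STREAM_MAGIC)
    if len(stream) < i + 4 or stream[i] != TC_OBJECT or stream[i + 1] != TC_CLASSDESC:
        return None
    i += 2
    name_len = int.from_bytes(stream[i:i + 2], "big")   # 2-byte modified-UTF-8 length prefix
    name = stream[i + 2:i + 2 + name_len]
    if len(name) != name_len:                            # truncated stream
        return None
    return name.decode("utf-8", errors="replace")


def _finding(encoding: str, offset: int, stream: bytes) -> Dict[str, object]:
    return {"encoding": encoding, "offset": offset, "root_class": root_class_name(stream)}


def scan_body(body: bytes) -> List[Dict[str, object]]:
    """Find Java serialization streams in a body, whether raw, base64-encoded or hex-encoded."""
    findings: List[Dict[str, object]] = []
    for m in re.finditer(re.escape(JAVA_STREAM_MAGIC), body):
        findings.append(_finding("raw", m.start(), body[m.start():]))
    for m in BASE64_RUN.finditer(body):
        token = m.group()
        try:
            decoded = base64.b64decode(token + b"=" * (-len(token) % 4))
        except ValueError:                               # malformed padding or alphabet
            continue
        if decoded.startswith(JAVA_STREAM_MAGIC):
            findings.append(_finding("base64", m.start(), decoded))
    for m in HEX_RUN.finditer(body):
        findings.append(_finding("hex", m.start(), bytes.fromhex(m.group().decode("ascii"))))
    return findings


def scan_request(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.1 request into request line, headers and body, then scan the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path = lines[0].split(b" ")[:2]
    headers = {}
    for ln in lines[1:]:
        if b":" in ln:
            k, v = ln.decode("latin-1").split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"method": method.decode("ascii"), "path": path.decode("ascii"),
            "content_type": headers.get("content-type", ""), "findings": scan_body(body)}


# Constructed fixture: a stream header plus a class descriptor for a placeholder class.
# It is deliberately truncated after the field count and is not a complete object.
_CLASS = b"com.example.PlaceholderRecord"
SAMPLE_STREAM = (JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
                 + len(_CLASS).to_bytes(2, "big") + _CLASS
                 + b"\x00" * 8          # serialVersionUID placeholder
                 + b"\x03"              # classDescFlags placeholder
                 + b"\x00\x02")         # field count placeholder; descriptor cut off here
SAMPLE_BODY_B64 = b"data=" + base64.b64encode(SAMPLE_STREAM)   # form-style body carrying base64
SAMPLE_REQUEST = (b"POST /placeholder-endpoint HTTP/1.1\r\n"
                  b"Host: fmc.example.internal\r\n"
                  b"Content-Type: application/octet-stream\r\n"
                  + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_STREAM)
                  + SAMPLE_STREAM)

if __name__ == "__main__":
    for label, body in (("raw", SAMPLE_STREAM), ("base64", SAMPLE_BODY_B64), ("hex", SAMPLE_STREAM.hex().encode())):
        print(label, scan_body(body))
    print(scan_request(SAMPLE_REQUEST))
```

The base64 branch only catches streams whose first byte sits at a 3-byte boundary of the encoded text (the rO0AB prefix is alignment-dependent), and compressed or chunked bodies must be inflated and reassembled before scanning. Detection of the header is a triage aid, not a fix: the server-side mitigation for CWE-502 in Java is to reject untrusted streams entirely or, where deserialization is unavoidable, to install an allowlisting ObjectInputFilter (JEP 290) so that only expected classes can be instantiated.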

Weaknesses (CWE)

CWE-502

Threats tracking this CVE

References


Threadlinqs Intelligence