# CVE-2026-20131

> Maximum-severity (CVSS 10.0) unauthenticated remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) and Security Cloud Control (SCC) caused by insecure deserialization of user-supplied Java byte streams (CWE-502). The management interface accepts and deserializes Java byte streams (magic bytes 0xAC ED 00 05) from untrusted sources without implementing proper input validation, type checking, or object filtering. Attackers can construct malicious object graphs (gadget chains) leveraging existing classpath libraries to achieve arbitrary Java code execution with root 

- **CVSS:** 10 (CRITICAL)
- **EPSS:** 0.8%
- **CISA KEV:** yes (known ransomware use)
- **CWE:** CWE-502
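
The description names the Java serialization header `0xAC ED 00 05`; as an added example (not code from Cisco or from this page), the Python sketch below flags that header in captured request bodies, raw or base64-encoded, and reports the first serialized class for triage. The function names and the sample stream are constructed for illustration, and nothing here assumes a particular FMC endpoint or payload.

```python
import base64
import re
import struct

MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION, the header named above
# base64 of a buffer starting with MAGIC always begins "rO0AB" (standard or URL-safe alphabet)
B64_MAGIC = re.compile(rb"rO0AB[A-Za-z0-9+/_-]*={0,2}")
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72  # type codes from the Java serialization format

def top_level_class(stream: bytes):
    """Return the class name of the first object in a serialized stream, or None."""
    if len(stream) < 8 or stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", stream[6:8])  # class name is length-prefixed UTF
    name = stream[8:8 + name_len]
    if len(name) != name_len:
        return None  # capture was truncated inside the class name
    return name.decode("utf-8", errors="replace")

def find_serialized_java(payload: bytes):
    """Return (encoding, offset, class_name) for each serialized stream found in payload."""
    findings = []
    start = payload.find(MAGIC)
    while start != -1:
        findings.append(("raw", start, top_level_class(payload[start:])))
        start = payload.find(MAGIC, start + 1)
    for match in B64_MAGIC.finditer(payload):
        token = match.group().rstrip(b"=").replace(b"-", b"+").replace(b"_", b"/")
        if len(token) % 4 == 1:
            token = token[:-1]  # drop a dangling character so the token decodes
        decoded = base64.b64decode(token + b"=" * (-len(token) % 4))
        if decoded.startswith(MAGIC):  # "rO0AB" alone leaves two bits of the 4th byte open
            findings.append(("base64", match.start(), top_level_class(decoded)))
    return findings

# Constructed sample: header, TC_OBJECT, TC_CLASSDESC, a class name, placeholder serialVersionUID.
SAMPLE_STREAM = MAGIC + b"sr\x00\x11java.util.HashMap" + b"\x00" * 8

if __name__ == "__main__":
    for body in (b"POST-body:" + SAMPLE_STREAM,
                 b"data=" + base64.b64encode(SAMPLE_STREAM),
                 b"hello world"):
        print(find_serialized_java(body))
```

A hit means a Java object stream reached the inspected interface, which is a triage signal rather than proof of exploitation; the reported class name helps decide whether the object type is one the application has any reason to receive.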

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-20131
Full threat coverage + IOCs via the Threadlinqs MCP server (Purple tier): https://intel.threadlinqs.com/mcp
