CVE-2026-20265

CISA KEV
CVSS 9.8 (CRITICAL)

An unauthenticated remote code execution vulnerability in the web management interface of Cisco Secure Firewall Management Center (FMC). The flaw resides in the HTTPS administration endpoint and stems from improper input validation inside the CertEnrollServlet Java servlet, where attacker-controlled XML parameters are deserialized without validation, yielding arbitrary OS command execution as the tomcat user. FMC versions 7.2.0 through 7.6.2 are affected. The vulnerability is actively exploited by the Interlock ransomware group using the AdaptixC2 framework. It was added to CISA KEV on 2026-04-10 with a remediation deadline of 2026-04-24.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502, CWE-78, CWE-306
