# CVE-2026-20265

> Unauthenticated remote code execution vulnerability in the Cisco Secure Firewall Management Center (FMC) web management interface. The flaw resides in the HTTPS administration endpoint and stems from improper input validation inside the CertEnrollServlet Java servlet, where attacker-controlled XML parameters are deserialized without validation, yielding arbitrary OS command execution as the tomcat user. FMC versions 7.2.0 through 7.6.2 are affected. The vulnerability is actively exploited by the Interlock ransomware group using the AdaptixC2 framework. It was added to CISA KEV on 2026-04-10 with a remediation deadline of 2026-04-24.

- **CVSS:** 9.8 (CRITICAL)
- **CISA KEV:** yes
- **CWE:** CWE-502, CWE-78, CWE-306

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-20265
