The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22.
Cisco published a security bulletin about the flaw on March 4, urging system administrators to apply the security updates as soon as possible and warning that no workarounds are available.
The Cisco Secure Firewall Management Center (FMC) is a centralized management system for critical Cisco network security appliances, such as firewalls, application control, intrusion prevention, URL filtering, and malware protection.
“A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device,” Cisco says in the advisory.
The issue is caused by insecure deserialization of a user-supplied Java byte stream and is exploitable by sending a specially crafted serialized Java object to the web-based management interface of an affected device.
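As an added defensive illustration (not from Cisco's advisory or the original article): a serialized Java object stream starts with the header bytes AC ED 00 05, so captured request bodies can be triaged for it in raw or base64 form. The function names and sample bodies below are constructed for this example, and the class-name extraction is a heuristic.

```python
import base64
import re
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED + STREAM_VERSION 5
TC_CLASSDESC = 0x72                  # tag byte that starts a class descriptor
B64_RUN = re.compile(rb"rO0AB[A-Za-z0-9+/]*")  # "rO0AB" = header in base64
CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")


def class_names(stream: bytes) -> list:
    """Heuristic: list names from TC_CLASSDESC records (tag, u16 length, name)."""
    names, i = [], len(STREAM_HEADER)
    while (i := stream.find(bytes([TC_CLASSDESC]), i)) != -1:
        if i + 3 <= len(stream):
            (n,) = struct.unpack_from(">H", stream, i + 1)
            name = stream[i + 3 : i + 3 + n]
            if len(name) == n and CLASS_NAME.fullmatch(name):
                names.append(name.decode("ascii"))
        i += 1
    return names


def scan_body(body: bytes) -> list:
    """Report raw and base64-encoded Java serialization streams in a request body."""
    findings = []
    pos = body.find(STREAM_HEADER)
    if pos != -1:
        findings.append({"encoding": "raw", "offset": pos,
                         "classes": class_names(body[pos:])})
    for m in B64_RUN.finditer(body):
        run = m.group()
        decoded = base64.b64decode(run[: len(run) // 4 * 4])  # drop partial group
        findings.append({"encoding": "base64", "offset": m.start(),
                         "classes": class_names(decoded)})
    return findings


def constructed_stream(cls: str) -> bytes:
    """Constructed sample: header, TC_OBJECT, TC_CLASSDESC, name, zero UID."""
    name = cls.encode("ascii")
    return STREAM_HEADER + b"\x73\x72" + struct.pack(">H", len(name)) + name + bytes(8)


SAMPLE_RAW = b"\x00\x01" + constructed_stream("java.util.HashMap")
SAMPLE_B64 = b"data=" + base64.b64encode(constructed_stream("java.util.HashMap"))
SAMPLE_BENIGN = b'{"user": "alice"}'

if __name__ == "__main__":
    for body in (SAMPLE_RAW, SAMPLE_B64, SAMPLE_BENIGN):
        print(scan_body(body))
```

A hit is a triage signal rather than proof of exploitation, and the scan does not cover other encodings such as compressed or URL-safe base64 bodies.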
On March 18, the vendor updated its bulletin to warn of active exploitation of CVE-2026-20131 in the wild. Amazon threat intelligence researchers confirmed that threat actors are leveraging the vulnerability in attacks, noting that the Interlock ransomware gang had been exploiting it as a zero-day since the end of January.
Amazon stated that the ransomware threat actor exploited CVE-2026-20131 more than a month before the vendor published the patch.
Interlock ransomware has claimed several high-profile victims since its launch in late 2024, including DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota.
The threat actor is also using the ClickFix technique for initial access, as well as custom remote access trojans and malware strains like NodeSnake and Slopoly.
CISA has added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog, marking it as “known to be used in ransomware campaigns.”
Given the severity of CVE-2026-20131 and its active exploitation status since late January 2026, CISA gave Federal Civilian Executive Branch (FCEB) agencies only until this Sunday to apply the security updates or stop using the product.
CISA’s deadline is relevant to all entities subject to the Binding Operational Directive (BOD) 22-01, but private companies, state/local governments, and all non-FCEB organizations are still recommended to consider it and act accordingly.




