CISA orders Cisco patch
CISA issued an order requiring federal agencies to patch a max-severity Cisco Secure Firewall Management Center flaw (CVE-2026-20131) by Sunday, March 22. The directive raises the bar for rapid remediation, and any organization using Cisco FMC should treat the fix as urgent given federal enforcement and exploit severity. (bleepingcomputer.com)
Cisco rated CVE-2026-20131 a maximum-severity RCE (CVSS 10.0) caused by insecure Java deserialization in the web management interface, which can let an unauthenticated attacker execute arbitrary Java code as root. (sec.cloudapps.cisco.com) Cisco published the advisory on March 4, 2026, and issued an update on March 18, 2026. The vendor explicitly stated that there are no available workarounds. (sec.cloudapps.cisco.com)

CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog on March 19, 2026. KEV additions are tied to Binding Operational Directive (BOD) 22-01, which mandates accelerated remediation timelines for Federal Civilian Executive Branch agencies. (cisa.gov)

Telemetry reported by Amazon's MadPot sensors and corroborated by multiple incident responders shows that the Interlock ransomware group exploited the FMC flaw as a zero-day beginning around January 26, 2026, weeks before public disclosure. (thehackernews.com)

The flaw impacts on-premises Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) firewall-management products. Cisco noted that the attack surface is reduced when the FMC management interface is not reachable from the public Internet. (cisa.gov)

Cisco's patch is the only documented remediation listed by the vendor. CISA's KEV guidance directs organizations to apply vendor updates per instructions, and multiple security teams are urging immediate patching plus log and signature hunts for indicators of compromise. (sec.cloudapps.cisco.com)