CISA Orders Cisco Patch
CISA directed all U.S. government agencies to patch a maximum-severity Cisco flaw (CVE-2026-20131) amid active ransomware exploitation, underscoring urgent patching and supply-chain vigilance for ops teams. The advisory is a timely reminder to prioritize critical infrastructure patches. (infosecurity-magazine.com)
CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog on March 19, 2026, and set a remediation due date of March 22, 2026. (cisa.gov) Cisco’s advisory (cisco-sa-fmc-rce-NKhnULJh) was first published March 4, 2026 and updated March 18, 2026; it describes an insecure-deserialization bug in the web UI that allows unauthenticated remote Java code execution as root and assigns a CVSS score of 10.0. (sec.cloudapps.cisco.com)
Cloud Security Alliance researchers say the Interlock ransomware gang exploited the FMC flaw for roughly 37 days before Cisco issued the March 4 patch and for about 51 days before public disclosure, with exploitation dating to late January 2026. (labs.cloudsecurityalliance.org) Industry reporting and vendor telemetry tie the active exploitation to January 2026, with AWS and multiple security outlets noting Interlock activity against Cisco FMC beginning in late January. (csoonline.com)
The flaw affects Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC); publicly listed affected FMC builds include 7.1.0 through 7.2.5 according to CVE product/version records. (cvedetails.com) Cisco’s advisory states no workarounds are available and notes that removing public internet access to the FMC management interface reduces the attack surface, while independent researchers have published indicators of compromise and timelines to support immediate remediation. (sec.cloudapps.cisco.com)