Critical CVSS 10.0 RCE in Cisco FMC allows unauthenticated root access via insecure deserialization. Actively exploited and listed on CISA KEV.
| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| secure_firewall_management_center | 6.4.0.13 | 6.4.0.13 | vulnerable |
| secure_firewall_management_center | 6.4.0.14 | 6.4.0.14 | vulnerable |
| secure_firewall_management_center | 6.4.0.15 | 6.4.0.15 | vulnerable |
| secure_firewall_management_center | 6.4.0.16 | 6.4.0.16 | vulnerable |
| secure_firewall_management_center | 6.4.0.17 | 6.4.0.17 | vulnerable |
| secure_firewall_management_center | 6.4.0.18 | 6.4.0.18 | vulnerable |
| secure_firewall_management_center | 7.0.0 | 7.0.0 | vulnerable |
| secure_firewall_management_center | 7.0.0.1 | 7.0.0.1 | vulnerable |
| secure_firewall_management_center | 7.0.1 | 7.0.1 | vulnerable |
| secure_firewall_management_center | 7.0.1.1 | 7.0.1.1 | vulnerable |
| secure_firewall_management_center | 7.0.2 | 7.0.2 | vulnerable |
| secure_firewall_management_center | 7.0.2.1 | 7.0.2.1 | vulnerable |
| secure_firewall_management_center | 7.0.3 | 7.0.3 | vulnerable |
| secure_firewall_management_center | 7.0.4 | 7.0.4 | vulnerable |
| secure_firewall_management_center | 7.0.5 | 7.0.5 | vulnerable |
| secure_firewall_management_center | 7.0.6 | 7.0.6 | vulnerable |
| secure_firewall_management_center | 7.0.6.1 | 7.0.6.1 | vulnerable |
| secure_firewall_management_center | 7.0.6.2 | 7.0.6.2 | vulnerable |
| secure_firewall_management_center | 7.0.6.3 | 7.0.6.3 | vulnerable |
| secure_firewall_management_center | 7.0.7 | 7.0.7 | vulnerable |
| secure_firewall_management_center | 7.0.8 | 7.0.8 | vulnerable |
| secure_firewall_management_center | 7.0.8.1 | 7.0.8.1 | vulnerable |
| secure_firewall_management_center | 7.1.0 | 7.1.0 | vulnerable |
| secure_firewall_management_center | 7.1.0.1 | 7.1.0.1 | vulnerable |
| secure_firewall_management_center | 7.1.0.2 | 7.1.0.2 | vulnerable |
| secure_firewall_management_center | 7.1.0.3 | 7.1.0.3 | vulnerable |
| secure_firewall_management_center | 7.2.0 | 7.2.0 | vulnerable |
| secure_firewall_management_center | 7.2.0.1 | 7.2.0.1 | vulnerable |
| secure_firewall_management_center | 7.2.1 | 7.2.1 | vulnerable |
| secure_firewall_management_center | 7.2.2 | 7.2.2 | vulnerable |
| secure_firewall_management_center | 7.2.3 | 7.2.3 | vulnerable |
| secure_firewall_management_center | 7.2.3.1 | 7.2.3.1 | vulnerable |
| secure_firewall_management_center | 7.2.4 | 7.2.4 | vulnerable |
| secure_firewall_management_center | 7.2.4.1 | 7.2.4.1 | vulnerable |
| secure_firewall_management_center | 7.2.5 | 7.2.5 | vulnerable |
| secure_firewall_management_center | 7.2.5.1 | 7.2.5.1 | vulnerable |
| secure_firewall_management_center | 7.2.5.2 | 7.2.5.2 | vulnerable |
| secure_firewall_management_center | 7.2.6 | 7.2.6 | vulnerable |
| secure_firewall_management_center | 7.2.7 | 7.2.7 | vulnerable |
| secure_firewall_management_center | 7.2.8 | 7.2.8 | vulnerable |
| secure_firewall_management_center | 7.2.8.1 | 7.2.8.1 | vulnerable |
| secure_firewall_management_center | 7.2.9 | 7.2.9 | vulnerable |
| secure_firewall_management_center | 7.2.10 | 7.2.10 | vulnerable |
| secure_firewall_management_center | 7.2.10.1 | 7.2.10.1 | vulnerable |
| secure_firewall_management_center | 7.2.10.2 | 7.2.10.2 | vulnerable |
| secure_firewall_management_center | 7.3.0 | 7.3.0 | vulnerable |
| secure_firewall_management_center | 7.3.1 | 7.3.1 | vulnerable |
| secure_firewall_management_center | 7.3.1.1 | 7.3.1.1 | vulnerable |
| secure_firewall_management_center | 7.3.1.2 | 7.3.1.2 | vulnerable |
| secure_firewall_management_center | 7.4.0 | 7.4.0 | vulnerable |
| secure_firewall_management_center | 7.4.1 | 7.4.1 | vulnerable |
| secure_firewall_management_center | 7.4.1.1 | 7.4.1.1 | vulnerable |
| secure_firewall_management_center | 7.4.2 | 7.4.2 | vulnerable |
| secure_firewall_management_center | 7.4.2.1 | 7.4.2.1 | vulnerable |
| secure_firewall_management_center | 7.4.2.2 | 7.4.2.2 | vulnerable |
| secure_firewall_management_center | 7.4.2.3 | 7.4.2.3 | vulnerable |
| secure_firewall_management_center | 7.4.2.4 | 7.4.2.4 | vulnerable |
| secure_firewall_management_center | 7.4.3 | 7.4.3 | vulnerable |
| secure_firewall_management_center | 7.4.4 | 7.4.4 | vulnerable |
| secure_firewall_management_center | 7.4.5 | 7.4.5 | vulnerable |
| secure_firewall_management_center | 7.6.0 | 7.6.0 | vulnerable |
| secure_firewall_management_center | 7.6.1 | 7.6.1 | vulnerable |
| secure_firewall_management_center | 7.6.2 | 7.6.2 | vulnerable |
| secure_firewall_management_center | 7.6.2.1 | 7.6.2.1 | vulnerable |
| secure_firewall_management_center | 7.6.3 | 7.6.3 | vulnerable |
| secure_firewall_management_center | 7.6.4 | 7.6.4 | vulnerable |
| secure_firewall_management_center | 7.7.0 | 7.7.0 | vulnerable |
| secure_firewall_management_center | 7.7.10 | 7.7.10 | vulnerable |
| secure_firewall_management_center | 7.7.10.1 | 7.7.10.1 | vulnerable |
| secure_firewall_management_center | 7.7.11 | 7.7.11 | vulnerable |
| secure_firewall_management_center | 10.0.0 | 10.0.0 | vulnerable |
Consult the Cisco Security Advisory (cisco-sa-fmc-rce-NKhnULJh) to identify and install the specific software updates provided by Cisco to address this insecure deserialization vulnerability.
Upgrade Cisco FMC software to fixed releases, ensuring all vulnerable versions across the 6.4, 7.0, 7.1, 7.2, 7.3, 7.4, 7.6, and 7.7 branches are patched or moved to a supported, secure version.
Immediately isolate the FMC web-based management interface from the public internet. Use VPNs, jump hosts, or access control lists (ACLs) to ensure only trusted internal IP addresses can reach the interface.
Review system logs for unauthorized root-level access, unusual Java process spawns, or suspicious HTTP POST requests directed at the management interface that may contain serialized Java objects.
Detection should focus on identifying malicious Java deserialization attempts within HTTP traffic to the FMC management interface. Monitor web server logs for high volumes of POST requests to endpoints processing user-supplied data or those containing common deserialization gadget chain signatures. Additionally, use EDR or system auditing tools to flag any unexpected child processes originating from the web server or Java runtime, particularly those resulting in a root-level shell or unauthorized file modifications.
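As an added illustration of the detection approach above (this is example code written for this page, not Cisco's code and not an FMC log format), the following Python script runs the two checks over constructed sample data: HTTP request records as a reverse proxy or WAF in front of the management interface might export them, with the first bytes of each POST body hex-encoded, and process-creation events as an EDR or auditd-style source might emit them. The endpoint paths, source addresses, field names and thresholds are all assumptions; the one fact relied on is that a Java serialization stream begins with the bytes `AC ED 00 05`, which base64-encode to the prefix `rO0AB`.

```python
import base64
from collections import Counter

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# The same header as it appears at the start of a base64-encoded stream ("rO0AB").
JAVA_SER_B64_PREFIX = base64.b64encode(JAVA_SER_MAGIC)[:5]

# Constructed sample HTTP records (not real FMC traffic). body_prefix holds the
# first bytes of the request body, hex-encoded; the paths are placeholders.
CONSTRUCTED_HTTP_RECORDS = [
    {"src": "10.0.0.5", "method": "GET", "path": "/login.cgi",
     "ctype": "", "body_prefix": ""},
    {"src": "203.0.113.9", "method": "POST", "path": "/example/endpoint",
     "ctype": "application/x-java-serialized-object", "body_prefix": "aced00057372"},
    {"src": "203.0.113.9", "method": "POST", "path": "/example/endpoint",
     "ctype": "application/octet-stream", "body_prefix": "724f3041425870"},  # "rO0ABXp"
    {"src": "10.0.0.7", "method": "POST", "path": "/example/endpoint",
     "ctype": "application/json", "body_prefix": "7b226b6579223a"},  # '{"key":'
]

# Constructed process-creation events (not real EDR output): parent command,
# child command, effective uid of the child, and its argument string.
CONSTRUCTED_PROC_EVENTS = [
    {"parent": "java", "child": "sh", "uid": 0, "args": "sh -c id"},
    {"parent": "java", "child": "java", "uid": 1001, "args": "java -version"},
    {"parent": "httpd", "child": "perl", "uid": 48, "args": "perl cgi.pl"},
    {"parent": "sshd", "child": "bash", "uid": 0, "args": "bash"},
    {"parent": "java", "child": "bash", "uid": 1001, "args": "bash -c ls"},
]

SHELLS = {"sh", "bash", "dash", "ksh", "zsh"}
WEB_PARENTS = {"java", "httpd", "apache2", "tomcat"}  # assumed web-tier process names


def looks_like_java_serialized(body_prefix_hex: str) -> bool:
    """True if the body starts with the raw or base64-encoded Java stream header."""
    raw = bytes.fromhex(body_prefix_hex) if body_prefix_hex else b""
    return raw.startswith(JAVA_SER_MAGIC) or raw.startswith(JAVA_SER_B64_PREFIX)


def flag_http_records(records):
    """Return (src, path, reasons) for POSTs that carry serialized Java objects."""
    findings = []
    for r in records:
        if r["method"] != "POST":
            continue
        reasons = []
        if looks_like_java_serialized(r["body_prefix"]):
            reasons.append("java-serialized-body")
        if "java-serialized-object" in r["ctype"]:
            reasons.append("java-serialized-content-type")
        if reasons:
            findings.append((r["src"], r["path"], reasons))
    return findings


def post_burst_sources(records, threshold):
    """Return {src: count} for sources whose POST count reaches the threshold."""
    counts = Counter(r["src"] for r in records if r["method"] == "POST")
    return {src: n for src, n in counts.items() if n >= threshold}


def flag_process_events(events):
    """Flag children of the web tier that are shells or run as root (uid 0)."""
    return [e for e in events
            if e["parent"] in WEB_PARENTS and (e["child"] in SHELLS or e["uid"] == 0)]


if __name__ == "__main__":
    for src, path, reasons in flag_http_records(CONSTRUCTED_HTTP_RECORDS):
        print(f"HTTP  {src} -> {path}: {', '.join(reasons)}")
    for src, n in post_burst_sources(CONSTRUCTED_HTTP_RECORDS, threshold=2).items():
        print(f"BURST {src}: {n} POST requests")
    for e in flag_process_events(CONSTRUCTED_PROC_EVENTS):
        print(f"PROC  {e['parent']} -> {e['child']} (uid {e['uid']}): {e['args']}")
```

In practice the body check needs a data source that exposes request bodies (a WAF, a TLS-terminating proxy, or full packet capture), since ordinary access logs record only the request line; the process check is the more reliable of the two on a host where a web-tier process should never spawn a shell or a root-level child.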