What happened
The Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to patch a maximum-severity vulnerability in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22, after adding the flaw to its Known Exploited Vulnerabilities catalog. The issue, tracked as CVE-2026-20131, is a remote code execution vulnerability caused by insecure deserialization in the web-based management interface and allows an unauthenticated attacker to execute arbitrary Java code as root on affected devices. Cisco disclosed the flaw on March 4 and later updated its advisory on March 18 to warn of active exploitation in the wild. Researchers said the Interlock ransomware group had been exploiting the flaw as a zero-day since late January.
Who is affected
Federal civilian agencies using vulnerable versions of Cisco Secure Firewall Management Center are directly affected by CISA’s emergency deadline, while private-sector and non-federal organizations running the product are also at risk if they have not applied Cisco’s updates.
Why CISOs should care
The flaw affects a centralized management platform for firewalls and other security controls, which means successful exploitation could give attackers privileged access to core network defense infrastructure and enable broader compromise.
3 practical actions
- Apply Cisco’s patch immediately. CISA ordered agencies to update or stop using affected Cisco Secure FMC systems by the Sunday deadline.
- Review exposure of firewall management interfaces. Limit access to trusted networks and identify any internet-reachable FMC instances.
- Check for signs of exploitation. Investigate suspicious HTTP requests, unauthorized code execution, or activity associated with Interlock ransomware operations.
