CISA orders feds to patch max-severity Cisco flaw by Sunday

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a maximum-severity vulnerability, CVE-2026-20131, in Cisco Secure Firewall Management Center (FMC) by Sunday, March 22.

Cisco published a security bulletin about the flaw on March 4, urging system administrators to apply the security updates as soon as possible and warning that no workarounds are available.

The Cisco Secure Firewall Management Center (FMC) is a centralized management system for critical Cisco network security appliances, such as firewalls, application control, intrusion prevention, URL filtering, and malware protection.

“A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device,” Cisco says in the advisory.

The issue is caused by insecure deserialization of a user-supplied Java byte stream and is exploitable by sending a specially crafted serialized Java object to the web-based management interface of an affected device.
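
On the detection side, serialized Java objects begin with a fixed stream header, so request bodies sent to a management interface can be checked for it. The following is an added example, not code from Cisco's advisory or from the original article; `find_java_serialized`, `scan` and the sample requests are constructed for illustration, and the check is a generic indicator of serialized Java input, not a signature for CVE-2026-20131.

```python
import base64
import binascii
import re

# Header of the Java Object Serialization Stream Protocol:
# STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005).
JAVA_MAGIC = b"\xac\xed\x00\x05"
# Base64 of those bytes starts with "rO0AB"; the prefix alone does not pin the
# version byte, so each candidate is decoded and compared before it counts.
B64_CANDIDATE = re.compile(rb"rO0AB[A-Za-z0-9+/]{3}")


def find_java_serialized(body: bytes) -> list:
    """Return (encoding, offset) pairs for each serialization header in body."""
    hits = []
    pos = body.find(JAVA_MAGIC)
    while pos != -1:
        hits.append(("raw", pos))
        pos = body.find(JAVA_MAGIC, pos + 1)
    for match in B64_CANDIDATE.finditer(body):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue
        if decoded.startswith(JAVA_MAGIC):
            hits.append(("base64", match.start()))
    return hits


# Constructed sample data: a truncated, harmless stream (TC_OBJECT, TC_CLASSDESC,
# then a 2-byte length and a class name). It does not describe a usable object.
SAMPLE_STREAM = JAVA_MAGIC + b"\x73\x72\x00\x0bdemo.Sample"
SAMPLE_REQUESTS = {
    "raw-body": b"\x00\x01" + SAMPLE_STREAM,
    "base64-in-json": b'{"state":"' + base64.b64encode(SAMPLE_STREAM) + b'"}',
    "benign-form": b"username=admin&action=login",
    "near-miss": b"token=rO0ABAAA",  # decodes to ac ed 00 04: wrong version byte
}


def scan(requests: dict) -> dict:
    """Map each request name to the list of headers found in its body."""
    return {name: find_java_serialized(body) for name, body in requests.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{name:15} {'ALERT ' + str(hits) if hits else 'ok'}")
```

A hit only shows that serialized Java data reached the interface; whether that is expected depends on the application, so treat it as a triage signal alongside patching.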

On March 18, the vendor updated its bulletin to warn of active exploitation of CVE-2026-20131 in the wild. Amazon threat intelligence researchers confirmed that threat actors are leveraging the vulnerability in attacks, noting that the Interlock ransomware gang had been exploiting it as a zero-day since the end of January.

Amazon stated that the ransomware threat actor exploited CVE-2026-20131 more than a month before the vendor published the patch.

Interlock ransomware has claimed multiple high-profile victims since its launch in late 2024, including DaVita, Kettering Health, the Texas Tech University System, and the city of Saint Paul, Minnesota.

The threat actor is also using the ClickFix technique for initial access, as well as custom remote access trojans and malware strains like NodeSnake and Slopoly.

CISA has added CVE-2026-20131 to its Known Exploited Vulnerabilities (KEV) catalog, marking it as “known to be used in ransomware campaigns.”

Given the severity of CVE-2026-20131 and its active exploitation status since late January 2026, CISA gave Federal Civilian Executive Branch (FCEB) agencies only until this Sunday to apply the security updates or stop using the product.

CISA’s deadline applies to all entities subject to Binding Operational Directive (BOD) 22-01, but private companies, state/local governments, and all non-FCEB organizations are still advised to consider it and act accordingly.
