Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.0 unauthenticated RCE in Cisco FMC was exploited as a zero-day for 36 days. Here's what the upgrade actually looks like.
What changed
Cisco disclosed CVE-2026-20131, a CVSS 10.0 unauthenticated remote code execution in the web management interface of Cisco Secure Firewall Management Center (FMC). Java deserialization. No authentication required. The Interlock ransomware group exploited it as a zero-day for 36 days before Cisco published a fix on March 4. A public proof-of-concept hit GitHub a week later. CISA added it to the KEV catalog on March 19 with a 3-day remediation deadline, not the standard 14.
There are no workarounds. Cisco says patching is the only remediation. No service toggle, no ACL, no configuration change removes the vulnerability.
What it means for your environment
FMC is not a peripheral system. It is the centralized policy authority for every Cisco FTD firewall it manages. Root on FMC means an attacker can push modified ACL rules, suppress IPS signatures, alter VPN configurations, exfiltrate stored credentials, and pivot to every managed device in the estate. The CVSS vector scores Scope: Changed for exactly this reason. This is not “one box is compromised.” This is “the thing that defines your perimeter security posture is now adversary-controlled.”
The companion vulnerability, CVE-2026-20079 (also CVSS 10.0, authentication bypass), was disclosed the same day. Two independent unauthenticated root paths in the same management interface, on the same date.
If your FMC was reachable from a network that touches the internet between January 26 and March 4, you have a compromise assessment to do, not just a patching ticket. Interlock used a memory-resident Java webshell with no disk artifacts. File-based antivirus will not find it. Indicators to hunt for: outbound HTTP PUT requests from the FMC host, connections to browser-updater.com or os-update-server.org, log files truncated to zero bytes on a recurring schedule, unexplained firewall policy changes pushed to managed FTD devices, and a Firefox 136 user-agent string originating from a Linux management appliance that has no business running a browser.
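As an added illustration, not code from the original note or from Cisco, the hunt indicators above expressed as a pass over egress and host telemetry from FMC appliances. The record layout, the `hunt` function and the sample records are constructed for this example; the two domains and the Firefox 136 user-agent are the indicators quoted in the text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Domains and browser version are the indicators quoted in the note above.
SUSPECT_DOMAINS = {"browser-updater.com", "os-update-server.org"}
FIREFOX_136 = re.compile(r"Firefox/136(\.\d+)?\b")

def _suspect(host):
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

def hunt(records, fmc_hosts, tolerance=timedelta(seconds=30)):
    """Scan 'http' egress and 'file' host records from FMC appliances; return (rule, detail) tuples."""
    hits, truncations = [], defaultdict(list)
    for r in records:
        if r["src"] not in fmc_hosts:
            continue  # only the management appliances are in scope here
        if r["kind"] == "http":
            if r["method"] == "PUT":
                hits.append(("outbound_put", f"{r['src']} PUT {r['host']}"))
            if _suspect(r["host"]):
                hits.append(("c2_domain", r["host"]))
            if FIREFOX_136.search(r.get("ua", "")):
                hits.append(("browser_ua_on_appliance", r["ua"]))
        elif r["kind"] == "file" and r["size"] == 0:
            truncations[(r["src"], r["path"])].append(r["ts"])
    # Log reset to zero bytes on a cadence: >=3 truncations with gaps agreeing within `tolerance`.
    for (src, path), ts in truncations.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
            hits.append(("scheduled_log_truncation", f"{src} {path} every {gaps[0]}"))
    return hits

# Constructed sample telemetry for one FMC at 10.1.1.5 (not real data; field names are this example's own).
T0 = datetime(2026, 2, 10, 3, 0, 0)
UA_FF136 = "Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0"

def _file(minute, path="/var/log/haproxy.log"):
    return {"ts": T0 + timedelta(minutes=minute), "src": "10.1.1.5", "kind": "file", "path": path, "size": 0}

SAMPLE = [
    {"ts": T0, "src": "10.1.1.5", "kind": "http", "method": "GET", "host": "updates.example.net", "ua": "curl/8.0"},
    {"ts": T0, "src": "10.1.1.5", "kind": "http", "method": "PUT", "host": "browser-updater.com", "ua": UA_FF136},
    _file(5), _file(10), _file(15),  # the five-minute log wipe the note describes
]

def sample_hits():
    return hunt(SAMPLE, fmc_hosts={"10.1.1.5"})
```

Policy pushes to managed FTD devices are not in this telemetry and still need a separate review of FMC's own audit and deployment history.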
The post-exploitation chain went deep. Memory-resident webshell to JavaScript RAT to PowerShell enumeration. Linux hosts converted to HAProxy reverse proxies with log erasure every five minutes. ConnectWise ScreenConnect for persistence. Active Directory certificate exploitation. Then ransomware. Known Interlock victims include DaVita, Kettering Health, Texas Tech University, and the City of Saint Paul, which declared a state of emergency.
The MSSP problem is worse. If a managed security provider uses a single on-prem FMC to manage multiple client environments, one FMC compromise is a multi-client incident. That’s not a theoretical scenario; it’s how a lot of midmarket MSSP deployments are architected.
What you need to do
Patch. Fixed versions by branch:
| Branch | Minimum fixed version |
|---|---|
| 7.0.x | 7.0.9 |
| 7.1.x / 7.2.x | 7.2.11 |
| 7.3.x / 7.4.x | 7.4.6 |
| 7.6.x | 7.6.5 |
| 7.7.x | 7.7.12 |
| 10.0.x | 10.0.1 |
Critical trap: Version 7.4.4 fixes only the companion CVE-2026-20079 (the auth bypass), not CVE-2026-20131 (the deserialization RCE). The floor for 7.4.x is 7.4.6. If your change record shows 7.4.4 and someone closed the ticket, reopen it.
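An added example, not Cisco tooling: a fleet check that encodes the floor table and the 7.4.4 trap so an inventory export can be triaged before anyone closes a ticket. Version strings carrying a build suffix such as `7.4.4-36` are an assumption about the export format.

```python
from typing import Optional, Tuple

# Minimum fixed versions per branch, from the table above. Branches that must
# move to a neighbouring train (7.1 -> 7.2, 7.3 -> 7.4) map to that train's floor.
FIXED_FLOORS = {
    (7, 0): (7, 0, 9),
    (7, 1): (7, 2, 11),
    (7, 2): (7, 2, 11),
    (7, 3): (7, 4, 6),
    (7, 4): (7, 4, 6),
    (7, 6): (7, 6, 5),
    (7, 7): (7, 7, 12),
    (10, 0): (10, 0, 1),
}
# Releases that fix only the companion CVE-2026-20079 and leave -20131 open.
PARTIAL_FIXES = {(7, 4, 4)}

def parse_version(text: str) -> Tuple[int, ...]:
    """'7.4.4' or '7.4.4-36' (build suffix, an assumed export format) -> (7, 4, 4)."""
    core = text.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, floor): 'patched', 'vulnerable', 'partial' (-20079 only) or 'unsupported'."""
    v = parse_version(version)
    floor = FIXED_FLOORS.get(v[:2])
    if floor is None:
        return "unsupported", None  # e.g. 6.4.x: needs a multi-hop upgrade plan, not a floor check
    floor_str = ".".join(map(str, floor))
    if v[:3] in PARTIAL_FIXES:
        return "partial", floor_str  # the 7.4.4 trap: ticket must be reopened
    return ("patched" if v >= floor else "vulnerable"), floor_str

def triage(inventory: dict) -> dict:
    """hostname -> version string, to hostname -> (status, floor) for a fleet."""
    return {host: assess(ver) for host, ver in inventory.items()}

def needs_action(inventory: dict) -> list:
    """Hosts that still need an upgrade ticket, sorted for a change request."""
    return sorted(h for h, (status, _) in triage(inventory).items() if status != "patched")
```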
If you’re still on 6.4.x, multi-hop upgrades may require intermediate releases. Check Cisco’s upgrade path tool before scheduling.
Before you start: Take a VM snapshot and a pre-upgrade backup. There is no simple rollback path.
HA upgrade sequence: Pause sync. Upgrade the standby node. After standby completes, upgrade the active node. Promote. Sync (roughly 20 minutes). Deploy any pending policies.
Detection: Snort rules 66082 and 66083 cover this vulnerability. Qualys QIDs 317769 and 317770. If you run Cisco Security Cloud Control (SCC), Cisco auto-patched that for you. On-prem FMC is your responsibility.
If you were exposed during the zero-day window: Engage your IR team. Memory-resident implants mean you’re looking for network artifacts and behavioral indicators, not file hashes. The indicators above are a starting point.
The window
The zero-day exploitation window was January 26 through March 4. The patch has been available for two months. The public PoC has been available since March 11. CISA gave organizations three days, not fourteen. If you haven’t patched yet, you are operating outside every reasonable standard for this vulnerability class.
Budget roughly 60 minutes for the upgrade plus 28 minutes for the reboot per node. Your managed firewalls keep enforcing their last-deployed policy during the FMC upgrade, so the data plane stays up. You lose management visibility for under 90 minutes. That’s a maintenance window, not an outage.
This is Cisco’s latest entry in a decade-long series of Java deserialization CVEs across management platforms: 2015’s broad advisory, 2020’s Security Manager disclosure, 2025’s ISE vulnerability, and now FMC. Java deserialization appears roughly 58 times in the CISA KEV catalog. The pattern is not going to stop. If your patching cadence for management plane appliances runs quarterly or slower, you will keep hitting these windows where the exploit is public and your console is exposed.
PatchDay Alert flagged this in the daily digest the morning it hit KEV. That’s the point of the service: the signal arrives before Monday’s queue buries it.
The patch has been available for two months. The only thing left to decide is which maintenance window you’re scheduling it in, and whether that window is this week or next. Given what Interlock did with the access, I’d argue this week.