CVE-2026-20131: Analysis of FMC RCE
ID: 801c57b2-624e-565b-843f-a2d3f0821254
STIX ID: report--801c57b2-624e-565b-843f-a2d3f0821254
Feed Name: Zscaler Security Research Blog
Cisco disclosed CVE-2026-20131, a critical remote code execution (RCE) vulnerability in Secure Firewall Management Center (CVSS 10). The flaw stems from insecure Java deserialization and allows unauthenticated attackers to execute arbitrary Java code and gain root. Evidence of active exploitation was observed beginning March 6, 2026, with attackers using publicly available PoC serialized Java payloads against major U.S. technology and software organizations. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and mandated remediation.
