External risk intelligence
Cisco Firewall Management could allow external attackers to gain full administrative access.
Cisco Secure Firewall Management Center and Security Cloud Control could allow external attackers to gain full administrative control. This flaw is actively being exploited in ransomware campaigns, potentially causing operational disruption and compromise of your firewall infrastructure.
CVE-2026-20131
Exposure facts
H – Horizon Alert
A security vulnerability has been identified within the web-based management interface of Cisco Secure Firewall Management Center (FMC) software. This issue stems from how the system processes specific data, which could allow an unauthorized remote attacker to execute arbitrary code on the device. This poses a significant business concern, as a successful attack could grant an intruder full administrative control over the management system.
A – Asset Exposure
This vulnerability impacts the web-based management interface used in Cisco Secure Firewall Management Center and Cisco Security Cloud Control. If these interfaces are connected to the public internet, external attackers could potentially gain unauthorized, root-level access to the management appliance. This compromise could jeopardize the security of your firewall management and any connected operational systems.
L – Live Threat
This vulnerability is subject to active exploitation and has been officially added to the CISA Known Exploited Vulnerabilities catalog. There is documented evidence of this flaw being utilized in known ransomware campaigns that are targeting enterprise firewalls. Because this issue allows unauthorized attackers to potentially gain complete control over the management interface, the current risk level is elevated.
O – Operational Fix
Please prioritize applying the official security mitigations provided by the vendor to your Cisco firewall management systems. As an immediate protective measure, verify that these management interfaces are restricted from direct public internet access, which effectively reduces the potential attack surface. We recommend coordinating with your engineering and security teams to implement these vendor-supplied updates promptly to ensure your infrastructure remains protected.
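One way to carry out the exposure check described above, as an added example that is not part of the original advisory or any vendor tooling. The inventory format, host names and addresses are constructed for illustration (203.0.113.0/24 is a documentation range standing in for a public address), and the script assumes you can export each management interface's address and its permitted source networks from your own asset and firewall records.

```python
import ipaddress

# Ranges treated as internal: RFC 1918, CGNAT, loopback, link-local (IPv4 only).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(net):
    """True when every address in `net` falls inside one internal range."""
    return any(net.subnet_of(i) for i in INTERNAL)


def audit(inventory):
    """Return {name: (status, reasons)} for each management interface."""
    results = {}
    for item in inventory:
        reasons = []
        addr = ipaddress.ip_network(item["mgmt_ip"] + "/32")
        if not is_internal(addr):
            reasons.append("management address is outside internal ranges")
        # A permitted source is "open" if it covers any non-internal address.
        open_sources = [s for s in item["allowed_sources"]
                        if not is_internal(ipaddress.ip_network(s, strict=False))]
        if open_sources:
            reasons.append("non-internal sources allowed: " + ", ".join(open_sources))
        # Both conditions together mean the interface is reachable from outside.
        status = "EXPOSED" if len(reasons) == 2 else "REVIEW" if reasons else "OK"
        results[item["name"]] = (status, reasons)
    return results


# Constructed inventory (hypothetical hosts, not real systems).
INVENTORY = [
    {"name": "fmc-dc1", "mgmt_ip": "10.20.0.5", "allowed_sources": ["10.20.0.0/24"]},
    {"name": "fmc-branch", "mgmt_ip": "203.0.113.10", "allowed_sources": ["0.0.0.0/0"]},
    {"name": "fmc-dr", "mgmt_ip": "203.0.113.20", "allowed_sources": ["10.0.0.0/8"]},
    {"name": "fmc-lab", "mgmt_ip": "192.168.5.9", "allowed_sources": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for name, (status, reasons) in audit(INVENTORY).items():
        print(f"{name:12} {status:8} {'; '.join(reasons)}")
```

Entries marked REVIEW meet only one condition, for example an internal address with an unrestricted allow-list that a NAT or port-forward rule could still expose, and should be checked by hand.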
References
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-rce-NKhnULJh
- https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20131